The end of support for Windows XP has disastrous potential for those who do not prepare for it. Anyone still on the OS can expect an onslaught of malware after April 8th, 2014 – the date Microsoft will no longer ship security patches for XP.
Any bad guy out there with an XP exploit will likely sit on it until EOS for obvious reasons – it’s simply more profitable for them. Releasing an exploit today will likely result in a Microsof t patch. But, if the exploit is not released until after the end of life and no patch is made available, that exploit can be a valuable commodity for a longer period of time and therefore will demand a higher price. In fact, there’s some evidence that XP zero days are commanding a $500,000 price tag.
Regardless of the bad guys’ marketing plan, you need to be ready. Typically, migrations can take upwards of 18 months and we’re now down to less than five. Here are a few thoughts on the approaches being taken by some, along with a few of my own recommendations:
Windows 7 XP Mode is Not Your Solution
Moving to Windows 7 to run your applications in XP Compatibility Mode is a nice idea in theory but Microsoft has stated their support for this feature in Windows 7 also goes away on the end of life date for Windows XP. If your application will only run in Windows 7 XP compatibility mode, you face the risk of finding yourself with application issues and no support from Microsoft after April 8th 2014.
Virtualization with Microsoft MED-V Won’t Solve Your Problems Either
Microsoft has listed an end of support date for MED-V as April 13, 2021. But, if you are running XP on MED-V, the support for the XP virtual machine still ends on April 8th 2014. In this scenario, you’ll have a supported MED-V platform but zero support for the XP virtual machine running on it.
What about Virtualization with VMware?
While virtualizing your XP environment in VMware can allow additional compensating controls that may perhaps offset the risk of unpatched vulnerabilities in Windows XP, the fact remains there will be no support for XP. And, you’re increasing IT burden to configure, manage and secure these images.
Buy Yourself a Little More Time
To buy yourself an additional 15 months, you could update your applications to operate on Windows 2003 Server R2. Applications that run on XP have a greater chance of running on Windows 2003 with little if any modification and Win 2003 is still a supported OS. For now – this is a short-term solution only. July 14, 2015 is the expected end of life for Windows 2003 Server R2. While a less than ideal option, such a move is safer than continuing to run XP after its end of support.
And remember – if you have your own 16 bit applications that currently require XP to operate, your only long-term solution is to rewrite those applications for today’s 64 bit operating systems.
Another suggestion is to deploy application control. While by no means a silver bullet in and of itself, application control will stop anything from running that is not pre-approved. With application control in use, you could then put the costly hardware + software + training upgrade costs on a timeline that better suits your organization. But, like anything, rolling out app control is also time-consuming. You should start the implementation and policy control now so you are ready for April 8. But then you can reap the benefit of this focus roll-out by pushing application whitelisting to the entire network.
Obviously the best scenario for XP end of support is a complete upgrade. But, given the resources required, we know this unfortunately isn’t an option for far too many of us.
Editor’s Note: More information for Windows XP users can be found on the resource page on the Lumension site.