And it’s still a potential open door for bad actors
Most people who were alive at the time can remember where they were on September 11, 2001, even though it now seems like ancient history. But how many can remember where they were a little more than six weeks later on October 25, 2001?
That date is when Windows XP was released to the public, and nearly 18 years on, incredible as it may seem, it is still in use around the world. Although it may not appear on many desktops, according to one source just under four percent of desktop and laptop computers worldwide are running this antique – in computer terms – operating system. Only three years ago, it was calculated that 90 percent of British NHS trusts were still using XP – and that was over two years after support had been officially withdrawn.
Additionally, variations of this operating system, including an embedded version, are in common use around the world in critical applications. To take just one example, the Reserve Bank of India has set a deadline of June 2019 for banks to remove XP from a critical application area – that’s over five years since Microsoft pulled the plug on support for desktop XP (support for the embedded XP system ended some two years after that). And the critical application? ATMs – and India is far from being the only country where XP is deployed in this area. POS (Point of Sale) systems are another major platform on which XP is still installed, although officially support for POSReady 2009 – an XP SP3 variant – has been continued until April 2019.
What is alarming is that Microsoft has recently released a patch – its first for XP in over two years – warning of a vulnerability whereby “any future malware that exploits this vulnerability could propagate … in a similar way as the WannaCry ransomware attack … swept the globe,” according to Microsoft’s Security Response Center’s director of incident response, Simon Pope.
The vulnerability is vaguely described by Microsoft as being through Remote Desktop Services, but even that small amount of information, according to some experts, is enough for the bad actors to uncover it, and to create a worm that can spread through networks without any human intervention. Systems running Windows 8 and above are reportedly not vulnerable.
Though banks are known to pay Microsoft for support long after XP’s ‘sell-by’ date, other users of the system may not have the resources to do so. Over half of industrial sites are using the system for real-time systems, such as industrial process control, or for services that cannot be interrupted, such as those in medical institutions. These sites cannot halt the system to upgrade from XP, or even to install a critical patch, even though Wired magazine describes a future attack on XP as being “inevitable”.
First Response’s technical director, John Douglas, comments, “Running a vulnerable system presents security and reputational risks to the organisation. At First Response, we deal with a wide variety of operational environments, including ‘always on’ systems, and are ready to help and advise on proactive preventative measures, as well as working with our clients on Incident Response Plans to mitigate the effects of any possible cyberattack, and provide a speedy recovery and return to normal operations.”