State of Emergency as Windows XP Support Ends?

Now that Windows XP support has stopped, will you become a target for cybercriminals?

Starting from April 8, 2014, Microsoft stops supporting Windows XP even though its market share is still high (29.53% in February 2014 according to Net Applications). What is the security impact of this decision? In practical terms, computers that are still running Windows XP no longer receive updates, including those that address security vulnerabilities in the operating system. Whether you are an individual or a company, are you about to become the favorite target of cybercriminals? It’s not so clear…

Whether an organization is a small, medium or large enterprise, in banking, industry or services, April 8, 2014 could affect it, because the end of Windows XP support is more than just a matter of migrating to a new operating system. Other considerations, such as the cost of that migration or the disruption of services it causes, are critical factors that also need to be taken into account when deciding whether to upgrade.

Take the example of the banking sector. 95% of automatic teller machines (ATMs) around the world rely on computers running Windows XP. Beyond the disruption of services needed to perform this migration, these computers are normally not able to run a newer version of Windows. In this case, a migration is not possible without first upgrading the hardware, incurring significant cost and downtime for these companies. The same goes for SCADA (Supervisory Control and Data Acquisition) environments. These industrial systems run business-specific applications that were developed for Windows XP and will require significant development effort and cost to migrate to another operating system.

In light of these potential difficulties, what options are available to these companies? One possible option is to do nothing. Will they be more vulnerable? Not necessarily! Depending on the company, it may already be the case that OS patches are not applied, precisely in order to avoid disrupting services. For these organizations, a disruption of services is not limited to the migration to a new OS but also includes any update of any operating system. These companies will be no more vulnerable than they already are today. Conversely, companies that have systematically updated their operating systems will become more vulnerable after April 8 if they choose not to upgrade their systems.

As for the ATMs themselves, rest assured that these machines are not directly connected to the internet. The only way for a cybercriminal to target them is to attack the machine itself (e.g. introducing a Trojan through a USB key connected to the machine), which is a very unlikely operation and a very risky one for cybercriminals.

Understand that the key to safely staying on Windows XP is not being connected to the internet. If that is not possible, it is highly recommended that you migrate to another operating system, because there will certainly be an upsurge of attacks targeting XP vulnerabilities to extract sensitive information (competitive information, credit card numbers …) from these systems.
Guillaume Lovet is Senior Manager, FortiGuard Labs Threat Response Team, Fortinet