What are the potential security issues when I keep using Windows XP?

51

15

Microsoft stopped updating Windows XP and the media warns us of security leaks. I actually just read that continuing to use Windows XP is "extremely" dangerous. Why exactly is this such a danger? I would believe that by now XP should be pretty safe to use after years of updates.

Are there particular things XP users have to look out for and perhaps take counter measures against?

I would also believe that all the interesting places for hackers will update to Windows 7/8 and serious threats will not be created anymore in the future, at least not specifically aimed at Windows XP.

Madmenyo

Posted 2014-04-08T15:19:25.923

Reputation: 800

Question was closed 2014-04-09T22:11:18.830

"Extremely dangerous" is way strong. Why? Will my PC explode if I use Windows XP? Actually, if anything happens to the system, I can just reinstall Windows, so "extremely" is not appropriate here. – Wais Kamal – 2018-06-10T00:13:39.883

11

The answer to this question is long and involved. True understanding requires a great deal of study and experience. That's why most folks read opinions and advice from those who have developed the knowledge you question. Since you do not want to trust what the entire industry has been saying since 2007, there is no answer we could give you that would satisfy. Short answer: you are wrong in almost every way you can be wrong. Start here: http://nakedsecurity.sophos.com/2013/10/31/has-microsoft-just-proved-why-you-should-upgrade-from-xp/

– Frank Thomas – 2014-04-08T15:26:46.610

3@FrankThomas It is not about trust. I am just questioning the media. I'm not asking for a detailed 160 page PDF listing every issue and targeted at security experts. I'm asking for a simple and clear explanation and perhaps simple counter measures regular users can understand. That would make life easier for a regular user. – Madmenyo – 2014-04-08T15:30:35.363

4XP was built on a sandstone foundation, and over time ants have worn holes throughout it. There are too many holes to patch, so you tear down the house and build it again on an improved foundation. Vista, for all its flaws in userland, had a significantly more securable kernel, and will stand up better against previously unknown exploits. There is no simple or clear set of countermeasures you can take when you don't know the form of the exploit (since it hasn't happened yet). No one can tell you what threats XP will face tomorrow, only what it's facing today. – Frank Thomas – 2014-04-08T15:36:22.680

Safe in what environment and from what threats? As currently worded, this is an extremely broad question. – Jason – 2014-04-08T17:47:14.510

3Safety is illusion. – Jet – 2014-04-08T18:01:35.093

5I think using Windows XP even with updates is extremely dangerous – VL-80 – 2014-04-08T19:19:29.237

1Since, if I may say so, this is an interesting question and definitely has interesting and useful answers, could this question be taken off hold? I understand the topic is broad, but I cannot think of a way to cut it in pieces and ask multiple questions about this subject. Yet this proved to be a popular question with some good answers and deserves to be re-opened imho. – Madmenyo – 2014-04-10T16:01:06.000

Answers

45

Some reasons that XP is NOT safe, regardless of security updates.

Here are some facts to be aware of:

  1. Antivirus is a conceptually flawed approach to malware protection. Everyone should use one, but accept that at least 20% of the threats in the wild will penetrate their defenses. At times (depending on product) up to 60% of malware may evade detection.

  2. XP, due to its age and popularity, has more established 0-day exploits than any newer Windows OS. There are currently 964 CVEs affecting XP, 511 affecting Vista, and 410 affecting Windows 7 (many of which relate to Windows 7 Phone).

  3. XP lacks a number of critical kernel features common today including:

    • driver signing requirements (and WHQL certification)
    • restricted access to raw memory
    • Kernel-mode integrity checking
    • protections from malicious kernel patches
    • working address space randomization and Data Execution Prevention (true DEP is impossible without additional restrictions on memory access)
    • Permissions enforcement on all resources, including registry keys and device drivers (Windows Resource Protection)
    • TPM integration

  4. Most XP users run as system admin. Simple attacks like drive by downloads can automatically:

    • patch kernel components
    • install malicious drivers and rootkits
    • manipulate, install, and start services.
    • access protected registry areas
    • access raw memory to steal data.
    • traverse user directories and files with no boundaries.

  5. Many new applications or new versions of old applications won't run on XP. Though I am loath to consider it, IE is a widely used browser, and the versions of it that can be run on XP are objectively less secure than the modern versions for Win7/8. MS may provide a patch for vulnerabilities found in their SSL libraries, but they can't make it use real ASLR if the underlying kernel can't.

  6. UAC (while annoying, and not nearly so flexible as sudo) does present a meaningful limitation on the actions an attacker can take without user intervention.

  7. Exploits don't just go away. The attacks that were going on in 2004 against XP are still going on; they are just affecting fewer and fewer people every day as consumers get new PCs. There will remain malware targeting XP for a very long time yet. It is likely that no new security patches will be available to patch vulnerabilities that exist only in XP (and are already mitigated in Vista+).

Frank Thomas

Posted 2014-04-08T15:19:25.923

Reputation: 29 039
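As an added example (not part of the answer above or of any Microsoft tooling), the following PowerShell script reports three of the posture items the answer lists: the kernel version (item 2 and 3, whether the host is still an XP kernel), the system-wide DEP policy (item 3), and whether the interactive session holds administrator rights (item 4). It assumes a Windows host with PowerShell 2.0 or later and uses Get-WmiObject rather than the newer CIM cmdlets so that it also runs on the PowerShell 2.0 that was available for XP SP3; the function and variable names are the example's own.

```powershell
# Added example, not from the original answer: summarize a few of the
# posture items discussed above. Assumes Windows with PowerShell 2.0+.
function Get-XpPostureReport {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Win32_OperatingSystem exposes the DEP policy as an integer:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only),
    # 3 = OptOut (everything except an exception list).
    $depPolicyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy

    # Item 4: is the current session running with administrative rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Windows XP reports kernel version 5.1 (5.2 for XP x64, which shares its
    # kernel with Server 2003); Vista is the first 6.x kernel.
    $isXp = $os.Version -match '^5\.[12]\.'

    New-Object PSObject -Property @{
        OsCaption        = $os.Caption
        OsVersion        = $os.Version
        IsWindowsXp      = $isXp
        DepHardwareAvail = [bool]$os.DataExecutionPrevention_Available
        DepPolicy        = $depPolicyNames[$depPolicy]
        RunningAsAdmin   = $isAdmin
    }
}

$report = Get-XpPostureReport
$report | Format-List

if ($report.IsWindowsXp) {
    Write-Warning 'Unsupported kernel (Windows XP family): no vendor patches will arrive for new findings.'
}
if ($report.RunningAsAdmin) {
    Write-Warning 'Interactive session has administrator rights; everyday use should run as a standard user.'
}
if ($report.DepPolicy -ne 'AlwaysOn' -and $report.DepPolicy -ne 'OptOut') {
    Write-Warning "DEP policy is '$($report.DepPolicy)'; most third-party processes are not covered."
}
```

The DEP policy value is the most useful of the three in practice: on XP the default is OptIn, so only Windows' own binaries get no-execute protection, and the browser plugins the answer's comments mention (Flash, Acrobat) run without it unless the policy is raised to OptOut. The check only reports policy, not whether a given process honours it, which is the kernel-level limitation the answer's item 3 describes.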

1If something like a POS has a firewall installed which gobbles up any packets other than well-formed packets which are sent to/from registered signed applications, by what means would any outside code enter the system? – supercat – 2014-04-08T18:33:41.160

5Firewalls only block traffic by attribute, so of the types of malware out there (worms, viruses, and trojans) they can only block worms (and often the worm comes in looking legit anyway). Trojans have been the primary tactic for malware since 2005, and they work as they always have. The user browses to a site. An ad network the site uses loads an ad with an invisible malformed PDF or Flash video. The bad file causes the Flash/Acrobat runtime to misbehave and facilitate the download of a RASkit. A malformed document in well-formed packets doesn't get booted by a firewall. They handle net attacks. – Frank Thomas – 2014-04-08T18:42:37.357

Using a browser to access things other than white-listed https:// addresses is trouble, but many POS systems don't allow anything of the sort. If an application communicates to a host via some TCP port, and doesn't accept flash, PDF files, or other such junk, what hazards would exist? – supercat – 2014-04-08T18:47:14.643

1I assume you are referring to a point of sale system. Since it is an appliance, there is a lot less that can be done to it directly, since it takes almost no input. In general most folks are talking about a user operating system. There are definitely issues with even using it as an appliance related to privacy (hardware limitations on encryption, old comms protocol support, application tier vulnerabilities), etc., but you are right: in that scenario, it's less of a concern. – Frank Thomas – 2014-04-08T18:55:59.200

4CONT. That said, POS systems face an entirely different set of threats, because they deal with money directly and interface with accounting systems across the enterprise. That makes them desirable targets for tampering as a gateway into the back office. Barnes and Noble had hundreds of their POS systems turned against them last year. Personally I don't believe a general purpose OS is fit for that kind of environment. – Frank Thomas – 2014-04-08T19:01:18.563

Some contradictions in different answers and discussions on individual topics make it hard to accept a single answer. This however feels like the best answer for now. – Madmenyo – 2014-04-09T16:11:06.147

1Yeah. The first thing you learn when studying security is that "secure" is an ideal state that can never be attained. That leaves us with only the concept of "safe" or even better "safe enough". Within the ambiguity of "safe enough for what/whom?" there is room for disagreement. I've attempted to provide the most objective answer I can to support my professional position on the topic, but there will always be some dissent on any technological topic, and circumstances do vary. – Frank Thomas – 2014-04-09T16:18:34.037

29

Windows XP has been deemed "dangerous" by several people because Microsoft is no longer providing security updates. Some people state that because of the lack of updates, any new vulnerabilities found in XP will not be patched, which can be a major security issue as many healthcare facilities still utilize XP, and several Point-of-Sale (POS) systems use XP as their base (we don't want another Target incident). I'll also add some history here: when Windows XP SP2 left support, there was an increase of malware by 66% with machines running XP SP2 instead of SP3 (source - ComputerWorld).

On the contrary, some believe that XP is still safe. There is an excellent article on ComputerWorld stating that "Sticking with Windows XP can be a smart move". In a nutshell, some users believe that XP will be perfectly safe, as long as you use a good third-party firewall and good third-party antivirus (it is strongly encouraged to not use Windows Firewall on XP anymore because of the lack of updates). I'll add an article on "How to Support Windows XP Now That Microsoft Isn't".

I'll add some links down here for some good readings about the "death" of XP (I understand that links are discouraged, however this response and many others could last forever if I try to include every little detail in this answer):

Mike Koch

Posted 2014-04-08T15:19:25.923

Reputation: 1 421

This is exactly what I am looking for. I'll let this run for a little while before accepting. – Madmenyo – 2014-04-08T15:35:38.603

4Now it has become a new big target for hackers. The number of vulnerabilities will grow very rapidly (as in the SP2 case). Even if AV stops one malware, others will work (as in the case of SP2 + best AV). So don't think that it can stay safe. Even Win8 + best AV with latest updates is unsafe... – Jet – 2014-04-08T17:55:55.647

6"In a nutshell, some users believe that XP will be perfectly safe, as long as you use a good third-party firewall and good third-party antivirus." Some users would be wrong. – Maxx Daymon – 2014-04-09T05:24:06.707

1@MaxxDaymon How so? – DBedrenko – 2014-04-09T06:44:47.123

4What exactly can 3rd party firewalls and antivirus do against things like e.g. exploitable network stack bugs? – PlasmaHH – 2014-04-09T08:18:00.180

@NewWorld Various tools protect against certain classes of attack and certain attack vectors, but they can't make up for overall posture. Analogies are imperfect, but having the best doors and the best locks doesn't help when you have glass windows. More details in my answer. – Maxx Daymon – 2014-04-09T16:49:07.867

@MaxxDaymon I completely agree that some users would be wrong. However, my bias would cause a non-neutral answer :D – Mike Koch – 2014-04-09T23:55:32.353

22

Many of the vulnerabilities discovered in Windows are applied to all current operating systems, including XP.

When these fixes are no longer released for XP, but released for other versions of Windows, it's easy for an attacker who knows what they are doing to determine how XP is vulnerable, by monitoring the updates released for operating systems past XP.

Microsoft is basically telling anyone who cares exactly what is vulnerable in XP after the XP EOL date.

LawrenceC

Posted 2014-04-08T15:19:25.923

Reputation: 63 487

17

For the purposes of this answer, I am interpreting the question as focused on what has changed about running Windows XP on April 7, 2014 vs on April 9, 2014. To put another way, I am not going to speak to the myriad of advantages and disadvantages that were true on both days, but rather what specifically changed about Windows XP security on April 8th.

So, from that perspective, lack of patching capability is the security issue with XP post April 8th, and it's a major one. No, running "good" anti-virus software and a third-party firewall won't make up for it. Not by a long shot.

Security is a multi-faceted problem. "Being Secure" involves using encrypted communication channels (https), running active monitoring/detection software (anti-virus/malware), only downloading software from trusted sources, validating signatures on downloaded applications, avoiding notoriously weak software, and updating/patching software promptly.

All of these practices and products taken together can be called security hygiene and, in the case of Windows XP, you can continue to practice all these things except for one: patching, but it won't help.

Why Patching Matters

Therein lies the first and most critical problem. Aggressive patching is the absolute most effective practice of all, and this is why:

  • Anti-virus fails at alarming rates, 40% according to this study. Plenty of others abound. Detection is still mostly based on fixed signatures. Remixing old exploits to evade detection is trivial.
  • Firewalls do not stop what users let in. PDF, Flash, and Java: the Most Dangerous File Types are all invited right through the firewall. Unless the firewall is blocking The Internet, it's not going to help.

Running the latest anti-virus and firewall just doesn't do much. That's not to say they aren't effective in combination with all the above hygiene, and anti-virus will eventually detect some exploits as they age, but even then trivial repackaging will evade detection and the underlying exploits will still work. Patching is the foundation of a good defense. Without patching, everything else is just gravy. The vast majority of malware depends on unpatched software to succeed:

How the most common cyber exploits could be prevented (2011):

One of the more disturbing, although not surprising, findings was that the top 15 vulnerabilities being exploited by observed attacks were all well-known and had patches available, some of them for years. The Office Web Components Active Script Execution vulnerability, No. 2 on the hit list, has been patched since 2002. The top vulnerability, in Microsoft’s Internet Explorer RDS ActiveX, has been patched since 2006.

Interesting Analysis on Patching and Attacks:

“In this supplemental analysis, zero-day exploitation accounted for about 0.12 percent of all exploit activity in 1H11, reaching a peak of 0.37 percent in June.”

“Of the attacks attributed to exploits in the 1H11 MSRT data, less than half of them targeted vulnerabilities disclosed within the previous year, and none targeted vulnerabilities that were zero-day during the first half of 2011.”

In other words, the vast majority of successful exploits are only possible because people did not apply patches when they became available. Even now, the majority of the successful Java exploits are against vulnerabilities that have been patched; users are not updating. I could post dozens more research papers and articles but, the point is, when vulnerabilities are known and patches are not applied, that is where the damage increasingly comes from. Malware, like any software, grows and spreads over time. Patches inoculate against old malware but, if patches never come, the environment is getting increasingly toxic by the day, and there is no cure to be had.

Without patches, zero-day vulnerabilities are never closed, they are effectively "zero-day" forever. As each new vulnerability is found, malware authors can spin new minor variations to avoid signature detection, and the OS will always be vulnerable. So Windows XP will become less and less secure over time. In practice, this will look a lot like what we see in the above GCN report among the 40% of XP users in 2011 who hadn't even installed patches from 2002 (so, post-April 8th, that will be 100% by definition). Compounding the problem will be the fact that malware authors are already focusing on XP again, knowing that anything they find will remain valuable and exploitable long term.

In the age of always/frequently-on, always-connected devices, aggressive and frequent patching is a base requirement of any OS.

Maxx Daymon

Posted 2014-04-08T15:19:25.923

Reputation: 1 371
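One of the hygiene practices the answer above lists is validating signatures on downloaded applications. As an added example (not part of the answer, and not a Microsoft-supplied script), the following PowerShell snippet runs Get-AuthenticodeSignature over the installers in a download folder and flags anything whose signature is not Valid. It assumes Windows PowerShell; the folder path defaults to the current user's Downloads directory and the function name is the example's own.

```powershell
# Added example, not from the original answer: check Authenticode signatures
# on downloaded installers before running them. Assumes Windows PowerShell.
function Test-DownloadSignatures {
    param([string]$Folder = "$env:USERPROFILE\Downloads")  # placeholder default path

    Get-ChildItem -Path $Folder -Include *.exe, *.msi, *.dll, *.ps1 -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            # SignerCertificate is $null for unsigned files.
            $signer = '(none)'
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            New-Object PSObject -Property @{
                File   = $_.Name
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = $signer
            }
        }
}

$results = Test-DownloadSignatures
$results | Format-Table File, Status, Signer -AutoSize

# Anything other than 'Valid' deserves a second look before installation:
# NotSigned means there is no vendor binding at all, and HashMismatch means
# the file was altered after it was signed.
$results | Where-Object { $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "$($_.File): signature status is $($_.Status)" }
```

A Valid status only tells you the file is unmodified since a certificate chain the machine trusts signed it; it says nothing about whether that publisher is the one you meant to download from, so the Signer column should still be read against the expected vendor name.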

0

The danger is with the applications that exist within Windows XP, such as Internet Explorer. Under XP this software will no longer receive patches, so as new exploits develop and are fixed under Vista and Windows 7, that same exploit will still remain under XP.

One exploit that provides proof is the "WMF" exploit virus, which allows hackers to run code on an unpatched machine. This exploit was discovered in 2006 but had existed as code had been migrated from the days of Windows 3.0, and affects all Windows versions from Windows up to Windows Server 2003. Microsoft has issued a patch to fix Windows 2000, Windows XP, and Server 2003, but did not patch Windows NT. Microsoft re-uses code from old versions of the OS, brought forward. It does not mean that all the bugs have been fixed and exploits patched.

Setting aside the issue of security and not fixing the continuing exploits, one can look at the future availability of software. Newer applications may not run on an XP machine due to not being able to install newer .NET frameworks or other requirements that do not exist under XP. As I have seen with Windows 9X, most software companies tend to stop supporting their product and ensuring that it will function under those OS's. Norton Antivirus was one product that comes to mind, as the installation for this product relied on Internet Explorer for its installation.

As for counter measures to protect the system, to me they would just give one the illusion of a protected system, as there is so much to Windows. You would have to spend countless hours keeping track of what is patched and what is still a security risk. The only counter measure is to replace Windows XP with an OS that Microsoft will continue to patch. It all boils down to what you are going to use the PC for, who is using it (other computer users or just yourself), and what it's attached to. As for my home network, I discontinued XP a long time ago, skipped Vista and its issues, and run both Ubuntu and Windows 7. I have tested Windows 8 but did not like how it acted on my network. The operating system is the sum of all its parts; there is more to it than just an unpatched firewall or installing a new anti-virus to try and protect it.

user314301

Posted 2014-04-08T15:19:25.923

Reputation: 1