
HKCERT calls for attention on Windows XP End of Support

Release Date: 20 Mar 2014

Microsoft has announced the end of support (EOS) for Windows XP (WinXP) on 8 Apr 2014 (Note 1). After this date, Microsoft will no longer provide support and security patches for WinXP. Microsoft will continue to provide patches for supported versions of Windows, including Windows Vista, Windows 7, 8.0 and 8.1. HKCERT urges WinXP users to take immediate action to upgrade the operating system software to a newer version of Windows or migrate to another operating system with good support.

 

 

Market share of WinXP in Hong Kong

According to StatCounter (http://gs.statcounter.com), WinXP accounted for 17% of client OS in Hong Kong in February 2014, down from 26% in March 2013 (Figure 1). In other words, about 1.4M PCs are still running WinXP. Newer versions of Windows are taking up the share, with Win 7 dominating at 53% and Win 8.x catching up at 10% (Figure 2).

 

Figure 1. Trend of WinXP market share in Hong Kong from 2013-Feb to 2014-Feb

 

 

Figure 2. Client OS market share in Hong Kong in 2014-Feb

 

 

Security Implications of WinXP EOS

WinXP SP3 is 5.7 times more vulnerable than Win 8 RTM
According to the Microsoft Security Intelligence Report Volume 15 (Note 2), WinXP had a much higher infection rate (9.1) than Win7 (4.9) and Win 8 (1.6) in Q2 of 2013, although the encounter rates are quite comparable across these systems. That means every Windows OS has a similar chance of being exposed to attacks, but WinXP has about double the infection rate of WinVista or Win7 and 5.7 times that of Win8 RTM (Figure 3).
 

 

Figure 3. Infection Rate and Encounter Rate for Windows client operating systems, 2Q 2013

(Source: Microsoft Security Intelligence Report Volume 15)

 

WinXP will have an even higher security risk after EOS
Once Microsoft ceases to support WinXP, security patches and support will no longer be provided to WinXP users. If any vulnerability of Win7 or Win8 is shared by WinXP, hackers may reverse engineer the patch for Win7 and Win8 to find the vulnerability and use it to exploit WinXP. WinXP will be exposed to more attacks and suffer higher risks in the future.
 

Do not rely on unofficial security patches
Some people who still use WinXP are hoping that white knights will appear to save them. Some third-party developers might volunteer to provide unofficial patches after WinXP EOS. However, with less thorough knowledge of the internals of WinXP, and less experience than Microsoft staff in dealing with a vast range of applications and environments, third parties cannot match the quality and compatibility of Microsoft's security patches. Furthermore, these third parties have no contractual obligation and thus are not accountable to the users. Even worse, some malicious parties could take the opportunity to provide trojanized patches to WinXP users to infect their computers with malware. HKCERT advises against relying on unofficial security patches.
 

 

Make the right move: upgrade or migrate to a supported operating system

WinXP was a very successful operating system but was not designed to handle modern security threats. In the past ten years, cyber criminals have become prominent, malware and network attacks have increased significantly, and the demand for data privacy has escalated. Continued use of WinXP and its bundled old version of the IE browser poses additional threats, such as weaker memory protection, weaker encryption, hashing and digital signing algorithms, and the lack of a sandbox and of more advanced safe browsing features in the browser. To make sure that PCs continue to be securely supported and operational, HKCERT urges both consumers and businesses to migrate to newer versions of the operating system immediately.
  

 

Embedded WinXP Professional facing EOS

Some embedded systems, such as point of sale terminals and ticketing systems, use the Embedded WinXP Professional Edition operating system. This system reaches EOS on December 31, 2016 (Note 3). Hardware vendors providing devices using Embedded WinXP Professional should develop their upgrade or migration plan now, as the revamping, testing and deployment of embedded systems take a long time.

 

 

Notes
#1 Support of Windows XP ends on April 8, 2014
      http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx

#2 Microsoft Security Intelligence Report, Volume 15, page 59
      http://www.microsoft.com/security/sir/default.aspx

#3 Windows Embedded Product Lifecycles & Support
      http://www.microsoft.com/windowsembedded/en-us/product-lifecycles.aspx