HKCert
Security Blog

Post Response Action on Windows XP End of Support

Release Date: 20 / 05 / 2014
Last Update: 22 / 05 / 2014

It has been more than a month since Microsoft terminated support for the Windows XP system (WinXP) on April 8, 2014. According to the StatCounter statistics report [1], the number of WinXP users in Hong Kong has only decreased slightly, by 1% (to 14.01%), compared with the previous month. This shows that there are still a large number of users unable to upgrade or migrate to other operating systems in time. In view of this, this blog article attempts to understand the reasons for not upgrading or migrating to other operating systems and to explore the need for risk management when continuing to use WinXP.

Figure 1. Trend of WinXP market share in Hong Kong from 2014-Jan to 2014-May


After the end of support, can WinXP still be used?

After April 8, 2014, WinXP can still operate, but Microsoft no longer provides any support services for WinXP, including the release of security updates to patch vulnerabilities, which means that WinXP users have to face the security risk of running unpatched vulnerabilities. On April 26, 2014, security experts discovered a new Internet Explorer zero-day vulnerability (CVE-2014-1776), which affected Internet Explorer versions 6 to 8 running on WinXP. Because the exploit code had been made public and attacks had been seen in the wild before the vulnerability was announced, Microsoft considered it a critical vulnerability and decided to offer the security patch to WinXP users as well, but this exceptional case is not guaranteed to be repeated in future. Microsoft later released another security bulletin in May 2014, and it was the first time WinXP was not included.

Although WinXP can still operate after the end of support, vulnerabilities continue to be disclosed at a rising rate while no corresponding security patches are released, so the security risk is increasing gradually.


Why do users choose not to upgrade or migrate to other operating systems?

The WinXP end of support initiated a lively discussion on the Internet, including discussion of the reasons why users choose not to upgrade or migrate to other operating systems. We collected the main reasons below (in random order):

  1. "Waiting to replace the computer with an upgraded Windows system or migrate to another operating system in future."
  2. "The system still can operate as usual. There is no need to upgrade or migrate to other operating systems."
  3. "Believe that anti-virus software is sufficient to eliminate the security risk."
  4. "Legacy software / applications can only run on WinXP."
  5. "There is no budget to upgrade or migrate to other operating systems."


Risk management in continuous use of WinXP

Looking at the above reasons, if users have decided, or are forced, to continue using WinXP in the short term, we suggest that they conduct risk management to mitigate the security risks that may arise. Since the security threats in the continued use of WinXP come mainly from the Internet, we can use the WinXP user's need for Internet access as the basis for setting system upgrade or migration priorities and for developing risk reduction measures.


WinXP Risk Assessment and Mitigation Measures

The table below gives, for each level of need to use the Internet, the security risk level, the system upgrade or migration priority, and the measures to minimize security risks [2].

Need of using the Internet: Must use
  - Searching for information on the Internet and sending and receiving e-mail
Security risk level: High
System upgrade or migration priority: 1
Measures to minimize security risks:
  - Avoid using Internet Explorer; use a third-party browser that still supports WinXP, e.g. Firefox or Chrome
  - Must install security software that still receives updates on the WinXP platform
  - Provide only standard (non-administrator) user account permissions
  - Enhance the security protection of the system: disable the "Autorun" feature, enable the "DEP" feature and install the free Microsoft tool "EMET"
  - Do not put WinXP computers in the same LAN as critical systems

Need of using the Internet: May use
  - Intranet
  - System and software updates
Security risk level: Medium
System upgrade or migration priority: 2
Measures to minimize security risks:
  - Restrict browsing to a predefined whitelist of sites, such as the company intranet
  - Must install security software that still receives updates on the WinXP platform
  - Provide only standard (non-administrator) user account permissions
  - Enhance the security protection of the system: disable the "Autorun" feature, enable the "DEP" feature and install the free Microsoft tool "EMET"

Need of using the Internet: Not use
  - Word processing
  - Running applications on the local machine
Security risk level: Low
System upgrade or migration priority: 3
Measures to minimize security risks:
  - Isolate the computer from the network
  - Provide only standard (non-administrator) user account permissions
  - Enhance the security protection of the system: disable the "Autorun" feature, enable the "DEP" feature and install the free Microsoft tool "EMET"
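The mitigation measures above can be verified on the machine itself. The batch script below is an added example, not code from the HKCERT article: it audits a WinXP SP3 host for the technical measures in the table (AutoRun disabled, DEP enabled, EMET installed, the current account not a local administrator, and anti-virus software registered with Security Center). It assumes reg.exe, findstr.exe and wmic.exe are present, an English-language Windows (for the "Administrators" group name), and that EMET 4.x keeps its settings under HKLM\SOFTWARE\Microsoft\EMET; that EMET key is an assumption, the other registry paths and the boot.ini /noexecute switch are standard WinXP locations. The LAN isolation measure cannot be checked from the host and is not covered.

```batch
@echo off
setlocal EnableExtensions
REM winxp_mitigation_check.cmd
REM Added example (not from the HKCERT article): read-only audit of the
REM WinXP mitigation measures. Run from an administrator command prompt.
REM Lines marked ASSUMPTION depend on the EMET version or OS language.

set PASS=0
set FAIL=0

echo === 1. AutoRun ===
REM NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
set AUTORUN=
for /f "tokens=3" %%V in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun 2^>nul ^| find /i "NoDriveTypeAutoRun"') do set AUTORUN=%%V
if /i "%AUTORUN%"=="0xff" (call :ok "AutoRun disabled for all drive types") else (call :bad "NoDriveTypeAutoRun is '%AUTORUN%', expected 0xff")
REM Mapping Autorun.inf to a non-existent INI section makes Windows ignore autorun.inf files.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve 2>nul | find /i "DoesNotExist" >nul
if errorlevel 1 (call :bad "autorun.inf files are still honoured, IniFileMapping entry missing") else (call :ok "autorun.inf files are ignored")

echo === 2. DEP ===
REM On WinXP the DEP policy is a boot.ini switch, there is no bcdedit:
REM /noexecute=optin is the default and only covers Windows binaries;
REM optout or alwayson covers all programs. The CPU must also support NX.
findstr /i /c:"/noexecute=optout" /c:"/noexecute=alwayson" %SystemDrive%\boot.ini >nul 2>&1
if errorlevel 1 (call :bad "boot.ini does not set /noexecute=OptOut or AlwaysOn") else (call :ok "DEP enabled for all programs via boot.ini")

echo === 3. EMET ===
REM ASSUMPTION: EMET 4.x stores its configuration under HKLM\SOFTWARE\Microsoft\EMET.
reg query "HKLM\SOFTWARE\Microsoft\EMET" >nul 2>&1
if errorlevel 1 (call :bad "EMET registry key not found, EMET does not appear to be installed") else (call :ok "EMET configuration key present")

echo === 4. Account privileges ===
REM Daily work should be done from a limited account. find matches substrings,
REM so a short user name may also match a longer one; ASSUMPTION: English group name.
net localgroup Administrators 2>nul | find /i "%USERNAME%" >nul
if errorlevel 1 (call :ok "%USERNAME% is not in the local Administrators group") else (call :bad "%USERNAME% is a local administrator")

echo === 5. Security software ===
REM WinXP SP2+ registers anti-virus products in the root\SecurityCenter WMI namespace.
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get displayName,versionNumber,productUptoDate,onAccessScanningEnabled 2>nul
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get displayName /format:list 2>nul | find /i "displayName=" >nul
if errorlevel 1 (call :bad "no anti-virus product registered with Security Center") else (call :ok "anti-virus product registered, check it still receives updates")

echo.
echo Summary: %PASS% check(s) passed, %FAIL% check(s) failed.
endlocal
exit /b

:ok
echo [PASS] %~1
set /a PASS+=1
goto :eof

:bad
echo [FAIL] %~1
set /a FAIL+=1
goto :eof
```

The script only reads settings; each [FAIL] line names the setting to change. Because `net localgroup` and `find` work on display text, a user name that is a substring of another member's name produces a false [FAIL], so confirm that result with `net user %USERNAME%` before acting on it.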


Prepare for software end of support life cycle

The WinXP end of support case reveals our lack of preparation for the end of support for computer systems and software applications. In fact, common software such as Microsoft Office, Adobe Reader and Oracle Java also has its own support life cycle. We should prepare for the end of support of the software or systems in use at an early stage: prepare the budget for upgrading or migrating to new systems, and develop measures to mitigate the security risks if, for some reason, we cannot upgrade in time.


Following the WinXP end of support, we also have to pay attention to the fact that software vendors' support for WinXP will be reduced gradually. Google Chrome, Adobe Photoshop and some security software [3] have announced that the next version or the existing version will end support for WinXP in 2015. In addition, WinXP users are in general running the 32-bit version of the operating system, but newly developed software mainly targets 64-bit operating systems, so it may not be possible to install this type of new software on WinXP.
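Tracking vendor support for what is actually installed starts with an inventory. The batch script below is an added example, not code from the HKCERT article: it lists the installed applications and their versions from the standard Uninstall registry key and reports the processor architecture, producing semicolon-separated lines that can be pasted into a spreadsheet next to each vendor's published end-of-support date. It assumes only reg.exe and cmd extensions, both present on WinXP.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
REM installed_software_inventory.cmd
REM Added example (not from the HKCERT article): inventory of installed
REM applications from HKLM\...\Uninstall, for comparison against vendor
REM end-of-support dates. Output: Product;Version;Uninstall key

REM A 32-bit WinXP reports x86. Under a 64-bit OS a 32-bit cmd also reports x86,
REM but additionally sets PROCESSOR_ARCHITEW6432.
if defined PROCESSOR_ARCHITEW6432 (
  echo Architecture: %PROCESSOR_ARCHITEW6432% ^(64-bit OS, 32-bit shell^)
) else (
  echo Architecture: %PROCESSOR_ARCHITECTURE%
)

echo Product;Version;Uninstall key
REM reg query without /s prints a banner and then one full subkey path per line;
REM the banner line has no DisplayName value and is skipped inside :show.
for /f "delims=" %%K in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" 2^>nul') do call :show "%%K"
endlocal
exit /b

:show
set "NAME="
set "VER="
set "KEY=%~1"
REM reg.exe prints "    DisplayName<tab>REG_SZ<tab>value"; tokens=2,* keeps the
REM whole value including spaces. Entries without DisplayName (hotfixes,
REM hidden components) are not listed.
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v DisplayName 2^>nul ^| find /i "DisplayName"') do set "NAME=%%B"
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v DisplayVersion 2^>nul ^| find /i "DisplayVersion"') do set "VER=%%B"
REM Delayed expansion keeps names containing & or ^ from being executed by echo.
if defined NAME echo !NAME!;!VER!;!KEY!
goto :eof
```

Redirect the output to a file (`installed_software_inventory.cmd > inventory.txt`) and keep it with the upgrade plan; re-running it after each change shows which products still lack a supported successor. Products whose display name contains an exclamation mark lose that character because of delayed expansion, which does not affect the version column.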


Conclusion

WinXP was a very successful operating system, but it was not designed to handle modern security threats. In the past decade cyber crime has become prominent, and malware and network attacks have increased significantly; in both personal and corporate environments they can cause financial loss through information leakage, denial of service and the like. In addition, as demand for data privacy escalates, continued use of WinXP and its bundled old version of the IE browser poses additional threats: weaker memory protection, weaker encryption, hashing and digital signing algorithms, and a browser without a sandbox or the more advanced safe browsing features. To make sure that PCs continue to be securely supported and operational, HKCERT urges both consumers and businesses to upgrade or migrate to other operating systems as soon as possible, to mitigate the threats to data and the financial loss caused by malware and network attacks. If for any reason you want to continue using WinXP, please do the risk assessment, apply good measures to mitigate security threats, set system upgrade or migration priorities, and plan for a full upgrade or migration.


References

  1. http://gs.statcounter.com/#desktop-os-HK-monthly-201404-201405
  2. http://cw.com.hk/feature/10-ways-keep-windows-xp-machines-secure
  3. http://www.av-test.org/en/news/news-single-view/the-end-is-nigh-for-windows-xp-these-anti-virus-software-products-will-continue-to-protect-xp-after/