Windows XP: EOL, What You Need to Know
Well, if you are still using it, it will still work. You don’t have to worry about the system just shutting down and you losing all of your data. While there has been a lot of hype over this doomsday, we haven’t really seen many of the huge predicted issues. I haven’t seen any ATMs just spitting out cash for no reason. Hospital medical devices have not just stopped working. The earth is still spinning at its normal speed.
So what is the concern? On this site, of course, it is going to be security related. When an operating system goes end of life, it means that Microsoft no longer supplies updates or patches. Many of these updates and patches contain critical security fixes. In some cases Microsoft will provide extended support (for a large fee) to corporations to hold them over until migration is complete. This does not help your normal home user, though.
Regarding the big concern over ATMs and other embedded devices, it is important to understand what version of Windows XP they are running. Some embedded versions of the OS are still supported and are not affected by this. Others may be running the End of Life version, but there are still many factors to consider. How does the device connect to the internet (or does it connect at all)? Does it have any input ports? What other restrictions on access does it have? All of these factors will raise or lower the risk to that specific device.
For the enterprises out there, running outdated software is always a concern. There is no doubt that security vulnerabilities will be identified and exploits released for Windows XP in the future. As updates come out for newer versions of Windows, flaws fixed in those versions will be found to still work against Windows XP. With phishing attacks being very popular, this opens your network up even more than normal. All that money you have put into other controls could be diminished by the OS and its lack of patches. Some may say that they have custom software that runs on Windows XP only, but there has been plenty of time to update that software for a newer OS.
There is also the question of compliance. There appears to be a lot of debate on how using Windows XP now affects PCI and HIPAA. It is important to understand how these regulations work and what you need to do if you are still running Windows XP.
For home users, it is similar to the enterprise, except for the money spent on enterprise-level controls. Often home users don’t feel they are at much risk, but in reality they are a great target for an attacker. The resources of the computer (CPU, drive space) are very appetizing. Attackers can use these home machines as launching pads for attacks to help cover their tracks.
Yesterday was the time to start updating to a newer OS, but if you missed that, today is the next best thing. Start upgrading before the new vulnerabilities start flying around the internet.
James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at email@example.com, @JardineSoftware, or visit the Secure Ideas – Professionally Evil site for services provided.