The Windows XP Zombie Apocalypse

Indeed, many vendors have already committed to continued support for Windows XP as a platform upon which their products will run, which sounds a lot more reassuring than it actually is in real world terms.

The start and finish of such 'protection' is really just your web browser and email client targeted stuff, whereas the start and finish of the XP security argument has to be the not so small matter of the first time someone exploits a low-level OS vulnerability which enables them to circumvent any such AV defence.

At the very least, then, enterprises with XP devices still operating need to limit the use of browsing or email (preferably to zero) while locking those machines down to running specific 'safe' software as far as possible. Filter any traffic going to and from an XP device more aggressively, and up your monitoring of these devices. Isolate XP instances where possible, use whatever network security resources you have to up the inspection of them, and even consider running your instances of XP on Virtual Machines.

All of this is good advice, but it's still akin to placing a sticking plaster on a gangrene infected leg. The only real solution is amputation. It's not too giant a leap of the imagination though. There are plenty of IT security professionals out there supporting this scenario to suggest that the bad guys are already sitting on a XP zero-day or two just waiting for security updates to expire before using it in the wild.

Some people point to nothing much having happened when Windows 2000 reached end of life status, back in 2010, and others point further back in time to the end of life of Windows 95. However, while the scale of both from the user base was large, more so in the case of Windows 95, the IT security threat landscape was entirely different.

Now that threatscape is both much broader by way of the number of devices that are at risk, and bizarrely also much more targeted by way of the end game. Fewer threats fall into the 'nuisance' category and far more have a payload of monetary gain. Only a fool would argue that the security threats today are not a lot more sophisticated than they were four years ago, and certainly in an entirely different league from 13 years ago when XP burst onto the scene.

The truth of the matter is that XP just isn't as prepared. Despite all the updates and patches, it remains unable at its very core to deal with the kind of threats out there today. Windows upgrades are not just about Microsoft hunting for more revenue (although obviously that's a part of it) but are also about improving the user experience and, most importantly from the perspective of the IT security professional, about bringing ever increasingly advanced security to the OS. Sure, the haters will hate, as they say, but that's fact.

Each point upgrade of Windows has been more secure than its predecessor. XP is so old now that it stands to reason that even if it had not reached end of life, the devices running it would be considered more of a risk, in fact a significantly higher risk, from the security perspective than those running Windows 7 or 8.

Yes, the 'XP Apocalypse' scenario sounds familiar to the 'Y2K Bug Disaster' in some ways. And everyone knows that never actually happened. However, one of the reasons the Y2K bug never materialised is that people were prepared, and took those preparations seriously. The same cannot be said of XP end of life. Plenty of people who should know better have buried their heads in the sand rather than commit the time and money required to move to a supported, and therefore better secured, OS platform.

Advice such as 'ensure any XP machines cannot access the internet via email clients or web browsers' is sound enough, given that most attacks are likely to come from this vector, but better advice is to smell the coffee and migrate away from XP as soon as possible.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.