
To / From: All RDM Development Officer
Date: 22nd January, 2014
Subject: SECURITY IMPLICATIONS OF MICROSOFT WINDOWS XP END OF SUPPORT

Introduction

Production use of software in a networked environment is typically surrounded by security processes to mitigate newly discovered security vulnerabilities. Software patch management is one of the fundamental security processes that organizations employ to mitigate risk and ensure system compliance. Software vendors usually update software to fix discovered vulnerabilities and release new software versions or patches to existing software versions. When a software vendor discontinues updates for security-related issues, newly discovered vulnerabilities become persistent threats in an organization's attack surface. When a software application is widely deployed, the attack surface becomes a significant risk.

Microsoft announced that the extended support for the Windows XP operating system (as well as Office 2003 and Exchange 2003) is scheduled to end on April 8, 2014. According to Microsoft, end of support means an end to the following:

- Security updates
- Non-security hotfixes
- Free or paid assisted support options
- Online technical content updates

This is the time to make sure you have the latest available update or service pack installed. Without Microsoft support, you will no longer receive security updates that can help protect your PC from harmful viruses, spyware, and other malicious software that can steal your personal information.

Microsoft Support Lifecycle

Microsoft Support Lifecycle policy provides consistent and predictable guidelines for product support availability when a product releases and throughout that product's life. By understanding the product support available, users are better able to maximize the management of their IT investments and strategically plan for a successful IT future.

| Client operating systems | Latest update or service pack | End of mainstream support | End of extended support |
|---|---|---|---|
| Windows XP | Service Pack 3 | April 14, 2009 | April 8, 2014 |
| Windows Vista | Service Pack 2 | April 10, 2012 | April 11, 2017 |
| Windows 7 * | Service Pack 1 | January 13, 2015 | January 14, 2020 |
| Windows 8 | Windows 8.1 | January 9, 2018 | January 10, 2023 |

* Support for Windows 7 RTM without service packs ended on April 9, 2013. Be sure to install Windows 7 Service Pack 1 today to continue to receive support and updates.

Security Implications

Microsoft Windows XP was designed and developed 13 years ago, before Twitter, Facebook, instant messaging, social networking or the cloud. Over the past decade, internet usage, and consequently malicious activity, has grown exponentially; Windows XP and Office 2003 were never designed to operate in today's environment. The annual Microsoft Security Intelligence Report consistently indicates that Windows XP SP3 machines receive more than twice the number of malware infections as Windows 7 machines.

Since its release, cyber-intruders have discovered and exploited a number of vulnerabilities, some of which are able to compromise the security of an organization's network holdings without warning. When an exploit becomes known, Microsoft issues security bulletins or advisories which may also contain patches that must be installed in order to protect our networks. The delay between the discovery of a vulnerability and the design and implementation of a mitigation patch gives cyber-intruders time to exploit that vulnerability. Consequently, an organization's network could remain vulnerable for an extended period of time. After April 8, 2014, therefore, any newly discovered vulnerability will no longer be addressed by Microsoft and new patches to fix them will not be developed, thus increasing the likelihood of a successful cyber-incident on an organization's network.

External Security Threats

- Malware: increased from 1000 in 1996 to millions in 2012 and has become an online crime story. It includes computer threats such as viruses, worms, Trojans, exploits, backdoors, password stealers and spyware. Windows XP is 21 times more likely to be infected by malware than Windows 8.
- Vulnerability: Windows XP with SP3 is up to 56.5 times more vulnerable than Windows 8 RTM.
- Hacktivism: threat to business increased nearly 70% in H1 2012 versus H1 2011.
- Fake Virus Alerts: includes rogue software in the form of pop-ups which can infect computers if clicked and can spoof the Microsoft security update process.

Evolution of attacks

Rather than actively targeting remote services, attackers now primarily focus on exploiting vulnerabilities in client applications such as web browsers and document readers such as Acrobat. Such attacks (infections) can slow your machine to a crawl, and if they start sending spam or virus emails from your machine, your legitimate emails risk being refused by recipients' email servers because you have been blacklisted as a spammer. This can hamper or cripple business.

How the evolution of security threats impacts business

The way organizations and their employees use technology has changed dramatically in the last decade and unfortunately hackers have evolved too. The security risks you faced on your desktop more than a decade ago do not come close to today's threat landscape across a range of devices.
