Introduction

After 12 years, support for Windows XP ends today, April 8, 2014. That means there will be no more security updates or technical support for Windows XP. So XP has officially died, but millions of computers with this operating system installed are still "alive" and, from now on, are unprotected against new threats; these are the Zombies-XP. Even thousands of ATMs and other critical infrastructure systems will keep using this OS for a while, and nobody knows for how long...

And what is the advice from Microsoft? We have two options.

1. To upgrade to a newer Windows operating system like Windows 7 or Windows 8.1.

2. "If your current PC can't run Windows 8.1, it might be time to consider shopping for a new one."

Sure, we should upgrade to the latest Windows OS. If our hardware doesn't support it, we should buy a new computer (or hundreds of them, in the case of some companies), install Windows 8.1, work hard to transfer all the data from one computer to another, teach the users to use Windows 8.1, etc... Or maybe it is a great opportunity to move to a free Linux operating system, but that is another issue...

This post is focused on users or companies who cannot upgrade to the latest Windows OS for different reasons: not being able to afford new computers, depending on old software which is not capable of running on another OS, not having enough staff to perform the upgrade, etc...

The main threats we need to deal with

First of all, we need to keep in mind the attack vectors we have to defend against.

  • Browser-based attacks. I think these are the most common attacks at this moment. A malicious website can exploit a web browser vulnerability when the user simply visits it. In the same way, a website can exploit a plugin enabled in the web browser, like the Java or Adobe plugins.

  • Network exploits. New worms could be designed to exploit the Windows XP services running on a computer. Since these services will no longer be patched, a worm that exploits a newly discovered vulnerability will keep working long after that vulnerability becomes public.

  • Social engineering techniques. These techniques try to trick a user into opening a link in an email or opening an attachment that claims to be a PDF or some other "legitimate" file in order to infect the machine. Look at the case of the Siesta Campaign.

These attack vectors are common to other operating systems too, but they are really dangerous when the OS in use will receive no security updates in the future. We will be vulnerable to zero-day threats (which is common to all OS) and also to known threats, because without security updates the vulnerabilities mentioned above can never be fixed.

Suggested solutions

Here are some suggestions to keep an environment that still uses Windows XP more secure.

  • Most antivirus software manufacturers plan to support Windows XP until at least April 2016. So try not to select one which stops supporting XP before that date.

  • Choose a web browser with a long-term support plan, like Google Chrome, which extends support for XP users until April 2015. On the other hand, Mozilla's Vice President said: "We have no plans to discontinue support for our XP users", so consider using this browser too.

  • Try not to use plugins in your browser like Java, Adobe Reader, Adobe Flash... but if you need them, make sure they are updated (if updates are available). I use this site to check whether my browser plugins are up to date.

  • Don't use administrative accounts for daily work. Most exploits targeting desktop software (like the web browsers and plugins mentioned above) are mitigated if the user account is a standard user.

  • Isolate your Windows XP computers in separate subnetworks behind your network firewalls. That is really important, because your XP machines are already vulnerable, and once one is infected it will be used by attackers to pivot to other systems in your network and try to get access to your data and network resources.

  • Monitor these isolated networks to find suspicious activity. Watch the network traffic for possible command and control connections, an increase in network activity, internal probing, brute force attempts coming from these networks, etc...

  • Limit access to the Internet. It is really important not to give your users full access to the Internet. You can use proxy rules or URL filtering in your firewall devices. Just give access to the sites needed for work. We want to avoid websites hosting exploit kits or other kinds of attack. Yes, I know, legitimate sites get hacked and begin to spread malware, as in the case of the attack on php.net, but we reduce the risk by limiting access to other sites.

  • Teach your users to be careful. Every user could be targeted by a social engineering attack. No matter the position of the employee, each computer is a good entry point for pivoting into your network. Advise them to check, and be suspicious of, each email they receive. If they have doubts, they must ask the security department.
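As an added example (not part of the original post), here is a small Python script that applies the isolation and monitoring advice above to a firewall log: it flags XP hosts that contact the Internet directly instead of through the proxy (possible command and control), that probe many unexpected internal destinations, or that hammer an internal authentication service. The subnet, the allowed destinations, the thresholds and the log lines are all constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed isolation policy (all values constructed): XP hosts sit in 10.20.0.0/24 and
# may reach only the web proxy 10.0.0.5:3128 and the file server 10.0.0.10:445.
XP_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_INTERNAL = {("10.0.0.5", 3128), ("10.0.0.10", 445)}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTH_PORTS = {445, 3389}      # services typically hammered by worms and brute forcing
PROBE_THRESHOLD = 4           # distinct unexpected internal targets from one XP host
BRUTE_THRESHOLD = 3           # repeated attempts from one XP host at one auth service
# Constructed firewall export, one connection per line: time,src,dst,dport,action
SAMPLE_LOG = """\
09:00:01,10.20.0.12,10.0.0.5,3128,allow
09:00:02,10.20.0.12,10.0.0.10,445,allow
09:00:05,10.20.0.33,198.51.100.7,443,allow
09:00:07,10.20.0.33,10.0.1.1,445,deny
09:00:07,10.20.0.33,10.0.1.2,445,deny
09:00:08,10.20.0.33,10.0.1.3,139,deny
09:00:08,10.20.0.33,10.0.1.4,3389,deny
09:00:10,10.20.0.40,10.0.0.20,3389,allow
09:00:11,10.20.0.40,10.0.0.20,3389,allow
09:00:12,10.20.0.40,10.0.0.20,3389,allow
"""

def analyse(log_text):
    """Return {xp_host: sorted findings} for traffic that breaks the isolation policy."""
    egress, probes, brute = set(), defaultdict(set), Counter()
    for line in log_text.splitlines():
        _, src, dst, dport, _ = line.split(",")
        dport = int(dport)
        if ipaddress.ip_address(src) not in XP_SUBNET or (dst, dport) in ALLOWED_INTERNAL:
            continue                      # not an XP host, or traffic the policy permits
        if not any(ipaddress.ip_address(dst) in net for net in RFC1918):
            egress.add(src)               # Internet contact bypassing the proxy: possible C2
            continue
        probes[src].add((dst, dport))     # unexpected internal destination
        if dport in AUTH_PORTS:
            brute[(src, dst)] += 1
    findings = defaultdict(list)
    for src in egress:
        findings[src].append("direct-internet")
    for src, targets in probes.items():
        if len(targets) >= PROBE_THRESHOLD:
            findings[src].append("internal-probing")
    for (src, dst), n in brute.items():
        if n >= BRUTE_THRESHOLD:
            findings[src].append("brute-force:" + dst)
    return {src: sorted(hits) for src, hits in findings.items()}
```

Running `analyse(SAMPLE_LOG)` reports 10.20.0.33 for direct Internet access and internal probing and 10.20.0.40 for repeated RDP attempts against 10.0.0.20, while the host that only used the proxy and the file server produces no finding.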