Microsoft to end security support for Windows XP Service Pack 2

May 12th, 2010

In a move that raises the risk profile of millions of computing devices globally, Microsoft says it will no longer shore up security weaknesses in computers using Windows XP Service Pack 2 and Windows 2000 operating systems. Such desktop PCs and servers are still widely used in corporate networks globally.

And as anyone paying attention knows, infected PCs in corporate settings are in high demand by cyber gangs controlling the botnets driving all forms of cybercrime. Botnets are used to spread spam, steal data, hijack online bank accounts, commit click fraud and conduct denial-of-service attacks for extortion or political reasons.

The software giant announced Tuesday that it will stop supporting computers using those older operating systems as of July 13th. Service packs contain major security and reliability upgrades.

Global exposure

Qualys estimates 50% of Windows XP machines used by businesses are SP2 machines. Qualys manages computer upgrades for over four thousand corporations, government agencies and large organizations worldwide, as well as small- and medium-sized businesses.

“No new security patches for Windows XP SP2 means that users will not get updates to the core operating system and its components,” says Qualys CTO Wolfgang Kandek. “The overall effect will be that the machine becomes increasingly susceptible to attacks from malicious software.”

Most XP machines in U.S. homes are running with the more recent Service Pack 3. That’s because most U.S. consumers enable Windows auto update, the online service Microsoft uses to automatically push out security fixes to consumer PCs.

However, Gunter Ollmann, VP of research at Damballa, notes that Windows XP SP2 and Windows 2000 are deployed extensively in computing devices as embedded operating systems that are difficult to update. He says many solenoid devices, such as those used in the petrochemical and water and gas industries, are still shipped with these old operating systems.

“Unfortunately they’re also prime candidates for compromise via worm-based malware – in particular botnets and other persistent threats,” says Ollmann.

Ollmann, a leading expert on the activities of botnet gangs, says he expects the major gangs to be “unaffected or simply not care about this recent news.” The primary reason, he says, is because “their malware agents are more than capable of operating upon newer operating systems and have already been proven to be backwardly compatible with XP SP2.”

Update to SP3 — or buy Windows 7

Microsoft issues security updates on the second Tuesday of each month, known as Patch Tuesday. Corporate users typically install service packs and security patches manually, only after extensive testing, says Jason Miller, data and security team manager at Shavlik Technologies.

“We frequently speak with IT administrators who are running Windows XP SP2 on many machines in their network, and this will affect many businesses across the globe,” says Miller. “For a variety of reasons, mainly resources and cost, many businesses still run older versions of Operating Systems and service packs in their environments.”

Miller says upgrading to the latest service pack level is definitely not a simple task for most organizations, especially “for those companies with many machines spread across the globe and not readily accessible. Examples of these types of hard-to-manage devices include ATM machines and point of sale devices like cash registers at your local Home Depot.”

Microsoft spokeswoman Alison Dwiggins declined to supply an estimate of how many Windows XP SP2 PCs and Windows 2000 servers remain in business-use globally. “As you know, we don’t break out the install base,” she wrote in an email reply to questions submitted by Technology Live.

Microsoft recommends that its customers buy new Windows 7 PCs. Alternatively, XP SP2 users can install Service Pack 3. The procedure is described here. Asked to characterize the go-forward risks of using Windows XP SP2 PCs, Dwiggins replied:

Per the Microsoft support lifecycle policy, Microsoft will no longer provide support or updates (including Security Updates) for the versions of Windows that have reached the end of support. Installation of the most current service pack and all available Security Updates (at a minimum) is recommended to ensure that available security protections are in place for a Windows computer and to prevent the spread of malicious software to other computers.

Shavlik’s Miller recommends that corporate users bite the bullet and replace their older machines with new Windows 7 units.

“Companies choosing to not adhere to vendor support lifecycles presents a risk to a network as vulnerabilities exist that can lead to virus outbreaks, breaches in security and potential loss of data,” says Miller. “The longer Microsoft continues to support legacy products and applications, Microsoft and its customers will suffer as they will spend effort and energy supporting legacy code instead of ultimately developing new technologies and security measures.”

By Byron Acohido