Industry Perspectives Blog

Windows XP: If You Cannot Patch, Catch

More than 12 years after its initial launch and five years after its most recent major update (Service Pack 3), Microsoft is finally ending support for Windows XP. The upshot: Microsoft will release no additional updates for the antiquated OS. No more updates means no more security patches or bug fixes, leaving systems still running XP more vulnerable to viruses and cyber attacks.

If you are one of those CIOs who isn’t ready to move away from Windows XP, then you might have four questions:

  1. How much more vulnerable will my XP systems be? A little? A lot?
    Quantifying the risk of using Windows XP is difficult, especially when it comes to vague metrics such as “more vulnerable.” But history often repeats itself, including in the field of security. So let’s see what history tells us. By Microsoft’s own estimate, systems running Windows XP Service Pack 2 were two-thirds more likely to be infected after the software maker dropped support in 2010.

    Attackers love software that isn’t patched often. They can attack it at leisure without getting locked out by security patches from the vendor. Don’t let the silence before the storm fool you — attackers will most likely start reserving their XP-related zero-day exploits for the end-of-life date (April 14), when they essentially become perpetual vulnerabilities.
  2. I have only a handful of XP systems. Should I still be worried?
    Absolutely. You can’t rest easy, because desktop and laptop computers are a rabbit hole. Break in to just one of them, and chances are that the bad guys can find their way around to other systems, including your crown jewels. Windows domain membership, local caching of passwords, and privileged credentials of helpdesk users are some of the most common (and unavoidable) reasons why attackers are able to spread to other systems in your network. So as long as you have even one XP system connected to the rest of your network, you should be concerned. And the problem goes beyond just Windows. Take Java, for example. In mid-2013, Oracle stopped supporting Java version 1.6. But many systems still continue to use this version of Java, which has many published vulnerabilities — and attackers love it. FireEye knows, because every day we protect our customers around the world against these very Java attacks.
  3. My other security controls are tight. Should I still be worried?
    Unfortunately, very few controls safeguard against unpatched vulnerabilities, and they are often difficult to manage. Your intrusion detection and prevention systems will also be mostly ineffective against Windows XP attacks, because they are signature-based and therefore unable to detect and protect against such zero-day attacks.
  4. So what are my options?
    The best option would be to phase out XP and move to a current version of Windows. If business reasons compel you to stick with XP SP3 in the meantime, then your best bet is to use signature-less technology that can identify the zero-day attacks against unknown, unpatched vulnerabilities that will continue to crop up in Windows XP. One such technology is the FireEye platform, which uses the patented Multi-Vector Virtual Execution (MVX) engine to accurately identify new attacks (including zero-day attacks) to protect your systems in real time. This technology is so effective that it has enabled FireEye to discover more zero-day attacks in 2013 than all other security companies combined.

Keeping your systems up-to-date with the latest patches is the ideal. But sometimes, that goal is just not possible. For business reasons, older operating systems may linger in your environment. Or third-party tools running in your network may break when new patches are installed. Therefore, detecting advanced attacks against your IT environment is critical. Often, it is the only way to protect against today’s sophisticated, determined threat actors.

The FireEye platform extends this protection to your newer software — including current versions of Windows, Adobe products, and Java — which remain prone to infection too. In fact, the benefits of the lower infection rate in these products are often far outweighed by the higher exposure due to a larger install base.

So if you are still relying on legacy signature-based solutions to protect your systems, it’s time to call FireEye.