Handling Windows XP End-of-Support – Feed it, kill it, but don’t starve it.
As you all know by now, on April 8th 2014, Microsoft will stop supporting some variants of XP (details in this other blog post). The software industry for years has operated this way with every system on your network having a predetermined service life, but given the current threat landscape, I would like to propose a change. You see, the problem is that come 4/8/2014, all of these systems that are End-of-Support will continue to work just as they did on days and years prior. This is a big problem because people don’t change their behavior when things are business as usual.
What I’d like to see happen when any information technology reaches End-of-Support – meaning no fixes will be issued for newly found security vulnerabilities – is that it stops working. That’s right, kill it! Having an End-of-Support/End-of-Life technology alive and connected to the Internet makes it a liability for everyone online. It is called End-of-Life for a reason, and what I want to see happen is for the vendor to literally end the technology’s life. One of the rules in my personal playbook is: Feed it or kill it, but never starve it. Complex and dynamic systems do not deal with this lingering state very well, and it is time we make a change in how we handle the service life of a product.
Traditionally, the retirement phase of a product’s service lifecycle begins with the announcement of the End-of-Sale (meaning you can no longer purchase the product), followed by a period of time known as the End-of-Life that ultimately ends with the End-of-Support date when no more updates will be released. This is a critical stage for close-sourced products, because no one other than the vendor can issue fixes, and that vendor just told you they will never issue another update no matter what. Right here, kill it please. The implementation of this new policy must happen early in the service life, but if done well both technically and socially, the world will be a safer place because the right expectations and events will drive the right behavior.
No product should be online if there is no opportunity to fix newly found vulnerabilities. We have a problem on the Internet where a patch is available and yet people are still irresponsibly running old versions. At least in these situations, remediation is available via an update, but when there is no update, my position is that the technology should be killed immediately.
These expired versions of Windows XP will continue to work, and trust me, they will be targeted by attackers because what better investment can the adversary make? If they spend a week to develop a new exploit, they get to use it on expired technologies until the end of time, as no patches will ever fix it.
You can ask customers politely and even urgently to upgrade, but until their current version stops working, or worse, is part of a security-related catastrophe, they will typically do nothing. The reason Y2K drove a change in human behavior was because on that date, old code was going to fail – there was a clear and significant event approaching. On April 8th 2014, customers’ Windows XP systems will work just like they did on days prior. I predict that End-of-Support XP systems will still be on the Internet and will be used for botnets and other supply-side resources for adversaries.
Consider this problem five or ten years into the future when millions of devices brought on by the Internet of Things are allowed to remain online after their End-of-Support date. We cannot afford this, people! The change I’m pushing is good for everyone because Internet security is everyone’s problem.