‘Windows XPocalypse’ and Security by Tim (TK) Keanini


Technical support and automatic updates for Windows XP will end next Tuesday, April 8. This has brought up some concerns around security, as patches for known issues were previously delivered via the soon-to-be defunct automatic updates. What does this mean for Windows XP users?

The Basics

First, it is important to note that on April 8th, only a few variants of the XP operating system will reach End-of-Support. End-of-Support means that there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates. Further details can be found on Microsoft’s web site, but I will summarize the changes here.

The systems that people must worry about are:

  • Windows XP Home Edition
  • Windows XP Media Center
  • Windows XP Professional
  • Windows XP Tablet PC Edition

When it comes to embedded systems (non-desktop versions of XP), the only one that people need to take urgent action on is Windows XP Professional for Embedded Systems. This product is identical to Windows XP, and Extended Support will end on April 8, 2014. If you have an XP variant for which support is ending on 4/8/14, you need to treat it as if it were already dead and move quickly to get it replaced. Pretend that it caught fire, and you will be moving with the right amount of urgency.

Here are some other variants of Windows XP that are going to receive updates after 4/8/2014. Organizations should still be planning now for cutovers on these systems.

  • Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016.
  • Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on Jan. 8, 2019.

Point of Sale Systems

It turns out that Point of Sale (POS) systems run two types of Windows Embedded platforms, but those End-of-Support dates are not until 4/12/2016 and 4/9/2019. Businesses should, however, take immediate action to identify which version they have and put in motion a plan to migrate well before these deadlines. These systems include:

  • Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. It is built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016.
  • Windows Embedded POSReady 2009. This product for Point of Sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and Extended Support will end on April 9, 2019.

Since POS systems deal with such sensitive information and have become such big targets for attackers, retailers should definitely already be working with vendors to plan for these upgrades to ensure that there are no lapses in security. Some have asked if retailers should switch from traditional POS systems to wireless tablets and smart devices to increase security. However, this is not an effective defensive strategy, as the adversary is able to find weaknesses in all information technology. The best strategy is to maintain diligent and vigilant security measures for whatever systems a retailer is using to take payments.

Security Vigilance

As businesses leverage information technology to remain competitive and grow, there is an equal responsibility to manage the security of this infrastructure. An accurate inventory and maintenance schedule is fundamental, and if a business or technology partner does not know the End-of-Support schedules for critical devices, bad things are certain to happen.

Businesses need to know the End-of-Life/End-of-Support schedule not only for all of the items on their own asset list, but also for the systems used by partners. If you have partners with technology, or you are using a Value Added Reseller, ask them to produce a monthly report of their applications or appliances that are coming up for End-of-Life/End-of-Support in the next 24 months. Stay ahead of the game and minimize surprises.
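One way to produce the 24-month End-of-Support report described above, as an added example that is not part of the original article. The dates are the ones listed on this page; the inventory, hostnames, "VendorOS" and all function names are constructed for illustration.

```python
import calendar
from datetime import date

# End-of-Support dates exactly as listed in the article above.
EOS = {
    "windows xp home edition": date(2014, 4, 8),
    "windows xp media center": date(2014, 4, 8),
    "windows xp professional": date(2014, 4, 8),
    "windows xp tablet pc edition": date(2014, 4, 8),
    "windows xp professional for embedded systems": date(2014, 4, 8),
    "windows xp embedded sp3": date(2016, 1, 12),
    "windows embedded standard 2009": date(2019, 1, 8),
    "windows embedded for point of service sp3": date(2016, 4, 12),
    "windows embedded posready 2009": date(2019, 4, 9),
}

# Constructed sample inventory (hostnames and "VendorOS" are made up).
INVENTORY = [
    ("till-01", "Windows Embedded POSReady 2009"),
    ("till-02", "Windows Embedded for Point of Service SP3"),
    ("kiosk-07", "Microsoft Windows XP Professional for Embedded Systems"),
    ("hr-pc-12", "Windows XP Professional SP3"),
    ("hmi-03", "Windows XP Embedded Service Pack 3"),
    ("cam-dvr", "VendorOS 4.2"),
]

def lookup(product):
    """Return the EoS date for an inventory string, or None if not on file."""
    name = product.lower().replace("microsoft", "").replace("service pack ", "sp")
    name = " ".join(name.split())
    # Longest matching prefix wins, so the embedded edition is matched to its
    # own entry rather than to plain "Windows XP Professional".
    hits = [k for k in EOS if name.startswith(k)]
    return EOS[max(hits, key=len)] if hits else None

def add_months(d, months):
    """Shift a date by whole months, clamping the day (31 Aug + 6 -> 28 Feb)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def eos_report(inventory, as_of, window_months=24):
    """Rows of (host, product, eos, status), most urgent first."""
    horizon = add_months(as_of, window_months)
    order = {"UNSUPPORTED": 0, "UNKNOWN": 1, "DUE": 2, "OK": 3}
    rows = []
    for host, product in inventory:
        eos = lookup(product)
        # UNKNOWN means no schedule on file, which is itself a finding.
        status = ("UNKNOWN" if eos is None else "UNSUPPORTED" if eos <= as_of
                  else "DUE" if eos <= horizon else "OK")
        rows.append((host, product, eos, status))
    return sorted(rows, key=lambda r: (order[r[3]], r[2] or date.max))

if __name__ == "__main__":
    for host, product, eos, status in eos_report(INVENTORY, date(2014, 4, 8)):
        print(f"{status:<12}{host:<10}{str(eos or 'no schedule'):<14}{product}")
```

Run as of April 8, 2014, the Point of Service SP3 till falls four days outside the 24-month window and only shows as DUE in the following month's run, which is why the report needs to be regenerated monthly rather than once.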
