Rest in Peace, Windows XP

XP Eulogy

TK Keanini

Friends, Romans, countrymen, lend me your ears. Today, April 8, 2014, marks a significant day in history as we bid farewell to Windows XP. I, TK Keanini (@tkeanini), would like to pay my deepest respect to XP in this eulogy, which I hope resonates with you so that you share it with others.

Windows XP, born in August 2001, is remembered today for its contributions to information security. In a memo Bill Gates published on January 15, 2002, he made security the highest priority for Microsoft worldwide. XP heard the call, and in its lifetime delivered three very significant service packs. In doing so, it set a new course for security features on a personal computer. I would like to highlight a few of them so that we all remember its significance as it is "shut down" one final time.

Let us remember that Windows XP was the first Windows to deliver a host-based firewall that was on by default on all network interfaces. The Internet Connection Firewall had shipped with the original release but was off unless you switched it on; Service Pack 2 (August 2004) renamed it Windows Firewall and enabled it on every interface out of the box. No such network protection was offered before, and this was a step in the right direction for network security. While it seems trivial today, it changed the way attackers carried out their tactics. Once unsolicited inbound connections were blocked at the desktop, attackers went from "pushing" their attacks to the victim to somehow getting the victim to "pull" the exploit to them, as we see today with phishing and watering hole attacks.

This change in directionality can be attributed in large part to an on-by-default firewall at the host level on every desktop. To see the effect, look at the Wikipedia entry on the timeline of notable computer worms: the release of XP Service Pack 2 is the demarcation point where worm activity takes a sharp fall, and we owe that to XP.

XP is remembered for offering a number of defensive enhancements designed to protect customers from methods of exploitation that were incredibly successful before it. Windows had for years been exploited through memory-corruption tricks, and something had to be done. In tandem with the Visual C++ compiler and linker, XP Service Pack 2 delivered:

  • /GS stack buffer overrun detection (a random security cookie placed between local buffers and the saved return address, checked before the function returns)
  • /SafeSEH exception handling protection (the image carries a table of legitimate handlers, and dispatch to a handler address not in the table is refused)
  • Data Execution Prevention (DEP), backed by the processor's No eXecute (NX) bit, so that data pages such as the stack and heap cannot be executed
  • Pointer encoding (EncodePointer/DecodePointer) for long-lived function pointers, so an attacker who can overwrite one cannot simply write a useful address
  • Heap corruption detection (heap entry cookies and safe unlinking of free-list entries)
  • Migration of buffer-overrun prone functions to safer, bounds-checked versions (the strsafe.h family and related safe string functions)

Two measures often listed alongside these, Structured Exception Handler Overwrite Protection (SEHOP) and address space layout randomization (ASLR), built on the same groundwork but arrived later, with Windows Vista and Vista SP1 / Windows Server 2008; XP never received them.

These measures did not end memory corruption, but they took the easy wins off the attacker's playbook. The plain stack buffer overrun that overwrites a return address, the staple of the worm era, now trips the cookie check or lands its payload in non-executable memory, and the attacker has to work considerably harder for the same result.
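To make the first and last items in that list concrete, here is an added example, written for this page and not code from the original post or from Microsoft, that emulates the /GS cookie check in portable C and sets an unbounded copy beside its bounded replacement. The cookie constant, the 16-byte buffer, the function names and the constructed inputs are assumptions for illustration; a real /GS cookie is random per process and the check terminates the process rather than returning a code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hand-rolled emulation of the /GS mechanism (added example, not Microsoft's
 * code). The compiler places a per-process random "security cookie" between a
 * function's local buffers and the saved return address, and the epilogue
 * checks it before returning. Here the cookie sits directly after a fixed
 * buffer inside one array, so an overrun stays inside a single object and the
 * program remains well-defined while still showing what the check catches. */

#define BUF_SIZE    16u
#define COOKIE_SIZE sizeof(uint64_t)

/* Assumed stand-in for the random value __security_init_cookie() derives at
 * process start; a real cookie must be unpredictable to the attacker. */
static const uint64_t security_cookie = 0x2B992DDFA23249D6ULL;

enum gs_result { GS_OK = 0, GS_COOKIE_CORRUPTED = 1, GS_TRUNCATED = 2 };

/* Emulated prologue: drop the cookie just past the buffer. */
static void gs_prologue(unsigned char *frame) {
    memcpy(frame + BUF_SIZE, &security_cookie, COOKIE_SIZE);
}

/* Emulated epilogue: compare the cookie with the original before "returning". */
static int gs_epilogue_ok(const unsigned char *frame) {
    uint64_t now;
    memcpy(&now, frame + BUF_SIZE, COOKIE_SIZE);
    return now == security_cookie;   /* /GS calls __report_gsfailure() on mismatch */
}

/* Pre-SP2 style: the input is copied with no regard for the buffer size.
 * The copy is capped at the frame size only so the emulation never writes
 * outside the array; a real strcpy() would keep going into the return address. */
enum gs_result copy_unchecked(const char *input, char *out, size_t outlen) {
    unsigned char frame[BUF_SIZE + COOKIE_SIZE];
    gs_prologue(frame);

    size_t n = strlen(input) + 1;          /* bytes strcpy() would write */
    if (n > sizeof frame) n = sizeof frame;
    memcpy(frame, input, n);

    if (!gs_epilogue_ok(frame))
        return GS_COOKIE_CORRUPTED;        /* the process would be terminated here */
    snprintf(out, outlen, "%s", (const char *)frame);
    return GS_OK;
}

/* SP2 style: the overrun-prone copy replaced by a bounded one, the pattern
 * behind the move to strsafe.h-style functions. The buffer is never overrun,
 * so the cookie check passes, and the caller learns that input was truncated. */
enum gs_result copy_bounded(const char *input, char *out, size_t outlen) {
    unsigned char frame[BUF_SIZE + COOKIE_SIZE];
    gs_prologue(frame);

    size_t len = strlen(input);
    int truncated = len >= BUF_SIZE;
    if (truncated) len = BUF_SIZE - 1;     /* leave room for the terminator */
    memcpy(frame, input, len);
    frame[len] = '\0';

    if (!gs_epilogue_ok(frame))
        return GS_COOKIE_CORRUPTED;
    snprintf(out, outlen, "%s", (const char *)frame);
    return truncated ? GS_TRUNCATED : GS_OK;
}

int main(void) {
    /* Constructed inputs: one that fits, one that overruns a 16-byte buffer. */
    const char *fits = "hello";
    const char *overrun = "AAAAAAAAAAAAAAAAAAAAAAAA";
    char out[64];

    printf("unchecked, short: %d (%s)\n", copy_unchecked(fits, out, sizeof out), out);
    printf("unchecked, long : %d\n", copy_unchecked(overrun, out, sizeof out));
    printf("bounded,   long : %d (%s)\n", copy_bounded(overrun, out, sizeof out), out);
    return 0;
}
```

The unchecked copy of the long input returns GS_COOKIE_CORRUPTED, which is the moment a /GS-compiled binary would abort instead of returning into attacker-controlled data; the bounded copy returns GS_TRUNCATED with the cookie intact. On MSVC the real mechanism is the /GS switch (on by default since Visual Studio 2005); GCC and Clang provide the equivalent with -fstack-protector-strong. The emulation above needs neither and compiles with any C99 compiler.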

XP Service Pack 2 (SP2) was the first to refuse anonymous (unauthenticated) remote access to most MSRPC interfaces by default, a behaviour controlled by the RestrictRemoteClients policy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC. Before this, an enormous amount of functionality was reachable by unauthenticated remote callers over remote procedure calls (RPC). While there is still more hardening to do, the defaults introduced in XP SP2 put us on the right track in reducing the attack surface.

Last but certainly not least, we have Automatic Updates. While the official record says that Windows ME was the first to deliver Automatic Updates, most of us remember it as an XP first, because XP introduced the Background Intelligent Transfer Service (BITS), a Windows service that downloads files in the background using idle network bandwidth, with no user interaction and with transfers that survive reboots and dropped connections. Internet of Things designers, take note. Please don't send us back to 2001 when it comes to security updates. Until updates are automatic and require little or no user interaction, they will not take place, and your device will be a liability to everyone on the Internet. Thanks, XP, for showing everyone the way.

It is now time to say goodbye to XP once and for all. No, seriously: put it behind you and stop running it right now. Starting today, April 8, 2014, there will be no more updates to XP, so from here on anyone running XP is a hazard to themselves and to those around them, which today means everyone on the Internet. Rest in peace, XP, and thank you for your contribution to information security.

Shout outs to @mmurray @oliverlavery @st0rmz @djtechnocrat and Bob Thomas for their support.

