A reader recently made an interesting point: Windows XP, in his mind, was the tech story of the decade. He's probably right. Microsoft has never made an OS of any kind with this lengthy a life cycle. XP has lived on in the face of two major upgrades, Windows Vista and Windows 7, both of which were designed to obsolete it. But the success of XP has a dark side as well. And with most businesses still standardized on this Windows version, XP's problems are starting to outweigh the benefits.
Part of the problem is that XP still ships with wildly outdated noncore technologies, many of which are becoming favorite targets of hackers. Key among these are Internet Explorer (IE) 6.0 and, less obviously, Adobe Flash Player 6.
I'd be surprised to discover that I needed to defend my contention that IE 6.0 is arguably the most dangerous software any business could have deployed throughout their environment today. But it bears repeating: The web is the number one vector of electronic attack, and IE 6.0 was built for a different decade and, more important, before Microsoft's Trustworthy Computing initiative. Put simply, it's just not safe to use.
The problem is that IE 6.0 is still widely used. And this is despite two major IE upgrades, IE 7.0 and IE 8.0, both of which are dramatically more secure and dramatically more functional. (These two newer IE versions aren't perfect, however. In the recent electronic attack on Google that emanated out of China, a vulnerability in IE 6.0, 7.0, and 8.0 was allegedly used. This begs a separate question: Does it make sense for any security-conscious business to use IE at all?)
So the possibilities of hacker attacks against IE aren't all that surprising. But many admins may not even realize that XP ships with a hugely outdated Flash version. In fact, it's so old that Adobe has shipped four major updates to the software since XP first arrived. It's now up to version 10.
Because multiple vulnerabilities in Flash 6 can be targeted by hacker attacks and result in remote code execution exploits, Microsoft recommends that XP users update to the current Flash version. Common sense, right? But in the upgrade adverse corporate world, I have no doubt that millions of machines will continue forward unprotected.
A new level of vigilance is required here because as OS vendors like Microsoft have done increasingly good jobs of protecting their customers, hackers have moved on to other attack vectors, including application software like IE, Microsoft Office, Adobe Reader, and Flash. The popularity of such attacks makes sense; each of these solutions is used by hundreds of millions of users every day.
But when businesses are only slowly updating the technologies installed on users' PCs—or not updating them at all—the situation is exacerbated. And the attack surface of your environment grows ever bigger.
I mentioned earlier that XP's benefits—compatibility, familiarity, performance, and, let's face it, the fact that it's often already paid for—will soon be outweighed by problems inherent to using an OS that's almost a decade old. These problems become all the more dangerous when combined with hackers' new emphasis on unpatched applications.
The obvious way to mitigate many of the resulting problems is to upgrade. But as you're all too well aware, upgrading comes with its own problems, not the least of which are the financial, training, and support costs. But as we've discussed over the past few weeks, this is a unique moment in time, and the ideal time to not just change for change's sake, but to upgrade in ways that make sense. And that means reevaluating what's installed on users' computers, which cloud computing services you can perhaps take advantage of, which systems can be virtualized and centrally controlled, and so on.
But at the very least—that is, working within the confines of the systems you currently use—please be sure to thoroughly evaluate the software solutions you have running within your environments and ensure that they're all at least updated with the latest security fixes. We can't all handle electronic attacks as well as Google apparently did in the recent Chinese situation. But we can at least do the minimum.