Upgrade, or else: Microsoft's opportunistic approach

Upgrade, or else: Microsoft's opportunistic approach

Upgrade, or else: Microsoft's opportunistic approach
Microsoft’s technical support or security patches and updates for the Windows XP operating system, which the company introduced in 2001, expired on April 8, 2014. 

Users of Microsoft Windows XP have been given two options — either switch over to later versions of the operating system or seek Microsoft’s extended support for an additional period of 15 months. 

Microsoft’s extended security update option is not low-cost for most organisations. 

The UK government recently signed such a deal that cost almost £5.6 million. 

Beyond the cutoff date, those who continue to rely upon Windows XP will do so at their own peril. 

According to Microsoft’s notification, it is very important for customers and partners to migrate to a modern operating system. 

The available Microsoft options are Windows 7 or Windows 8.1.
The notification adds that support for Office 2003 will also end by the same date. 

Microsoft goes on to say that systems running Windows XP after April 8, 2014 should be considered as not protected. 

In other words, persisting with the use of Windows XP beyond the deadline could result in increasing the cyber security risks, as no new security patches for vulnerabilities would be available. 

A report in ComputerWeekly.Com quotes Tim Rains, director of Trustworthy Computing at Microsoft, as saying that between July 2012 and July 2013, 30 vulnerabilities were discovered in the operating systems that were common to Windows XP.

This highlights the inherent high risks to all users of information technology systems and especially to critical infrastructure industries and segments. 

The implied meaning is, either upgrade to a newer operating system or buy a new computer.  

Challenges of migration

However, there are challenges in migrating to a new system, especially in the case of critical infrastructure control systems. 

Compared to enterprise applications where potential disruptions are manageable, the challenges of migrating to a new computer or upgrading the operating system to Windows 7 or 8.1 are more serious, especially in industrial control applications, which demand low downtime.

Often, migrations would call for redeveloping control applications involving extensive efforts, interoperability testing to ensure that the software works and is compatible with legacy subsystems and unbudgeted expenses. 

Continuing to depend on Windows XP beyond the support cutoff date has serious implications, as without support, the system may become easier to hack in, resulting in potential disruptions in service or other serious consequences. 

The other caveats are additional need for hardware upgrades, if existing hardware does not meet system requirements, and the possibility of hardware manufacturers stopping support to Windows XP on existing or new hardware. 

This could mean non-availability of drivers required to run Windows XP on new hardware. 

The announcement that Windows 7 mainstream support and extended support end by January 13, 2015 and January 14, 2020 respectively adds further pain to end users. 

According to Net Applications.com, Windows XP accounts for more than 30 per cent of all operating systems deployed. 

Critical infrastructure industries and sectors such as electric and water utilities, oil and gas pipelines, transportation, banking (including ATM machines) and others rely extensively on Windows XP. 

Hackers may discover and exploit some such or other vulnerabilities in unsupported systems. 

Such a possibility is real; according to some reports, almost 95 per cent of bank ATM machines globally stand exposed to potential hacking.  Windows XP has codes similar to Windows 7 and Windows 8. 

Therefore, some of the bugs that Microsoft may identify in future as part of its technical support could possibly exist in Windows XP. 

Hackers could exploit those potential vulnerabilities and such a possibility would leave Windows XP users defenceless. Microsoft’s Timothy Rains has corroborated this. 

In its report “End of Windows XP support puts ATMs at risk”, the Financial Times quotes Timothy Rains of having said at a recent computer security conference in San Francisco “The probability of attackers using security updates for Windows 7, Windows 8, Windows Vista to attack Windows XP is about 100 per cent.” 

A recent alert issued by the Federal Financial Institutions Examination Council highlights the enormity of the problem ATMs face. 

The FFIEC alert says that in a recent attack, nicknamed 'Unlimited Operations', hackers netted more than $40 million with the use of just 12 debit card accounts. 

According to the alert, cyber attacks against banks that use Web-based ATM control panels are on the rise and thieves are changing the controls on ATMs that enables practically unlimited withdrawals. 

Shifting the focus from ATM and financial sector applications, there are control systems operating critical infrastructure industries, such as electric utilities and others, which extensively use Windows XP as the operating system. 

Even though recent versions such as Windows 7 and Windows 8.1 have made their entry into control system applications, Windows XP has remained the dominating operating system for almost a decade. 

Industrial control applications have long lifecycles of 15-20 years and if it isn’t broke, don't fix it is the common practice.
Possibility of cyber attacks

The extent of damage cyber attacks can wreak on industrial control systems has been spelt out by US President Barack Obama in an article in the Wall Street Journal: "In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home." …. 

"Taking down vital banking systems could trigger a financial crisis. 

The lack of clean water or functioning hospitals could spark a public health emergency… the loss of electricity can bring businesses, cities and entire regions to a standstill." 

Subsequently, the President issued Executive Order 13636 on February 12, 2013 for improving Critical Infrastructure Cyber Security. 

Section 1 of the Executive Order relating to policy says, “The cyber threat to critical infrastructure represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the nation’s critical infrastructure in the face of such threats.” 

While hacking relating to privacy issues, ATMs and credit card frauds, and such others are widely known, the same thing is not true of industrial control system cyber attacks. 

Lack of awareness persists among stakeholders. Even though less widely known, the ramifications of ICS cyber attacks on critical infrastructure industries are far more critical, especially from the national perspectives. 

US Defense Secretary Leon E Panetta, highlighting the destructive possibilities of such attacks, said, “An aggressor nation or extremist group could use these kinds of cyber tools to derail passenger trains, contaminate water supply in major cities, or shut down the power grid across large parts of the country.” 

Stuxnet is a computer malware that targeted industrial sites in Iran – a uranium enrichment plant — that uses Microsoft Windows machines and networks as part of industrial control systems and caused them to malfunction. 

Stuxnet is the first known malware to explicitly attack industrial control systems and in the reported case of an Iranian nuclear facility, it destroyed centrifuges. 

Duqu, on the other hand, gathers information rather than interfere with industrial operations. 

Flame targets computers running the Microsoft Windows operating system and can record audio, screenshots, keyboard activities, and network traffic. 

According to experts, this data along with locally stored documents is sent to one of several command and control servers scattered around the world. 

The program then awaits further instructions from these servers. 

A virus called Shamoon attacked computer Saudi Aramco’s computer systems that resulted in shutdown of the company’s internal corporate network, disabling employee e-mails and Internet access.

This decision to withdraw support and nudge loyal customers either to migrate to new operating systems or to seek extended support at additional cost may make perfect sense to Microsoft from a business perspective. 

However, it must be disappointing for Microsoft customers. 

They would have expected Microsoft’s former chairman, who had earlier sent out a message about software security, emphasising that the way forward is ‘Trustworthy Computing’, to live up to his promise. 

Undiscovered vulnerabilities

Besides, Microsoft customers would be wondering why an operating system which has been in the market for well over a decade should continue to have serious undiscovered vulnerabilities.

On the one hand, many users are not able to place the liability on software suppliers for vulnerabilities in their offerings, while on the other, suppliers do not care to address the question. 

Information technology suppliers almost assume that they by right can introduce software products into the market with inherent vulnerabilities to be fixed later through patches and security upgrades.

Ironically, Microsoft issued an Advance Notification on April 3, 2014, according to which the company plans to release four vulnerability bulletins for Windows XP and Office 2003 on April 8, with two of them rated critical and the other two as important.

Such liberties are not available for brick and mortar industrial companies, such as automobile suppliers or pharmaceutical. 

A recent Bloomberg report ‘GM Widens Ignition Recall by 971,000 to 2.59 Million Cars’, is a good example of how they are held liable. 

Mary Barra, chief executive officer of GM, is set to appear in congressional hearings to explain and fix responsibility for faulty ignition switches in GM cars. 

Contrast this with the way Microsoft makes repeated announcements about vulnerabilities in its products.

Get a round-up of the day's top stories in your inbox

Check out all newsletters

Get a round-up of the day's top stories in your inbox