Cybercrooks expected to step up Win XP SP2 attacks

update Organizations still running Microsoft's Windows XP Service Pack 2 (SP2) on their workstations should upgrade to a supported version as cybercriminals could focus more attacks on the older OS version, according to observers in the security field.

Cybercrooks are expected to do so in efforts to exploit the end-of-support status of Windows XP SP2 on Jul. 13, when machines running the operating system (OS) will no longer receive software updates such as updated drivers or security patches, from Microsoft.

According to Net Applications, Windows XP accounts for 62.4 percent of the worldwide OS market. Qualys CTO Wolfgang Kandek added in a May 28 blog post that about half of all enterprise Windows XP installations are running SP2.

Microsoft on Jul. 13 also stopped support for Windows 2000. However, Net Applications statistics indicate the OS has just 0.45 percent market share.

To add to the worrying stats, just days after Microsoft retired support for Windows XP SP2 and Windows 2000, the software vendor announced that a vulnerability in Windows Shell could allow an attacker to perform remote code execution. Kandek said in a follow-up blog post that the two OSes were likely also affected despite the lack of mention from Microsoft.

No support bodes well for hackers
Graham Titterington, principal analyst at Ovum, noted the end-of-support phase for Windows XP SP2 will encourage cybercrooks to attack XP SP2 "because once they find a vulnerability, they can go on exploiting it indefinitely".

To mitigate the risk, organizations should "immediately" upgrade to a supported version of Windows, he said in an e-mail. "In fact, they should have done so already," Titterington said.

Further down the road, as more businesses move to an OS that is supported with regular updates, cybercriminals would likely shift their targets to home PCs, very small businesses as well as those running counterfeit copies of unsupported OSes, added Titterington.

Richard Sheng, regional director for business development and product marketing at Trend Micro, concurred.

In an e-mail, he pointed out that creating malware specific to Windows XP "will definitely pay off" as the OS has a significant user base.

"News [of the retirement of support for Windows XP] will just boost the motivation of cybercriminals since XP will be more vulnerable than ever," Sheng said.

Compared to Windows XP SP2 users, who can be easily upgraded to the supported SP3, organizations that have yet to migrate from Windows 2000 are at greater risk, he noted.

Based on a recent survey of Trend Micro's enterprise customers, over 50 percent ran Windows 2000 in their production environment while 28 percent indicated they would continue to run the OS after support for it ends on Jul. 13, 2010.

"Most of those surveyed have the desire to move to a supported OS, however, they are unable to upgrade because of custom applications that may not run in a newer OS, and they don't have the budget or the developers to help with the migration," Sheng said.

He noted that there is "really no substitute" to upgrading to the latest security patch. Citing the analogy of a patient whose doctor advises him to undergo surgery to close up a wound or risk infection, he said companies that procrastinate in moving to a supported OS "will end up fighting a losing battle in preventing infection and will eventually end up losing from both a financial and a security standpoint".

He acknowledged, however, that some enterprises may face constraints in migrating to a new OS or upgrading to a different version. These include organizations in the manufacturing and medical sectors, where even minute changes could adversely affect a system's functions and lead to monetary losses.

Such organizations, said Sheng, may opt for a "virtual patch" which he noted is a temporary fix. They should also isolate systems running out-of-support OSes from the rest of the network to minimize the possibility of an exploit.

Titterington added that there is still "a lot of IT illiteracy" in the enterprise community, particularly among smaller organizations.

"There are bound to be many laggards," he said. "The problem will only be completely solved when old PCs are retired and replaced with systems running a newer version of the OS."

He noted that businesses that currently have older hardware may face problems migrating to new OSes due to processor power and memory. Instead of opting for the most current Windows 7, these companies may find it more appropriate to upgrade to Windows XP SP3, Titterington suggested.