Security warning for embedded Windows XP systems
Innominate Security Technologies in Berlin is warning users of industrial automation equipment based on XP that Microsoft Extended Support and Security Updates will cease entirely on April 8, 2014.
New Windows XP vulnerabilities continue to be identified. By early July, Microsoft had released 31 Windows XP-relevant security updates in 2013, 18 of them classified as critical, following 25 critical out of 39 total updates in 2012.
While the obvious solution might be to upgrade to a newer operating system, this may involve significant costs and interruptions. Software upgrades within an operating production network commonly encounter unintended and unanticipated consequences.
"I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails," said Tim Rains, director of trustworthy computing at Microsoft. "There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft."
"We see from data published in the Microsoft Security Intelligence Report that the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see," he said. "The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8."
Innominate says a simpler, less expensive approach has already proven successful in the automotive industry and on automated production networks running older systems, from Windows 95 to Windows 2000. It uses distributed security appliances based on Innominate's mGuard technology to protect non-patchable legacy systems on the network; the appliances can be installed by ordinary technicians without interrupting production and are configured and launched from a central server console. The result is low-cost hardening of these systems through the simple, transparent installation of plug-and-play modules wherever they are required.
To achieve this, mGuard Integrity Monitoring supervises file systems for unexpected modifications or additions to programs, dynamic link libraries and other executable code without using virus patterns, eliminating the need to keep such patterns permanently updated. Because it does not depend on signatures, it can even detect damage from zero-day exploits for which virus patterns do not yet exist.
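The signature-less approach described above comes down to a simple idea: record a cryptographic hash of every piece of executable code on the host while it is in a known-good state, then periodically re-hash and report anything added, removed or altered. The following is an added illustration of that idea written for this article; it is not Innominate's mGuard code and makes no claim about how mGuard is implemented. The set of file extensions treated as "executable code" and the constructed directory tree in `demo()` are assumptions made for the example.

```python
"""Signature-less integrity monitoring of executable code.

Added example for this article, not Innominate's mGuard implementation.
A baseline of SHA-256 hashes is taken over every executable file under a
directory tree; a later snapshot is diffed against it. Nothing here knows
what malware looks like, which is exactly why a previously unseen binary
or a patched DLL is still reported.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Assumption for this example: these extensions count as executable code on
# a Windows host. A real deployment would use the product's own policy.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".scr"}


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> SHA-256 for every executable file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of_file(full)
    return baseline


@dataclass
class IntegrityReport:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    modified: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(baseline: dict, current: dict) -> IntegrityReport:
    """Diff two snapshots. Any change to known executable code, or any new
    executable, is reported regardless of whether its content is recognised."""
    report = IntegrityReport()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report.added.append(path)
        elif path not in current:
            report.removed.append(path)
        elif baseline[path] != current[path]:
            report.modified.append(path)
    return report


def demo() -> IntegrityReport:
    """Constructed scenario: a tiny 'system' tree is baselined, then one DLL
    is altered, one new executable appears and a text file changes (the text
    file is ignored because it is not executable code)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        files = {                                   # constructed sample tree
            "system32/kernel.dll": b"MZ original kernel code",
            "system32/hmi.exe": b"MZ hmi application",
            "system32/readme.txt": b"not code",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated changes after the baseline was taken.
        with open(os.path.join(sysdir, "kernel.dll"), "wb") as f:
            f.write(b"MZ patched kernel code")          # modified -> reported
        with open(os.path.join(sysdir, "dropper.exe"), "wb") as f:
            f.write(b"MZ unknown new binary")            # added -> reported
        with open(os.path.join(sysdir, "readme.txt"), "wb") as f:
            f.write(b"changed, but not executable")      # ignored

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    r = demo()
    print("added:", r.added)        # ['system32/dropper.exe']
    print("modified:", r.modified)  # ['system32/kernel.dll']
    print("removed:", r.removed)    # []
```

In practice the baseline must be stored somewhere the monitored host cannot alter (the central console mentioned above is the natural place), otherwise an attacker who modifies a DLL can simply re-baseline it. The check is also only as good as its coverage: legitimate software updates will show up as "modified" and need an explicit re-baseline step, which is precisely the controlled change process an unpatched production network should have anyway.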