Protection in a Post-XP World

One of the industry’s most attacked and vulnerable OSes is finally coming to an end—it’s the End of Life (EOL) for Windows XP. Rest in peace my dear friend. You were a good partner in crime, and an even better adversary. If Windows 3.1 started my career in security, you laid the foundation for all that was to come. And now with XP’s EOL we can look forward to even more push-button hacking. For that—amongst many other things—thank you from the bottom of my heart.

But alas, with every pleasure there must also be pain, and the Windows XP EOL is both good and bad for attackers and users alike. For over a decade, Microsoft has persevered against all odds with Patch Tuesday vulnerability notices and subsequent software updates. It’s become the industry norm to responsibly disclose exposures to Microsoft and for them to fix (some of) them. Over time, this process has plugged many holes and produced one of the more stable application environments in mass computing history.

The Details

At this point, we’re all aware of the details surrounding XP’s EOL but here’s a quick recap:

Both XP Personal and Enterprise systems will stop receiving security updates—or any updates at all for that matter—as of April 8, 2014. Automatic updates to protect your XP PC are now an ancient relic. The same goes for Microsoft Security Essentials (MSE) as the company will no longer allow Windows XP users to download this software suite. If a user already has MSE on their system prior to the EOL, then it will continue working. Unfortunately its protection ability will immediately begin to diminish due to a lack of AV signature updates—the lifeblood of MSE.

As a result, the security world has been buzzing with talk of the “XPocalypse”.

“…unsecured XP machines of all kinds will be compromised by hackers to form new botnets. This kind of system, in which hacked systems' processors are put to new tasks unbeknownst to their owners, can be used for everything from massive Denial of Service attacks to mining cryptocurrency, and would add substantially to the insecurity of the Internet as a whole.” – Forbes

The real problem is that some organizations will and others will not be able to follow Microsoft’s remediation strategy: move to Windows 7 or 8. But the upgrade prescription is not a panacea. Upgrades can cause serious problems all by themselves. While more secure by design than XP, the new OSes suffer from gaps in legacy support in addition to introducing new risks—a natural consequence of “fresh code”. In the worst cases, the patches for new versions can unintentionally expose even more vulnerabilities in XP. As mentioned by ZD Net:

“As Microsoft Trustworthy Computing director Tim Rains pointed out last August, the company's own security updates for supported operating systems such as Windows 7 and Windows 8 involuntarily provide attackers with intelligence about flaws in older operating systems.”

Other organizations, however, can’t simply switch out XP—at least in the short term. In many cases, XP is embedded in other devices like ATMs and Point of Sale (POS) systems or manufacturing related ones like industrial robots or medical devices. For XP Embedded, Microsoft states it will continue support until 2017 . However generous that offer, the reality is that devices using XP Embedded never really update their software anyway—it’s too disruptive to the purpose of the device. Thus, these endpoints are extremely vulnerable since they are often not patched or at best, are patched infrequently.

A Hacker’s Playground

As if XP’s perpetual vulnerability isn’t bad enough, combine this with an unparalleled ease of exploitation and you get a virtual hacker playground for everyone from script kiddies to groups running Advanced Persistent Threat (APT) campaigns. Unlike the modern versions of Windows 8 with its integrated components, XP’s many weaknesses include the following (XP SP 3 with Internet Explorer 8 is assumed):

1. It lacks Structured Exception Handler Overwrite Protection (SEHOP), which protects against some of the common stack buffer overflow techniques on Windows.

    

2. It’s not compatible with the protections offered by Protected Mode and Enhanced Protected Mode browsing, which transparently implement the principle of least privilege in the browser.

    

3. While XP SP 3 has some Address Space Layout Randomization (ASLR) support, it does not support: stack randomization, heap randomization, image randomization, bottom-up randomization, top-down randomization or high-entropy randomization.

    

4. XP is not built to take advantage of the code hardening techniques afforded by modern Visual Studio compilers such as: Virtual Table Guard and Enhanced GS buffer overrun protection, heuristic checking, compiler-inserted array bound checking, and sealed optimizations (which replace virtual calls with direct calls).

    

5. Heap hardening is also quite limited, missing support for; header encoding, terminate on corruption, guard pages, and allocation randomization.

    

6. The lack of User Account Control (UAC) file and registry virtualization, as well as robust sandboxing functionality like User Interface Privilege Isolation (UIPI), means there’s no containing the threat of vulnerable third-party software that demands administrative privileges.

    

So what does this really mean? Well, with the enhancements described above, some of the more active vulnerabilities are ineffective—or at least partially mitigated—on newer versions of Windows. These are just some of the reasons why Windows XP was successfully exploited 8x more frequently than Windows 8—and that was in the midst of XP support!  

So, What Can Be Done?

There are a few short-term efforts that you can take to buy your organization some time. Consider the following:

1. Segment XP systems from other networks.

2. Move XP applications to supported versions of servers (i.e. Windows 2003) with Terminal services.

3. Restrict the use of XP systems to those functions that demand XP – all other browsing, email, etc. should be done on the most secure system available.

4. Implement and configure EMET

Now that XP is dead, its vulnerabilities will become an always-open hole—in essence they morph into “forever days”. While it’s typical for AV vendors to support an OS for a few years after its EOL, with this particular OS it’s still not enough. Even less sophisticated attacks can bypass signature based anti-virus software and infiltrate at a system level. The whole protection scheme needs something new.

The Power of PROTECT

CylancePROTECT™ exists to offer organizations a fighting chance at defending their systems and devices—even after the vendor has abandoned them, the application vendors have given up (or disappeared), and every last security product has failed.

CylancePROTECT was launched on February 3, 2014 after more than a year of development and testing to ensure it’s more effective and more accurate than anything else on the market, including; anti-virus, HIPS and whitelists (which typically require frequent updates of their own signatures), heuristics, behavioral analysis or sandboxing.

Here at Cylance, we don’t rely on these limited and increasingly outdated methods. CylancePROTECT is based entirely on machine learning techniques and mathematical modeling to identify threats in near real-time. From the most prosaic malware to the targeted, custom engineered malware used in APT campaigns, CylancePROTECT is ready for them. For more info see our white paper “Understanding Infinity”. CylancePROTECT instantly analyzes hundreds of thousands of features at run-time and mathematically determines the degree of threat that program poses—while its memory protection layer keeps memory attacks from ever gaining a foothold.

Mitigating Risks

The risks posed by XP’s EOL can be mitigated simply by installing CylancePROTECT’s lightweight agent on top of what’s already there. It works both online and offline, stopping the execution of what’s malicious even when you’re not connected to the internet. Since it doesn’t require daily/weekly updates or system scans, the system utilization and impacts to the end-user are minimal. This saves administration and helpdesk overhead. For embedded systems, this is a dream come true. Place it on the system and CylancePROTECT will mitigate the risks to the device—even if it has never been patched.

CylancePROTECT in the Real World

Outdated and unpatchable third-party software constitutes a dire threat vector where CylancePROTECT saves the day. An example would be the lack of support for updates to Adobe Reader by 3^rd party applications on Point of Sale (POS) systems. We have seen this scenario play out numerous times over the years. The customer is unable—or unwilling—to spend the exorbitant amount needed to update their POS system simply to support the latest version of Adobe Reader. Unfortunately in doing so they remain vulnerable to even the most simplistic hacks. With CylancePROTECT, you eliminate the need for that expense by protecting the system as it stands.

There are countless additional use cases we’re executing on here at Cylance through our Professional Services team in order to find where XP machines are, if they are compromised and how to effectively remediate. Interested in seeing CylancePROTECT in action? Join us on April 10^th @ 10:00 AM as Chief Knowledge Officer Dr. Shane Shook takes a deep-dive into the risks and threats posed by the XP EOL and what you can do about to protect your organization.

{{cta('58f8b967-0f0d-4727-8673-54874108de84')}}

Stuart McClure
CEO, Cylance