Ok people, gather round and listen because we have some knowledge to impart to all of you. As all of you reading this know, from articles we have posted as well as information provided from Microsoft in press releases and articles, support for Windows XP ceased to be on April 8, 2014. This was done for a multitude of reasons, the most important one being that it was time to move on. Roughly 12 years is a good run for an operating system, but it was time for it to go to the farm upstate, ok?
But, what does this mean in the grand scheme of things?
- Microsoft is no longer developing anything for the XP market. This is a dead operating system. It is pinin’ for the fjords.
- No development means no updated technical documents and more importantly, no updated Security Packs.
Now you might think that the Security Packs were just there to make your computer demand to, or automatically, reboot at the most inopportune time possible. Not so. These packages of code were there to help patch and enhance the operating system to handle the daily barrage of viruses, Trojans, and exploits that get dreamed up by sad little criminals. Without Microsoft developing Security Packs for Windows XP, the operating system has been left to its own devices against every bad thing out there on the infinite Internet. And if you still insist on using XP, you are out there alone too.
Don’t believe these updates are important enough to warrant upgrading your operating system? Here is what the Director of CyberSecurity and Cloud Strategy at Microsoft, Tim Rains, wrote about how people use security updates to exploit systems that aren’t upgraded:
“. . . security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality.”
Rains, Tim, "The Risk of Running Windows XP After Support Ends April 2014," August 15, 2013 (December 5, 2014), http://blogs.microsoft.com/cybertrust/2013/08/15/the-risk-of-running-windows-xp-after-support-ends-april-2014/
When you are talking about a program that is being actively developed, there can be several small and incremental security updates made over the course of a day or week. Criminals will do their thing to break and exploit these updates; the software developers will work on improving the program and release another update. This cycle continues day in and day out until one day all the software developers are put on a different project and the product is discontinued or left to the wild. At this point the criminals can have a field day exploiting the program and the people who still use it.
That brings me to another point: since April there have been serious breaches of security with older protocols used across the Internet, specifically SSLv3. SSLv3 is a security protocol used to pass sensitive information over the Internet for important things like credit card numbers and passwords. The latest attack is called POODLE, and it lets criminals inject their own data into a connection and intercept sensitive encrypted information from that connection. This is a big deal: it doesn’t just affect how you interact with us here at ACS Technologies, it also affects how you interact with your bank, hospitals, department stores, and so on. Is it a place where incredibly sensitive data needs to be transmitted across different networks? Then it could be vulnerable.
Why do I mention this? Because Windows XP is very vulnerable to this type of attack, especially if you are using Internet Explorer 8 or lower, and there is nothing that ACS Technologies can do about it. With the POODLE attacks, we have to say enough is enough. We have to end support for anything running on Windows XP. By keeping access open to people and organizations who have not upgraded to a more stable and maintained operating system, we are doing a disservice to those we serve who have upgraded and maintained. It is not in anyone’s best interest to triage software for a dead operating system, and this situation will not get better.
What does this mean for you?
Well, if you have Windows XP and use our products, you must upgrade to a current operating system and web browser. After December 29, 2014, you will no longer be able to use your web browser to upload or download information, view information, or do anything that requires a web browser to access our programs. For your reference, please refer to our February 2014 article that discusses the end of life and next steps.
As always, our support teams are here to help you if you have any questions, but here are two suggestions:
- If the idea of upgrading all the computers in your organization seems expensive and daunting, start by upgrading one or a few and designate those to use the ACS programs and other sensitive programs.
- If you use one of our web-only products like ACS OnDemand or Realm, you could look into using a low-priced laptop with the latest operating system installed until you can afford to upgrade your other systems. Note that this option will not work if you want to run something that requires installation on a computer, like ACS or Headmaster.
- Consider using Consistent Computer Bargains Inc. to help mitigate some of the cost of purchasing the new software.
For right now, if you can upgrade your systems, great, please go ahead and make the jump. If it is not fiscally possible for you to do so, then add a line item to the next budget to upgrade the operating systems or computers at your organization and move ahead with one of the options above in the meantime.
ACS Technologies End of Life Releases
About Windows XP and End of Life
About SSLv3 and POODLE
SSLv3.0 Vulnerability – technical content
Google Paper about POODLE and SSLv3.0 – technical content