Heartbleed is significant because it could enable an attacker to expose or intercept sensitive information that should be encrypted. It’s a big deal when things like passwords and credit card information can be easily compromised. Andrew Storms, senior director of DevOps for CloudPassage, told me, “This is probably one of the more serious bugs I’ve seen in my 15 years of working in the security industry,” and that sentiment has been echoed by a number of security experts.
So, what makes Windows XP a bigger security concern than Heartbleed? Well, the same reason that the expiration of support for Windows XP was not a “Y2K” event, as some had described it.
When April 8, 2014, passed by and Windows XP machines continued working just like the day before, and the world didn’t come to a crashing halt, there were probably many businesses and individuals stubbornly continuing to use Windows XP who thought — or possibly even said out loud — “See? I told you it wasn’t a big deal.” However, that smug hubris will eventually come back to bite them and will have security implications for the rest of us who share the internet with them as well.
Just as Y2K was a specific event, Heartbleed was just one vulnerability. It was identified, a patch was developed, and the world was put on notice. Now, we can move on. It was an isolated moment in time.
Windows XP, on the other hand, is now a permanent, ongoing “zero day” vulnerability. If attackers are smart and stealthy, we may not even know how many vulnerabilities are discovered in Windows XP from this point on — or how critical they are. There won’t be any more patches or updates, so it’s permanently at risk.
“XP, on the other hand, has stopped evolving and any vulnerability discovered from April 8, 2014, into the future will remain a danger to everyone connected to the Internet,” declares TK Keanini, CTO of Lancope. “The only solution for XP at this point is to make it go away — rid it from existence. Everyone needs to do their part to get rid of it, because if we don’t, in this connected world, it will ultimately be a bad thing for everyone.”
Tim Erlin, director of IT security and risk strategy for Tripwire, shared some thoughts as well. “No one is surprised by the Windows XP risk. Still, the risk presented by XP is going to get worse over time, not better. As a risk, Windows XP is much harder to mitigate than Heartbleed because replacing an entire platform is a more difficult task than updating a library.”
I spoke with Evolve IP CTO Scott Kinka, who explained the root of the problem. He told me, “At this point, our best prospects are actually our worst customers.”
Keanini summed up the pervasive threat of Windows XP: “Hunt down expired versions of XP and terminate it!”
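The hunting step has to start with an inventory. The script below is an added example, not code from the article or from any of the vendors quoted in it; it scans a constructed asset export (hostnames and strings are made up) for hosts that still identify as Windows XP, either through the scanner's reported OS name or through the `Windows NT 5.1` token in a browser User-Agent, and reports how many days each has gone without patches since the April 8, 2014 end-of-support date. One caveat worth encoding: `Windows NT 5.2` is shared between XP x64 and Server 2003, so the User-Agent check only trusts `5.1`.

```python
from __future__ import annotations
import csv
import io
import re
from datetime import date

# End-of-support date for Windows XP, as given in the article.
XP_END_OF_SUPPORT = date(2014, 4, 8)

# Constructed sample inventory (hypothetical hosts, not real data): hostname,
# OS string as reported by a scanner or agent, and the last User-Agent seen
# from that host in web proxy logs.
SAMPLE_INVENTORY = """hostname,os_reported,last_user_agent
pos-01,Windows XP Professional SP3,Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
hr-laptop,Windows 7 Enterprise,Mozilla/5.0 (Windows NT 6.1; WOW64)
kiosk-7,Unknown,Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
db-02,Windows Server 2003 R2,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)
dev-mac,Mac OS X 10.9,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9)
"""

NT_VERSION_RE = re.compile(r"Windows NT (\d+\.\d+)")


def is_windows_xp(os_reported: str, user_agent: str) -> bool:
    """True if the reported OS name or the User-Agent identifies Windows XP.

    NT 5.1 maps only to XP. NT 5.2 is ambiguous (XP x64 or Server 2003), so it
    is deliberately not counted here; those hosts need a closer look by hand.
    """
    if "windows xp" in os_reported.lower():
        return True
    match = NT_VERSION_RE.search(user_agent)
    return bool(match and match.group(1) == "5.1")


def find_unsupported_xp_hosts(inventory_csv: str, today: date) -> dict[str, int]:
    """Map each XP host to the number of days it has been without patches.

    Returns an empty dict if `today` is before the end-of-support date, since
    until then XP hosts were still receiving updates.
    """
    if today < XP_END_OF_SUPPORT:
        return {}
    days_unpatched = (today - XP_END_OF_SUPPORT).days
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {
        row["hostname"]: days_unpatched
        for row in reader
        if is_windows_xp(row["os_reported"], row["last_user_agent"])
    }


if __name__ == "__main__":
    for host, days in find_unsupported_xp_hosts(SAMPLE_INVENTORY, date.today()).items():
        print(f"{host}: Windows XP, {days} days past end of support, no patches available")
```

In practice the CSV would come from whatever asset or proxy export the organisation already has; the point of the two-signal check is that a scanner reporting "Unknown" (kiosk-7 above) does not hide a machine whose own browser announces it as XP.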
Do you agree that Windows XP poses a bigger security risk than Heartbleed? Share your opinion in the discussion thread below.