Safer computing with Windows XP after Microsoft ends support

Microsoft ended support for Windows XP on April 8, 2014.

This is not the end of the world for people still using Windows XP but Windows XP users need to be extra careful to stay safe and secure on the Internet.

Here are my 5 suggestions for Windows XP users – 

  1. Do not use Internet Explorer, use an alternate browser, for example Firefox.
  2. Use an antivirus, for example Avast!
  3. Keep your software up to date, for example install updates to Flash. 
  4. Be extra careful of  clicking on links in email or on web sites.
  5. Keep a backup of your important data.

Here is my detailed take on Windows XP, security, moving away from Windows XP and the future.

pop up windows proclaiming Windows XP End of Support
Windows XP End of Support

Windows XP background and end of support

Windows XP was installed on computers sold from October 2001 thru January 2007.  XP has undergone 3 Service Pack Updates and many security patches.  Microsoft decided to stop offering support for both security and financial reasons.  Microsoft wants to be rid of Windows XP because it is an old and less secure operating system.  Newer versions of Windows have more security built in.  Microsoft wants to save money by no longer paying staff to support XP and develop security updates for it.  Microsoft wants to generate revenue by pushing people into buying Windows upgrades or new computers and wants business and government that still rely on Windows XP to buy support, more on that below.

The fact that Microsoft is not patching security problems in Windows XP is creating a dangerous security problem for all XP users and arguably all users of the Internet.  But exactly how dangerous and how immediate a threat is debatable.  Most security vulnerabilities are in the browser and software that runs on Windows (Flash, Acrobat, Java, Office, etc).  Windows XP (excluding Internet Explorer) in later life was infrequently security patched .  One could argue that the operating system Windows XP is less a security problem and the software that is run on the computer is the greater security problem.  Security expert Steve Gibson believes this is the case and continues to use XP, more on that below.

Windows XP is still a big player in the world, many people, businesses and governments are still using Windows XP.   30% of all computers worldwide on the Internet still use XP.

Many of the Windows XP computers still in use today are way behind in their security updates.  These unpatched computers are a larger threat to security than patched cpmputers and could even disrupt the Internet at large with viruses, botnets, spam and other malware.  Illegal copies of Windows XP will not update.  Many of these illegal Windows PCs are in China and other countries that have freely stolen Windows.

Security:  more about the 5 tips listed above

Do not use Internet Explorer.  The browser  Internet Explorer (IE) has a history of being less secure than alternative browsers (such as Firefox).  IE is part of Windows and cannot be uninstalled from Windows.  Since it is part of Windows people tend to use it by default.  But you can ignore Internet Explorer.  Install an alternate browser such as Firefox, Chrome, Safari, Opera, etc.  and ignore IE.  I recommend Firefox.  Firefox has useful security features built in, for example it will update itself automatically and can natively read PDF documents.

Use an antivirus, for example Avast!.  There are many good free and paid antivirus programs out there.  Free and paid antivirus programs are compared at PC Magazine and MaximumPC Magazine.  Most antivirus program companies are continuing to support Windows XP and even Microsoft will continue to support currently installed instances of Security Essentials  on XP until 2015 although you will get scare reminders that your Windows is out of date. For minimum malware protection I recommend using Avast! free for active antivirus and installing Malwarebytes free for an on demand virus scanner.  Paid subscription antivirus products such as Avast! and Malwarebytes will offer more features and protection.

Keep your software up to date.  Keeping your software up to date means installing the latest software updates and patches when they are offered by the software makers.  Keeping software secure is a never ending cat and mouse game – the bad guys find security holes in software and the software makers offer us security patches to plug the holes.  Although Microsoft no longer will keep Windows XP updated, we can keep all our other software updated and this will be a big security win.  If we assume Windows XP is a mature software with less security vulnerabilities to exploit, the bad guys will attack the newer more vulnerable software that we use – all about return on investment.   Programs that interact with the Internet are the most critical to keep updated.  Here are some examples of software and how they are updated.  The Internet browsers  Firefox and Chrome update themselves as needed.  Flash is a common browser add on that will alert you with a pop up that it needs to be updated, please do so.  Java is an add on computer language required for some web sites and games, update it when offered, more on Java below.  Adobe Acrobat reader is a commonly installed software, update it when offered, more on Acrobat below.  Microsoft Office programs will update every patch Tuesday by themselves.  Other Office programs like OpenOffice will offer updates.  In general update your software when the manufacturer offers an update.  This brings up the question, how do you know the update offer is legitimate?  No simple answer here, if the update offered looks like it came from the program it probably is legit.  If the update offered does not look legit it likely isn’t, for example visiting a questionable web site and being offered a video codec is likely malware.   Don’t accept software offered as you are roaming the Internet or reading email.

Be extra careful of clicking on links in email or on web sites.  Presently this is the most common way for a computer to be compromised by the bad guys.  An email can have an attachment, usually a picture or document, but it could also be a malware program sent by a bad guy.  The bad guys will try hard to make it look legitimate and useful.  Email can be spoofed which means the sender appears to be someone that you know but their name has been forged in the From field by some else.  Also email accounts may be hacked and used to send spam or malware.  A spoofed web site will look like the real thing but will try to harvest your username and password.  A click on a link or opening an attachment can install malware such as botnet software or a keystroke logger.  Botnet software lets a remote bad guy take over your computer to send spam or worse.  A keystroke logger will capture what you type, such as usernames and passwords, and send that info back to the bad guys.

Keep a backup of your important data.  Please keep backup copies of all your data that you would hate to lose.  Your computer stores your data on its hard drive.  By default this is one copy in one place.  Anything can happen to that one copy of electronic data and it could be lost forever –  accidental erasure of the data, malicious erasure of the data, the hard drive could catastrophically fail, the computer could be stolen, a virus could erase or lock the data, a natural disaster could destroy the computer.  There are many ways to backup and copy data.  The simplest would be to periodically copy your important data to a USB drive.  An external hard drive with Windows or third party backup software will back up data on a schedule.  A cloud backup company (for example Carbonite) will automatically back up new data as it is created to a cloud data storage site somewhere on the Internet.  Free and paid cloud storage is available, examples include Dropbox, Microsoft OneDrive, and Google Drive.  The more important the data is, the more copies in different places you need to keep because backup copies may be lost, destroyed or become inaccessible.  An example of cloud storage suddenly becoming inaccessible is megaupload.com which was shut down with no warning to all users.

Security:  Advanced tips

Create and use a Limited account.  By default the first account created in Windows XP is an Administrator account.  Administrator accounts have full privileges to manage the PC including changing system settings.  Limited accounts are prevented from changing system settings.  Therefore using a Limited account greatly reduces the danger of malware writing settings and viruses to the computer.  Running with a Limited account does have annoyances, for example, you may need to switch to an Administrator account to install software and some software will not run in a limited mode, ie VPN.  Security expert Steve Gibson uses a Limited account with Windows XP.

Disable or remove Java.  Java is a programming language add on for computers and has been a significant security risk lately.  Java is needed for some web sites and games.  If you don’t need it, uninstall it and at least disable it in your browser.

Acrobat software has had its share of security issues, consider replacing it with an alternate PDF reader.

Browser add ons.  Surfing the Internet is one of the biggest threats to computer (including Windows XP) security.  There are browser add ons that can help mitigate this threat, for example NoScript.

Install and use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) which is “a utility that helps prevent vulnerabilities in software from being successfully exploited.”   For advanced users.

Uninstall all software that you don’t need.  Any software is a vulnerability (attack surface as the security people say) and uninstalling any software that you don’t need is a good thing.

Leaving Windows XP – upgrade, new PC or switch

Upgrade your computer from Windows XP to Windows 8 or Windows 7.  I’m going to say this is not a good option for most people because if your computer came with XP, your computer is old and will not run Windows 8 or Windows 7 well.  There are also economic reasons not to upgrade – the Windows 8 upgrade will cost $119 USD list price, your computer may require more memory to run newer Windows (4GB memory is about $50) and a computer running XP is at least 8 years old and subject to old age issues such as hardware failures.  The upgrade process itself is complex, time consuming and expensive when done by professionals.  And don’t forget your time to adjust to the new version of Windows.

Buy a new PC with Windows 8 or Windows 7.  Yes, Windows 7 is still available if you look.

Abandon Windows.  You can leave Microsoft Windows behind and go Apple, Android or Linux.  Apple offers computers, laptops and iPad tablets.  Many vendors such as Samsung offer Android computers (Chromebooks) and tablets.  Linux can be installed on any PC hardware.   Also, you can do Internet on iPhones, Android phones, cheap tablets and iPods.  There will be a learning curve for a new operating system.

Change to Linux operating system.  This is a radical jump but if you are willing to learn a new operating system this is golden.  If your computer needs are basic, like get on the Internet, you will quickly learn to use Linux.  The good news is Linux is free, supports most PC hardware (even old PC hardware) and is considered very secure.  The bad news is the learning curve and some hardware may be trouble to connect (printers, webcams, etc).  Linux can be run from a DVD to test drive it.  Ubuntu is a popular version of Linux.

Windows XP is still in play for business and government

Many businesses and governments are still using Windows XP.  The danger is mitigated by isolating their networks from the Internet, carefully locking down the PC clients (with group policy) and subscribing to Microsoft’s paid Windows XP security updates.

Most ATM machines run Windows XP embedded which sounds dangerous but isn’t so much because XP embedded is a stripped down version of XP with less attack surface, the ATM network is isolated from the Internet and Microsoft is offering security updates for XP embedded business users for a fee.

Yes Microsoft is still creating security updates for Windows XP.  Microsoft stopped free security updates for the public and small business and now only supplies security updates to paying customers (business and government).

Moving forward with unsupported Windows XP

Microsoft blinked and updated Internet Explorer versions 6, 7, 8 that run on Windows XP in early May 2014, after the April 8, 2014 end of support.

pop up window showing Update History showing IE patched
XP IE8 patched May 3 2014

Microsoft pushed the usual Malicious Software Removal Tool (MSRT) to XP computers on May 13, 2014, on the second Tuesday update schedule demonstrating that Microsoft still cares about XP a little.

May 20, 2014 update.  Windows XP has now been “unsupported” for over a month now with no serious security issues reported.  Some security experts predicted all hell would break loose April 9, 2014 (the day after end of support) with Windows XP security being attacked by hackers with zero day exploits saved up to be unleashed after Microsoft support ended.  This did not happen.

May 28, 2014 update.  A hack has surfaced to allow Windows XP to continue to receive updates by tricking Microsoft into thinking the hacked XP is embedded.  Microsoft says this may break things in XP.  A reference at zdnet.com: Registry hack enables continued updates for Windows XP

My favorite security expert Steve Gibson (grc.com) has called all the drama about Windows XP “a tempest in a teapot.

Summary

Microsoft’s end of support for Windows XP is not the end of the world but XP users need to be more careful on the Internet to stay safer.

I have discussed ways to stay safer and offered ways to leave Windows XP.

These are my ideas and suggestions, your experiences may be different.

Share your ideas and suggestions with me.

Happy safe computing.

Leave a Reply

Your email address will not be published. Required fields are marked *