Part of being an adult is doing things you don't want to do even though they are critically important, such as eating right, exercising and filing your taxes.
Similarly, effectively securing an enterprise's IT resources requires patching, backups and good cyber hygiene. Patching, much like eating right, requires constant diligence and, sometimes, tradeoffs. More often than not, enterprises need to make tradeoffs around deploying patches, and software developers also need to make tradeoffs around what to patch and when it should be done.
Recently, Microsoft had to analyze these tradeoffs when considering Windows XP patches to address vulnerabilities made public by the Shadow Brokers. The software giant pushed out patches for the legacy operating system, as well as others, like Windows Vista and Windows Server 2003, on two occasions earlier this year after the Equation Group exploits were used in major ransomware attacks.
In this tip, we'll explore the tradeoffs Microsoft made in developing these Windows XP patches and different responses from enterprises.
Windows XP patches: The tradeoffs
Nation-state attack tools and exploits rarely become available to the common criminal, but with the exploits released by the Shadow Brokers, this risk analysis changed.
It should be noted that third-party security researchers could have independently identified some of these vulnerabilities. Even with the release of minimal details about a vulnerability, other researchers could have found the same flaw discovered by the National Security Agency (NSA).
The Shadow Brokers selling stolen exploits from the NSA is not something Microsoft or any other software vendor could have anticipated when developing their support lifecycle policies.
Once a vulnerability is made public, it should be assumed that it will be exploited by an attacker. Microsoft had to carefully weigh the benefits and the costs of developing a patch and, in this specific case, the vulnerabilities included a remote code execution flaw that could be widely exploited. This is probably what drove Microsoft to release a patch for its older, unsupported OSes. However, issuing these Windows XP patches may prolong enterprise use of these unsupported OSes and give users a false sense of security.
The first step for enterprises is to update their risk analysis using data from the new exploits that are now available for Windows XP/2003. This will help them determine if their plan for replacing Windows XP/2003 adequately meets their enterprise risk tolerance and ensure that they are running software supported by their vendor. If not, they may want to devote more resources to replacing Windows XP/2003 systems.
The next step, which may be done concurrently with the first step given the significant increase in risk, is to push the patch to all Windows XP/2003 systems still connected to networks. For enterprises that must use Windows XP/2003 systems on their network, they may want to implement other compensating controls to address these risks, but that will also increase the operational cost of maintaining these systems.
These new patches probably won't encourage customers to continue to use Windows XP/2003, as the drastically increased risk of an attack is not completely resolved by just applying these patches. Some systems will inevitably not get the patch and they will remain unprotected.
Enterprises that must continue to use unsupported systems may want to remove the systems from the network or at least put them on an isolated network with restricted outside access to only the absolutely necessary systems. This will increase support costs and decrease the functionality of these systems; however, it could help drive enterprises to replace these systems.
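The three steps above (update the risk analysis, push the patch to every remaining Windows XP/2003 host, then isolate what cannot be replaced) start from an accurate inventory. The script below is an added example, not code from the article or from Microsoft: it reads a constructed host inventory and ranks unsupported hosts by urgency, with internet-reachable unpatched hosts first. The CSV columns, zone names and hostnames are assumptions made up for illustration.

```python
"""Triage a host inventory for unsupported Windows versions.

Added example for this tip; not Microsoft's tooling. The inventory
format (hostname,os,patch_applied,zone) and the zone names are assumptions.
"""
import csv
import io

# Operating systems the article treats as out of vendor support.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Constructed sample inventory; the columns and values are made up for
# illustration. patch_applied marks whether the out-of-band patch is installed.
SAMPLE_INVENTORY = """\
hostname,os,patch_applied,zone
hmi-01,Windows XP,no,internet
lab-pc-07,Windows XP,yes,internal
fileserv-2,Windows Server 2003,no,internal
ws-112,Windows 10,yes,internal
scada-gw,Windows Server 2003,no,isolated
"""


def score_host(row):
    """Return (priority, action) for one inventory row, or None if supported.

    Priority 0 is most urgent. Unsupported + unpatched + reachable from the
    internet ranks first; supported hosts fall outside this triage.
    """
    if row["os"].strip() not in UNSUPPORTED_OS:
        return None
    patched = row["patch_applied"].strip().lower() == "yes"
    zone = row["zone"].strip().lower()
    if not patched and zone == "internet":
        return (0, "patch now and move behind an isolated segment")
    if not patched:
        return (1, "patch now; schedule replacement")
    if zone != "isolated":
        return (2, "patched but still exposed: isolate and plan replacement")
    return (3, "patched and isolated: track for replacement")


def triage(inventory_text):
    """Parse CSV inventory text and return unsupported hosts, most urgent first."""
    rows = csv.DictReader(io.StringIO(inventory_text))
    findings = []
    for row in rows:
        result = score_host(row)
        if result is None:
            continue
        priority, action = result
        findings.append({"hostname": row["hostname"], "os": row["os"].strip(),
                         "priority": priority, "action": action})
    # Stable ordering: urgency first, then hostname for repeatable reports.
    findings.sort(key=lambda f: (f["priority"], f["hostname"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f['priority']} {f['hostname']:<12} {f['os']:<20} {f['action']}")
```

Re-running the triage after each patch push or network change gives the "updated risk analysis" the tip calls for as a concrete artifact, and any host that stays at priority 0 or 1 between runs is the one to escalate.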
For enterprises stuck using a device or system controlled by a computer running Windows XP/2003, requiring the vendor to support current operating systems from the original OS vendor should be mandatory. Without enterprises making this requirement of their vendors, they may continue to be stuck in situations like this.
Software developers want to limit the number of versions of their software in use to reduce support and many other costs to ensure resources can be devoted to developing new versions. Microsoft is no exception to this generalization, and it carefully weighed the options before releasing Windows XP patches to customers.
Enterprises also want to minimize their costs and may delay rolling out new systems to manage those costs, but if the operational cost drastically increases and the risk of being attacked increases, this may push the enterprise to increase the pace of deploying new systems. Enterprises should not rely on Microsoft's generosity to ensure their systems are adequately protected.