Tuesday, 14 January 2014

Secure Windows XP after updates end

Sticking with Windows XP? Here's how to secure your system to a reasonable standard.

We'll cover:

1. How attackers work.
2. The significance this has for Windows XP users who will no longer receive updates to their operating system.
3. Free solutions to help secure your PC.

2014/01/14: This article has been updated, correcting NetMarketShare figures regarding how many people use different versions of Windows. In practical terms there is little difference.

Microsoft will soon stop issuing security updates for Windows XP.

At the same time it will cease issuing updates for its anti-malware product (Microsoft Security Essentials) for Windows XP.

This is significant because a very large minority of PC users still have Windows XP installed. Should they buy a new Windows 8 PC or can they maintain a decent level of security once they are abandoned by Microsoft?

In April 2014 Microsoft will end support for Windows XP and its free anti-malware protection. However, in December 2013, 29 per cent of Windows users were still running Windows XP.

To put things into perspective, 44.5 per cent were running Windows 7 and only 11 per cent were running Windows 8 and Windows 8.1 combined. These figures are provided by NetMarketShare.

Clearly such a large number of people are not going to switch to Windows 7 or 8 in the next three months.

The following article explains what the threats are for Windows XP users, how they work and ways in which users can secure their old computers without having to upgrade the operating system.

How hackers do it

There are two common ways for hackers to attempt to gain access to desktop computers.

Social engineering

The first is so-called social engineering, in which they trick victims into running a malicious program. This program may be designed to steal information, such as passwords, from the system. Let’s call this type of software ‘spyware’.

Alternatively the software might try to further trick or blackmail the victim, perhaps by claiming (ironically) that it has detected a malware infection or by locking the PC and demanding payment for releasing the system back into the user’s control. These types of threats are called ‘rogue anti-virus’ and ‘ransomware’ respectively.

For social engineering to work the user usually has to be convinced to run a program. If they are sufficiently convinced that they need to download and run a certain program (or insert a strange USB storage device) then they will probably carry on regardless of what their anti-virus program tells them.

Some may check themselves if they see a warning like, “This file is a Trojan. We recommend you should delete it.” but clearly enough users are fooled for the criminals to continue with this tactic.

No amount of patching Windows will change this situation so, for Windows XP users, this type of threat remains as significant (but probably no worse) as before.

Software exploitation

The second method is to gain access to the system using automatic attacks. These usually involve the victim visiting a website that contains some malicious code. This code, known as an exploit, runs on the target computer and gains a temporary level of control. It uses its new-found position of power to download and install malicious software, such as the aforementioned spyware, rogue security software and ransomware.

Automatic exploits only work because there are security holes, aka ‘vulnerabilities’, in the software on the victim’s computer. Vulnerabilities can exist in the applications that come included with Windows, such as Internet Explorer; in third-party applications such as Java, Flash and Adobe Reader; and even in hardware drivers (last month researchers published an exploit for Nvidia’s display driver).

If vulnerable software is updated to make it less vulnerable then exploits are less likely to work. For example, if you are still using Java version 6.x then your system is very open to attack because there are lots of known vulnerabilities for that software. Upgrading to the latest version 7.x will help, because there are fewer known vulnerabilities in the latest version of Java.

It is neither safe nor accurate to assume that any program has no vulnerabilities at all. Usually it’s just a matter of time before someone finds a new one. If a program is popular then there is more motivation for researchers to look for security holes because they affect the greatest number of potential victims.

Most popular exploits

It is hard to say whether attackers prefer to exploit vulnerabilities in Windows’ own files or those belonging to third-party software but, according to an update by the security blog Contagio, the exploit kits used by criminals in recent months seem very focussed on Adobe Reader, Adobe Flash and Oracle’s Java.

There are some exploits aimed at Internet Explorer 10 and earlier, many of which could affect Windows XP users. Switching from Internet Explorer to a browser that has continued Windows XP support (such as Google Chrome, Mozilla Firefox and Opera Software’s Opera browsers), and updating all other third-party applications would be a sensible move if you want to stick with Windows XP.

Updating automatically

Microsoft makes updating Windows reasonably convenient thanks to the Windows Update service. However, this does not usually provide updates for third-party software (although it does sometimes). Fortunately there is a free application that behaves in much the same way as Windows Update but for non-Microsoft programs.

Secunia’s Personal Software Inspector (PSI) will scan your PC for vulnerable applications and can automatically download and update those for which updates exist. You can also opt to have it download the updates but wait until you instruct it to install them, and you can even have it simply scan and inform you about available updates, rather than downloading anything.
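The version check behind this advice, as an added Python example (not from the original article and not Secunia's code): it lists installed programs from the Windows Uninstall registry key and flags any that fall below a minimum version. The Java 7 floor follows the article; the other floors, the sample inventory and the function names are constructed for illustration.

```python
import re
import sys

# Minimum acceptable versions. Java 7 comes from the article; the other
# floors are constructed sample values, not vendor guidance.
BASELINE = {"java": (7,), "adobe flash player": (11, 9), "adobe reader": (11,)}

def parse_version(text):
    """'6.0.310' -> (6, 0, 310); numeric tuples compare correctly (10 > 9)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def read_uninstall_entries():
    """Read (DisplayName, DisplayVersion) pairs from the registry (Windows only)."""
    import winreg  # imported here so the rest of the file runs on any platform
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                try:
                    name = winreg.QueryValueEx(sub, "DisplayName")[0]
                    version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                except OSError:
                    continue  # entry has no display name or version
                entries.append((name, str(version)))
    return entries

def find_outdated(entries, baseline=BASELINE):
    """Return (name, version) for every entry below its product's floor."""
    outdated = []
    for name, version in entries:
        for product, floor in baseline.items():
            if name.lower().startswith(product) and parse_version(version) < floor:
                outdated.append((name, version))
    return outdated

# Constructed sample inventory, used when not running on Windows.
SAMPLE = [
    ("Java(TM) 6 Update 31", "6.0.310"),
    ("Java 7 Update 45", "7.0.450"),
    ("Adobe Flash Player 11 ActiveX", "11.9.900.170"),
    ("Adobe Reader 9.5", "9.5.0"),
    ("Mozilla Firefox 26.0 (x86 en-GB)", "26.0"),
]

if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE
    for name, version in find_outdated(entries):
        print("OUTDATED: {0} ({1})".format(name, version))
```

Programs missing from the baseline are not reported at all, so an empty result only means that nothing on the list is below its floor.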

How this affects users of Windows XP beyond April 2014

If Microsoft sticks to its plans then Windows XP will no longer receive security updates after April 2014. This means that any future vulnerabilities detected in Windows XP system files and the applications that come with it will remain unfixed. This appears to be great news for the attackers, who can locate security holes and use them without fear that their activities will be hindered by an impending fix.

The solution(s)

However, this is just one facet of the situation. Third-party applications and hardware drivers will still be updateable as long as their developers continue to provide support. Additionally, certain anti-malware products, including Kaspersky Internet Security and Symantec Norton Internet Security, are capable of detecting many types of exploits and can prevent them from taking control of the system.

I put together a list of anti-malware products that will continue to protect Windows XP after Microsoft withdraws support. Most, at the time of writing, were committed to the foreseeable future.

While Java is notoriously popular with hackers, you don’t need to remove it completely in order to secure your PC. You can keep Minecraft running happily on your system but simply disallow Java in the web browser.

There are at least five free and easy ways to protect against viruses and spyware. Windows XP users won’t be able to follow point #4 (i.e. update Windows) from that linked article but the rest are relevant for those sticking with XP.

Microsoft has a tool that helps to prevent the exploitation of vulnerabilities in its own software and those created by third parties. The Enhanced Mitigation Experience Toolkit is probably a little too tricky to use for everyday users but experts and the inquisitive can download it for free.

So while it is always best to fix the problem, by patching the security hole (or uninstalling the vulnerable application if you don’t need it!), there are ways to prevent the bad guys from gaining access even though the holes continue to exist.