Challenges for 2015: End of support for Windows XP

If you provide support for an organization or an external customer user base, you are likely still supporting machines running Windows XP. Microsoft mainstream support for Windows XP ended on April 14, 2009 and extended support ended on April 8, 2014 [1]. The immediate impact was that you could no longer contact Microsoft for support, paid or otherwise. The long-term impacts will compound over time as security and operational needs require that we implement technologies that Windows XP does not support.

Unfortunately, so long as the OS is still working today, it can be difficult to convince management and customers to upgrade. The intent of this post is to help make a business case for upgrading to a newer operating system by highlighting some of the challenges that XP users and those who support them will experience in 2015 and early 2016.

Here are some of the security issues with Windows XP:

  • Microsoft stopped providing security patches for vulnerabilities on April 8, 2014. There are known critical vulnerabilities with public exploit code that Microsoft patched in Windows 2003 and later but will not patch for Windows XP.
  • No usable support for Forward Secrecy, which means that if the private key for a server’s TLS certificate is compromised, any captured network traffic between an XP client and that server can be decrypted.
  • No support for the Server Name Indication (SNI) [4] TLS extension. SNI allows multiple TLS-protected websites to share one IP address. Without SNI, each TLS-protected website must be assigned its own IP address. As support for SNI becomes standard, you can expect that many site owners will start implementing it and breaking support for browsers without it.
  • No support for TLS 1.1 and 1.2 [5] [6]. These protocols address weaknesses in SSLv3 and TLS 1.0. They add support for stronger and faster cryptography as well as support for TLS extensions enabling future features [7].
  • In short, there is NO native cryptography on Windows XP that is not known to be either weak or outright broken.
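
For a service provider weighing these TLS limitations, one way to measure exposure before tightening server settings is to count the affected clients in existing access logs. The script below is an added example, not part of the original post; it assumes a hypothetical nginx `log_format` that records `$ssl_protocol`, `$ssl_cipher` and `$ssl_server_name`, and its sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed nginx log_format for this example (not from the original post):
#   '$remote_addr $ssl_protocol $ssl_cipher $ssl_server_name "$http_user_agent"'
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Windows XP identifies itself as "Windows NT 5.1" (5.2 for XP x64).
XP_UA = re.compile(r"Windows NT 5\.[12]\b")
OLD_PROTOCOLS = {"SSLv3", "TLSv1"}
# OpenSSL-style names of ephemeral key exchanges; TLS 1.3 suites ("TLS_...")
# always use one.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")

# Constructed sample lines (documentation IP ranges, invented traffic).
SAMPLE_LOG = """\
203.0.113.10 TLSv1 DES-CBC3-SHA - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.10 TLSv1 RC4-SHA - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
198.51.100.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 www.example.com "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
192.0.2.44 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 www.example.com "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36"
198.51.100.23 TLSv1 AES128-SHA www.example.com "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""


def assess(log_text):
    """Map client IP -> {"xp": bool, "breaks": set of policies it would fail}."""
    clients = defaultdict(lambda: {"xp": False, "breaks": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        ip, proto, cipher, sni, ua = m.groups()
        entry = clients[ip]
        entry["xp"] |= bool(XP_UA.search(ua))
        if proto in OLD_PROTOCOLS:
            entry["breaks"].add("require TLS 1.1+")
        if sni == "-":  # nginx logs "-" when the client sent no SNI
            entry["breaks"].add("require SNI")
        if not cipher.startswith(FS_PREFIXES):
            entry["breaks"].add("require forward secrecy")
    return dict(clients)


def xp_clients_at_risk(log_text):
    """XP clients that at least one planned policy change would cut off."""
    return sorted(ip for ip, c in assess(log_text).items()
                  if c["xp"] and c["breaks"])


if __name__ == "__main__":
    for ip, info in sorted(assess(SAMPLE_LOG).items()):
        print(ip, "XP" if info["xp"] else "other", sorted(info["breaks"]))
```

The fourth sample line is an XP host whose browser negotiated TLS 1.2 with SNI, so it is counted as XP but not as affected by the TLS policy changes.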

Additionally, there are general support issues.

  • Internet Explorer 8, which was released in 2009, was the last browser version to support Windows XP. Products and sites that require features from newer versions will not work. Also, due to a change in Microsoft Internet Explorer support policy [8] this browser will not be supported by Microsoft on any platform as of January 12, 2016.
  • Citrix ceased supporting the platform [9] when it went out of primary support on April 8, 2014. The last version of the Citrix Receiver that worked on the platform was 4.1 but, based on my reading, Citrix will not provide support on 4.1 if you were to call them.
  • Cisco’s supported VPN clients do not support Windows XP.
  • Adobe stopped providing support [10] for Adobe Reader and Acrobat on Windows XP in May 2014.
  • Oracle stopped providing support for Java on Windows XP as of May 2014. Java 7 was the last version to have been supported on XP and it will reach the ‘End of Public Updates’ phase of support in April 2015.
  • Google currently plans to end support [11] for Chrome on Windows XP in April 2015.
  • Cisco does not list Windows XP in the supported OS list for WebEx [12] and Jabber [13].
  • SAP will remove support [14] for the SAP GUI on Windows XP on July 14, 2015.

From a management and customer perspective, this means that computers running Windows XP will, over time, become unable to run certain software and access websites and services. Depending on the situation, this could present an unacceptable business interruption. In some cases, such as unsupported software, this can be identified and planned for. In other cases, such as with websites and services, the change in functionality may be sudden due to a shift to requiring more robust cryptography or implementation of a feature requiring a modern version of Internet Explorer or Chrome. Service providers may be unable to accommodate customers running older software if doing so presents a risk to the rest of their customer base. Any organization that still uses Windows XP to perform a critical business function which interacts with the Internet or other outside resources should review the risks and impacts and respond accordingly.

– Tom


References:

1. Windows XP lifecycle: https://support.microsoft.com/en-gb/lifecycle?c2=1173&wa=wsignin1.0

2. SChannel cipher suites supported on Windows XP and Server 2003: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380512(v=vs.85).aspx

3. CloudFlare kills support for RC4: https://blog.cloudflare.com/end-of-the-road-for-rc4/

4. Server Name Indication:   http://en.wikipedia.org/wiki/Server_Name_Indication

5. Support for SSL/TLS by browser: http://en.wikipedia.org/wiki/Transport_Layer_Security#browsersTSL

6. Windows XP SSL/TLS/Cipher suite support:  https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP

7. Changes in TLS 1.1 and 1.2:  http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.1

8. Microsoft changes Internet Explorer support policy:  http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

9. Citrix Receiver OS support:  http://support.citrix.com/proddocs/topic/receiver-windows-40/receiver-windows-sys-reqs-40.html

10. Adobe end of support on Windows XP:  http://blogs.adobe.com/acrobat/windows-xp-end-of-support-html/

11. Google Chrome end of support for Windows XP:  http://chrome.blogspot.com/2013/10/extending-chrome-support-for-xp-users.html

12. Cisco WebEx system requirements:  https://support.webex.com/MyAccountWeb/knowledgeBase.do?articleId=WBX4830

13. Cisco Jabber system requirements: https://support.webex.com/MyAccountWeb/knowledgeBase.do?articleId=WBX80484

14. SAP OS and platform support:  https://sapaccess.helpdeskconnect.com/?cmd=faq&topid=50&sid=
