IE Vulnerability: Crisis Averted for Windows XP Users?

May 2, 2014 • Category: Best Practices

Windows XP users may be breathing a sigh of relief following Microsoft’s announcement that it is patching—even for XP users—a major vulnerability discovered in its popular Internet Explorer (IE) browser.

But folks, we’re just getting started. Now that the April 8 end date for Microsoft Windows XP support has passed, XP users can expect an ongoing onslaught of hacking attempts based on new vulnerabilities that don’t get patched.

If you are an XP user, you can pretty easily write off this single IE patch release as a one-time event. It’s highly unlikely that Microsoft will repeat this scenario.

Background on the IE Vulnerability

On April 28, reports of the first known, post-April-8 vulnerability began circulating. For XP users, this IE browser vulnerability meant that if you use IE to access or browse the Internet, your machine and the network it’s attached to could be accessed by a malicious outsider.

According to Microsoft’s advisory:

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Industry Experts Weigh In

The U.S. and U.K. governments responded to the IE announcement by advising people not to use Internet Explorer until Microsoft fixed the vulnerability. Remember, however, that if Microsoft didn’t issue the patch for Windows XP, then this fix would never happen. In essence, you could never safely use Internet Explorer again.

Industry experts have issued statements regarding security and privacy compliance (e.g., PCI, HIPAA) and Windows XP. Here is ControlScan’s stance:

ControlScan does not endorse or recommend the use of compensating controls for the existence of unsupported operating systems (namely, Windows XP after April 8, 2014) within a cardholder data (CHD) environment. ControlScan may, at times, provide details to clients, partners and prospects regarding controls that are “above and beyond” the controls already found in the PCI DSS and therefore may be used within an overall compensating control to help mitigate the risk associated with the presence of Windows XP in a PCI environment after April 8, 2014. The sharing of these control details in no way implies ControlScan’s endorsement of the use of said controls for a Windows XP compensating control.

As a PCI Qualified Security Assessor (QSA), I also stress the following for self-assessing merchants:

  • There is no silver bullet security control or solution to mitigate the risk presented by the existence of unsupported operating systems within a cardholder data environment. Any control you put in place as a compensating control must be viewed as a TEMPORARY stop-gap to a game plan which ultimately includes the replacement of all unsupported operating systems.
  • In order for any merchant or CHD-handling organization to use a compensating control to meet PCI compliance, a constraint must be identified that prevents the organization from meeting the original PCI control. If your organization has the financial and technical means to replace all Windows XP systems within 3 months, for example, and decides to take 12 months to make the replacements, my QSA opinion would be that any compensating control in place from months 3-12 is invalid. The number one goal should be to decommission and replace all unsupported operating systems as quickly as possible.
  • All compensating controls must be uniquely articulated, justified and implemented within your organization’s environment. In other words, there is no “blanket” compensating control that can be applied universally to organizations for any lacking/missing PCI DSS control.

I’ll say it again as I’ve said before: If your organization is running Windows XP—even if you have antivirus programs and firewalls in place—your security posture will be significantly reduced and you will not be in compliance with the PCI DSS. Those subject to HIPAA will also be out of compliance.

Time to Jump Ship

Over time, new vulnerabilities will be discovered and they will chip away at your business’s security – not to mention its processes and productivity. If your business is still running Windows XP, it is past time to upgrade.

ControlScan and ShopKeep POS have produced a practical guide that can help you quickly identify and completely address Windows XP in your business environment. Download your free copy of the eBook here:
