Windows XP only the latest example of risky software, argues KPMG

Consumer PCs already laden with risky programs

The fact that millions of PCs and embedded systems will continue to run Windows XP beyond this week's End of Life (EOL) deadline is only the latest example of obsolete, risky software that shouldn't be used to stoke up unnecessary fear, KPMG analyst Stephen Bonner has argued.

As this week's deadline has approached, a wide range of firms including Microsoft have warned of the dire consequences of continuing to use an operating system that will no longer receive updates or patches, so Bonner's view runs counter to this conventional wisdom.

His view is pragmatic. XP cannot easily be upgraded on many embedded systems such as ATMs, ticketing, point-of-sale and military systems, which means that one way or another it will be with us for some time. Ditto consumers, with huge numbers around the globe simply indifferent to the fact that XP is about to become past tense.

"So XP will be with us for some time, and in some quite unexpected places. Little wonder banks and governments are paying millions of pounds to extend support beyond April 8," said Bonner.

This was absolutely predictable because a sizable minority of PC users already run many other types of obsolete software, such as browsers and plug-ins. Obsolete software is endemic and has been for years.

"It is worth remembering just how much obsolete software resides on our desktops. A survey of Java versions on a million end points last year found many had multiple versions of Java installed. On average organisations ran over 50 different Java versions, and more than half the organisations surveyed had Java software running which was over 5 years old," he said.

Bonner has hit on one of the biggest weaknesses of the claim that running XP after this week represents an unfathomable risk: people already run a lot of risky software, so is the operating system necessarily making this much worse?

"There has been speculation about cyber criminals holding back a large store of XP vulnerabilities ready to exploit obsolescent systems. I doubt that will happen - the incentive to exploit early and make money is just too great. However, I suspect some intelligence agencies might have a few zero days still in stock just in case."

Legacy systems were in "difficult to reach places," protected as much by physical as by software security, and so most of the risk was in the consumer sector. But this population already has major problems, something that running an out-of-date operating system simply draws people's attention to.

Bonner undoubtedly has a point but the fact remains that the stats are against the hold-outs. With recent figures from security management firm Qualys reminding us that 70 percent of 2013's Microsoft security bulletins affected XP, getting off this desktop is inevitable.

On the other hand, the industry's real problem with XP is that it has never before had to confront the deep indifference to security that has formed the backbone of the problems faced by the software industry in the last decade. Having made little effort to deal with the issue of obsolescence before, the industry will have to handle future migrations better than this one or the same pattern will be repeated.

"So let's look beyond XP, but learn some lessons about the importance of managing obsolescence, removing obsolete software, and remembering to secure those out of sight computers."

Stories by John E Dunn