When I advise businesses on being protected against cyber-attacks, one of the first things I focus on is their desktop operating systems. Updates bring about improvements and fix potential security flaws. Updating is free and can easily be automated, but it can also be forgotten. Old operating systems often cannot be updated, and from a security perspective this is dangerous.
Organisations don’t like to spend too much on IT, and like even less to spend on IT security. But do they do their sums correctly with such decision-making? The cost of an attack may be many times greater than the cost of putting up adequate defences. The ransomware which has disproportionately hit NHS computers is (yet another!) prime example. It is true that not all of the computers affected by the WannaCrypt virus (1) are running XP, but that is again a matter of updates not being applied: the exploited vulnerability was identified back in March and the fix was made available in Microsoft updates to all supported operating systems back in April (2), so only organisations that had failed to patch would have been caught out. Apparently, quite a lot of Windows 7 and 8 computers that weren’t updated in time have also been affected. Microsoft have now made a guarded statement covering themselves for a situation that clearly wasn’t their fault (3), as anyone who knows the software development life cycle will know.
So why the focus on Windows XP? This operating system was released back in 2001. It was a masterpiece of engineering, produced by combining the two quite different Microsoft operating system technologies of Windows 95/98 and NT (New Technology) to run as much available software as practicable on a stable platform.
It was therefore always going to be an interim product, but the blundered next iteration (Vista) caused many users to stay with XP much longer than would have been advisable. Indeed, by the time Windows 7 became available (2009) XP was only safe to use with an array of service packs and updates. Users had therefore become accustomed to using the same operating system for eight years.
At that point, Microsoft may have been justified in proclaiming a phasing out of XP, but many users stuck with their faithful operating system either because they were familiar with the interface, or because they had old computers that would be expensive to upgrade. However, by 2013 Microsoft said enough was enough, and an announcement was made that updates to XP would not continue beyond April 2014.
Rather than spending the 12 months investing in new kit that would support later versions of Windows, it seems that the UK government (with some other large organisations) negotiated with Microsoft for a 12-month extension to “updates” on computers running Windows XP, thus allowing 24 months for the many IT departments associated with the public sector to upgrade their kit to run Windows 7 (or later). This would save money in the short term.
By the time April 2015 came along, all UK government computers should therefore have been upgraded. Quite why this wasn’t the case was a mystery to security analysts and researchers like myself, and was reported in The Guardian (4). By then, everyone in the industry should have known that XP software had many vulnerabilities, and there are only so many plasters that can be stuck over a leaking sieve! The boffins at GCHQ would have been very much aware of this, and must have been livid when it became apparent that those 12 months hadn’t been used to upgrade every public sector Windows XP computer in the land. It was, as the IT expert on Radio 5 commented earlier today, “only a matter of time” before a major incident occurred. It seems that the government (rightly) did not renew its contract with Microsoft, but encouraging cash-pressed individual departments still with XP computers to negotiate their own deals with the supplier at that point looked naive. Continued support for XP therefore didn’t happen in practice, and it is remarkable that they got away with it for over two years before one of the many identified vulnerabilities of XP was exploited in a damaging way.
Advice: Apply updates to ALL Windows machines; if they are not set to automatic, apply the updates and then set them to automatic. Keep any Windows XP machine well away from the Internet, back up all your important files, and replace it with a machine that can support a more recent version of Windows… preferably Windows 10, which, according to Microsoft, will be supported until October 2025 (5). With luck, you won’t lose anything, but if you do, you’ve got your backup in reserve anyway!
Now, reinstall your applications and you should be ready to go. Almost there, but make sure the applications get updated as well, because they can also carry vulnerabilities. If you are a business, consider the benefits of spending a little more and getting assessed for a Cyber Essentials badge to reward your efforts (6).
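The three checks in the advice above (is the machine still on XP, is automatic updating switched on, has a particular update landed) can be scripted so an IT department can run them across its estate rather than trusting that it was done. This is an added example, not code from the original post; it assumes it is run as Administrator on Windows 7 or later with PowerShell 3.0 or newer, and the KB identifier is a placeholder you substitute for the update you want to verify.

```powershell
# Added example: audit one machine against the advice in this post.
# Assumes Windows 7+ with PowerShell 3.0+, run as Administrator.
param(
    # Placeholder: replace with the KB number of the update you are checking for.
    [string]$RequiredKB = 'KBxxxxxxx'
)

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# Windows XP reports kernel version 5.1 (5.2 for XP x64); Windows 7 is 6.1.
# Anything below 6.1 is an unsupported, pre-Windows 7 system.
$preWindows7 = $ver -lt [version]'6.1'

# Automatic Updates is configured in the registry. A Group Policy setting
# (the Policies hive) overrides the local per-machine setting, so read it first.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
              -ErrorAction SilentlyContinue
$local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' `
              -ErrorAction SilentlyContinue

if ($policy -and $policy.NoAutoUpdate -eq 1) {
    $auState = 'DISABLED by policy'
} elseif ($policy -and $policy.AUOptions) {
    # AUOptions 4 = download and install automatically; 2 and 3 still need a person to act.
    $auState = "policy AUOptions=$($policy.AUOptions)"
} elseif ($local -and $local.AUOptions) {
    $auState = "local AUOptions=$($local.AUOptions)"
} else {
    $auState = 'unknown (no AU configuration found)'
}

# Get-HotFix lists installed updates by KB number; absence means the patch is not on.
$kbInstalled = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)

# One object per machine, so results can be collected and sorted across the estate.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Windows          = "$($os.Caption) ($($os.Version))"
    PreWindows7      = $preWindows7
    AutomaticUpdates = $auState
    UpdateInstalled  = "$RequiredKB : $kbInstalled"
}
```

A machine that reports PreWindows7 = True, an AutomaticUpdates value other than policy or local AUOptions=4, or UpdateInstalled = False is one that needs attention before it goes anywhere near the Internet.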
(1) Microsoft, 2017, “Ransom: Win32/WannaCrypt”, [online at https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt ]
(2) The Verge, 2017, “Microsoft has already patched the NSA’s leaked Windows hacks”, [online at https://www.theverge.com/2017/4/15/15311846/microsoft-windows-shadow-brokers-nsa-hacks-patched ]
(3) Microsoft, 2017, “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack”, [online at
(4) Guardian, 2015, “UK Government PCs open to hackers as paid Windows XP support ends”, May 26th 2015 edition, [online at https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends ]
(5) Computerworld, 2015, “All Editions of Windows 10 will get 10 years of updates support”, July 17th 2015 edition, [online at http://www.computerworld.com/article/2949230/microsoft-windows/all-editions-of-windows-10-get-10-years-of-updates-support.html ]
(6) HM Government, 2016, “Protect your business against cyber threats” [online at https://www.cyberaware.gov.uk/cyberessentials/ ]