Windows XP source code leak: Tips for businesses

If your company uses devices running Windows XP, this source code leak is yet another reason get them protected.

In late September, news broke that the source code for Windows XP had leaked online. A torrent file for downloading the operating system code was published on an anonymous forum, and it spread webwide quickly. Although Web analytics service StatCounter estimates that fewer than 1% of all computers actually run Windows XP, that still represents millions of devices globally.

Why a Windows XP source code leak is bad news

Microsoft discontinued support for Windows XP way back in 2014, so anyone still using it in 2020 is taking a big risk; Microsoft will never patch the new vulnerabilities that continue to pop up. The company makes one exception: critical bugs that can lead to global incidents. For example, the company determined that the CVE-2017-0144 (exploited by WannaCry) and CVE-2019-0708 vulnerabilities posed such a threat. Less high-profile vulnerabilities can also have very nasty consequences, however.

Leaked source code aggravates the situation by giving potential attackers the opportunity to study the operating system in depth, which likely means more exploitation attempts in the near future. Security experts are not at all certain to keep on top of all of the vulnerabilities cybercriminals discover.

What’s more, the vast majority of modern security solutions run only under current operating systems. That’s largely because the difference between Windows 10 and Windows XP, as well as among the technical specifications of the devices on which they run, is too great for one solution to effectively protect both operating systems.

We are also ending support for the outdated versions of our main solution that can still be used to protect Windows XP, which means companies that can’t or won’t upgrade their operating systems will have to look for alternative means of protection.

Security solution for legacy systems

A source code leak is a sound reason to review all corporate systems and, where possible, upgrade devices from Windows XP to at least Windows 7. However, not all companies can get rid of an outdated operating system just like that. Some require it for compatibility with critical hardware or software; others might simply lack the cash to upgrade everything that needs it.

Fortunately, we have a solution for keeping legacy systems secure: Kaspersky Embedded Systems Security. We initially created it to protect devices, such as ATMs and POS terminals, running Windows Embedded operating systems (including ones based on Windows XP), but the solution protects ordinary computers running XP equally well. As with our flagship technologies for businesses, you can manage Kaspersky Embedded Systems Security centrally from Kaspersky Security Center.

Tips for securing Windows XP devices

If your company’s computer fleet still harbors machines running Windows XP, don’t opt for just any antivirus solution; you need an integrated security approach.

  • Use the latest versions of software that are compatible with the operating system. For example, Chrome has not supported Windows XP since 2016, or Firefox since 2018. All else being equal, the latter is the better choice;
  • Remove all unnecessary programs — or, better, use Application Control technology to cull the list of processes allowed to run on outdated computers. The set of tasks handled by such devices is usually small, and having an “allow” list of runnable programs greatly complicates matters for cybercriminals;
  • Disconnect old devices from the Internet where possible. Where access is critical, use the most modern of the available browsers;
  • Use a Web gateway to filter external traffic and block unwanted requests from the outside. For that, look no further than Kaspersky Security for Internet Gateways.