As the final Patch Tuesday nears, there is a critical vulnerability in Word 2003 SP1,
which is currently being exploited.
Look at the wrong RTF file, and you are pwned. This applies even if
you are just using Word as a viewer in Outlook. It was important
enough that Microsoft went outside their normal patch cycle. They
don't like doing this, so although they couched it in terms of
Microsoft Word 2010, stating that, “... we are aware of limited,
targeted attacks directed at Microsoft Word 2010.” I rather
suspect the problem is either more widespread than this, or that
sensitive targets have been exploited.
Another critical issue is a flaw in
IE6. I have no information on this one, and I am too busy to dig
around. Possibly it is not yet being exploited in the wild, though it
would be madness to count on that.
My, My, How the World Has Not Changed.
Ample industry stories point out the vast numbers of systems still
running Windows XP. From enterprise code running behind corporate
firewalls, to small businesses that simply cannot afford to upgrade,
to home users who are not even aware that there might be a problem
running a 13-year-old OS, there is a lot of WinXP out there. We still
do not do security updates particularly well.
Thirteen years ago I was at a Fortune
500 company, writing hardening scripts for HP-UX 11i (and probably
preparing for an audit by HP Professional Services), and more scripts
for Symark PowerBroker, doing quite a bit of Linux, and advocating
that the new Intranet (remember that term?) should not be rolled out
as an IE6-only service. In today's world, HP-UX is still somehow
hanging on (albeit by a thread), Linux has advanced to the point that
even Microsoft has to accept it, and organizations that deployed
those old Internet Explorer 6 apps are now facing the downside of
that decision.
In the final analysis, there is almost
no metric that shows any overall improvement in the security
landscape. Quite the reverse, actually. That doesn't mean that it is
impossible. It does mean that some triage is necessary, and how you
approach the problem matters as much as ever. Enterprises with great
security needs might invest in mechanisms supporting better
decision-making related to security trade-offs, but they will also be
subject to a broad spectrum of employees, including those hapless
home users still on WinXP, and unaware that there is a problem. Some
small business owners may simply re-partition a small network,
install a firewall and/or proxy server, and quite successfully get on
with things.
So, no. The world has not changed.
While there will be an uptick in the threat level, we simply need to
make more thoughtful decisions, and do some of the things that we
already know how to do, but haven't. To the extent that we get better
at doing that, any uptick in the threat level brought about by the
WinXP EOL might be considered a Good Thing. It was known well in
advance, and could be planned for; this was no Black Swan.
I Am Not Claiming This Will Have No Impact
It will. On a personal note, I was
planning to work this weekend (when it will be rainy) with the hope
of taking Monday and Tuesday off, when we might get our first
70-degree days of spring. This is Oregon; cold rainy springs are
common. I have a certain amount of flexibility, and would be a fool
to not attempt to make that trade. I would be a greater fool to
expect success. So, I won't be going far, and will have my phone in
my pocket.
Update 4/8/2014
In this case it ended well. It wasn't very difficult to prove a false positive, and there was a systems admin who knew pretty much everything about how a complicated system was put together.
You know that old saying, "There's one in every crowd"? It's always a negative thing, but it shouldn't be. Sometimes that one person is worth their weight in gold, particularly when things go all pear-shaped. If you are not making a solid effort to identify and retain that person, You Are Doing It Wrong.