Back in April I published a post about the end of support for Windows XP called The Countdown Begins: Support for Windows XP Ends on April 8, 2014. Since then, many of the customers I have talked to have moved, or are in the process of moving, their organizations from Windows XP to modern operating systems like Windows 7 or Windows 8.
There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft. Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.
What is the risk of continuing to run Windows XP after its end of support date? One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case. Read more.
Today we released a new version of our Enhanced Mitigation Experience Toolkit (EMET 4.0). EMET is a free mitigation tool designed to help IT Professionals and developers prevent vulnerabilities in software from being successfully exploited. The tool works by protecting applications via the latest security mitigation technologies built into Windows, even in cases where the developer of the application didn’t opt to do this themselves. By doing so, it enables a wide variety of software to be made significantly more resistant to exploitation – even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied.
EMET has been a very popular tool among customers trying to manage risk associated with insecure applications they have in their environments. Over the past year we have seen some attackers evolve their tactics in ways that we believe can be mitigated with a tool like EMET. We have also received feedback from a number of customers on how we could make EMET better fit their needs. This information has been invaluable in enhancing the latest version of the tool. EMET 4.0, released today, incorporates a number of new enhancements including protection against Man in the Middle attacks leveraging the Public Key Infrastructure (PKI), and hardening of Return-Oriented Programming (ROP) mitigations. This version also addresses some known compatibility issues and is designed to work with some of our latest technologies such as Internet Explorer 10 and Windows 8. Read more