{"id":5616,"date":"2016-05-27T14:12:11","date_gmt":"2016-05-27T14:12:11","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5616"},"modified":"2020-12-17T12:25:04","modified_gmt":"2020-12-17T17:25:04","slug":"embedded-security","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/embedded-security\/5616\/","title":{"rendered":"Embedded software goes out of support: How to stay safe"},"content":{"rendered":"<p>Almost two years have passed since Microsoft called it quits on Windows XP support \u2013 a change long since announced and long expected, but it was still uncomfortable for many businesses and governmental entities. Although the history of Microsoft Windows XP seemed to end in April 2014, the operating system was not completely gone; many embedded devices still ran Windows XP Embedded Service Pack 3, and as such they were dependent on its security updates.<\/p>\n<p>However, on January 12, 2016, Microsoft ceased supporting Windows XP Embedded Service Pack 3 as well. This is likely to have far-reaching consequences for many businesses.<\/p>\n<p><strong>Why did Microsoft drop the support?<\/strong><\/p>\n<p>Microsoft had obvious commercial reasons as well as security-related ones. Windows XP, in all of its versions, outlived its intended life cycle. Later versions of Windows have many technical advantages. And so on. Product life cycle is the primary concern here.<\/p>\n<p>Discontinuation of support is a nominal, normal process, but with it may come some technical obstacles that make it difficult to get prepared for the end-of-support date on time. For example, hardware may keep working for much longer than the operating system\u2019s planned life cycle, and replacing the software may be economically unfeasible. So businesses either find workarounds or keep using what they have been using past the expiration date.<\/p>\n<p><strong>Obsolete software isn\u2019t going away, though it should<\/strong><\/p>\n<p>Obsolete software is a very common problem, and it\u2019s not about consumer OS alone. It is widely known that some still-functioning satellites are running on decades-old hardware and software. There is a serious issue with supervisory control and data acquisition systems \u00a0(SCADA) too: They use very old operating systems, and the renewal cycle is very long. The same is true for the banking systems \u2013 and not just ATMs. Internal automated banking systems may not be updated for years. As for ATMs, 80% of smaller banks most often prefer to wait for their end of cycle (cycles may be 5\u20138 years, or longer), and then purchase newer machines with fresh software installed.<\/p>\n<p>Obsolete Windows XP installations aren\u2019t the most egregious example, either. Some really critical systems may run on software that is much older. For example, last November, Paris airport Orly <a href=\"http:\/\/arstechnica.com\/information-technology\/2015\/11\/failed-windows-3-1-system-blamed-for-taking-out-paris-airport\/\" target=\"_blank\" rel=\"noopener nofollow\">stopped<\/a> all flights because its air traffic control system crashed. The system couldn\u2019t be fixed immediately because it was running on Windows 3.11: Yes, the 16-bit operating system released on December 31st, 1993.\u00a0 Orly administration plans to update the software by 2017.<\/p>\n<p>As you might guess, Windows 3.11 is most likely thick with bugs that hackers could have exploited \u2013 and that will never get fixed. Fortunately, that wasn\u2019t the case with Orly, but attackers could easily hit on those vulnerabilities, and they wouldn\u2019t need any sophisticated malware or zero-day exploits \u2013 many or most of those bugs have long been public.<\/p>\n<p><strong>The case of Windows XP<\/strong><\/p>\n<p>Windows XP\u2019s end of support affected a great many businesses and government entities, including banks. <strong>Windows XP Professional for Embedded Systems<\/strong><strong>\u00a0<\/strong>\u2013 the very system that fell out of support in April 2014, along with consumer versions of XP \u2013 ran on most ATMs worldwide.<\/p>\n<p>Many organizations weren\u2019t happy about losing that support. Some of the world\u2019s largest entities chose to pay formidable sums to Microsoft for extended support. The <a href=\"http:\/\/www.windowscentral.com\/us-navy-paying-microsoft-91-million-continued-windows-xp-support\" target=\"_blank\" rel=\"noopener nofollow\">US Navy paid $9.1 million for continued Windows XP support<\/a> (along with Office, and Exchange 2003), the <a href=\"http:\/\/www.telegraph.co.uk\/technology\/microsoft\/10741243\/Government-pays-Microsoft-5.5m-to-extend-Windows-XP-support.html\" target=\"_blank\" rel=\"noopener nofollow\">UK Crown Commercial Service (CCS) paid for extension of XP support<\/a>, as did Bank of America, <a href=\"http:\/\/www.digitaltrends.com\/computing\/uk-banks-buying-extended-windows-xp-support-microsoft-atms\/\" target=\"_blank\" rel=\"noopener nofollow\">JP Morgan<\/a>, and <a href=\"http:\/\/www.reuters.com\/article\/us-banks-atms-idUSBREA2D13D20140314\" target=\"_blank\" rel=\"noopener nofollow\">several other banks<\/a>. For them, patches keep arriving \u2013 or, they did until quite recently.<\/p>\n<p><strong>The reasoning behind not updating<\/strong><\/p>\n<p>For large organizations, replacing hardware and software is a long, expensive, and painful process. And organizations are reluctant to drop their still-functional tools \u2013 custom software and hardware systems \u2013 even ones that are long obsolete. As well, replacing software often means replacing the hardware: Compare the system requirements of Windows XP and Windows 10, for example. The latter wouldn\u2019t work on those old Windows XP desktops; it would crawl at best and quite likely wouldn\u2019t start at all.<\/p>\n<p>As certain software drops out of support, organizations have a tough choice. They can either keep using the old software without any support, taking a huge risk and never knowing when criminals might exploit a newfound and never-to-be-fixed vulnerability \u2013 or pay Microsoft (or another vendor) a lot of money for the continued support, which not everyone can afford. They could also choose to migrate, which is extremely expensive done all at once. There\u2019s another way, too.<\/p>\n<p><strong>Allowlists<\/strong><\/p>\n<p>Organizations still using obsolete software and hardware may use third-party security tools, adding a special protective layer against all kinds of vulnerabilities. Simply put, these technologies, generally known as \u201cDynamic Allowlists,\u201d employ lists of legitimate software and prevent anything else from running in the system.<\/p>\n<p>In fact, at a certain point, allowlists become the only approach to ensure safety of the obsolete systems.<\/p>\n<p>One of the obvious advantages here is the cost. Instead of replacing everything at once, businesses can deploy such technologies for a reasonably low price, usually much less than $100 per device. And after they eventually upgrade, allowlists and \u201cdefault deny\u201d policies remain very useful as extra safety measures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although the history of Microsoft Windows XP seemed to end in April 2014, the operating system was not completely gone; many embedded devices still ran Windows XP Embedded Service Pack 3, and as such they were dependent on its security updates.<\/p>\n","protected":false},"author":2051,"featured_media":15336,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2423,97,113,635],"class_list":{"0":"post-5616","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-embedded","10":"tag-security-2","11":"tag-windows","12":"tag-xp"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/embedded-security\/5616\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/embedded-security\/3779\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/embedded-security\/5616\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/embedded-security\/5616\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/embedded\/","name":"embedded"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2051"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5616"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5616\/revisions"}],"predecessor-version":[{"id":38129,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5616\/revisions\/38129"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15336"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}