End Game For Windows XP

By James Stork
Senior Vice President, Drake Software 

While you’ve raced to the end of the 2014 tax season, your computer systems have reached another critical deadline:  the end of all support from Microsoft for its 13-year-old operating system, Windows XP.  As of April 8, there are no more upgrades, no more security patches and no more efforts to help keep your computers and client data secure. 

How serious is this if you are still running Windows XP?  Here is a quick assessment of the threat: 

• It is what Microsoft calls, “Zero Day Itself.”  Tim Rains, director of Trustworthy Computing for Microsoft, sums it up: “The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities.” He wrote in Microsoft’s Security Blog: “If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero-day’ vulnerability forever.” 

• Nearly 30 percent of the computers connected to the Internet are running WinXP, according to PC Magazine.  Regardless of what you do now, there is a chance that your machines will be infected simply because of the number of unprotected machines worldwide. 

• CERT, the Computer Emergency Response Team of the US Department of Homeland Security, has begun to issue notices warning users not to use Windows XP and the Internet Explorer browser on the same machine, as patches for Internet Explorer are generally issued with updates to Win XP that will no longer be distributed. 

• The crazies have been waiting for this date.  Hackers have been keeping quiet behind major holes in the operating system.  The day support is stopped will be the day the system is taken offline and the attacks will begin.  The respected Tom’s Hardware site reports that WinXP machines could be attacked within 10 minutes of the deadline at which support ceases. 

• Microsoft began (on March 8 of this year) running pop-up windows to users of its WinXP operating system.  Users who utilize the automatic Windows Update system to keep their systems current will get the notices, but you may have turned that off years ago and be blissfully unaware of the warnings.  

• It’s not just business computers at risk.  CNN Money reports that, “Major Banks are now cutting special deals with Microsoft to extend life support for their Windows XP machines while they replace their fleet of ATMs. JPMorgan bought a one-year extension of service and plans to start upgrading ATMs to Windows 7 at Chase banks in July. Citibank and Wells Fargo said they're also upgrading ATMs, but they wouldn't provide details about their plans.

But April 8 is looming, and you do not have time to deal with hardware and operating system upgrades in the final week of tax season.  The question becomes, how best to protect your firm and its customers until you do have time to deal with it.

Here are our best tips:

• Check to see if you are running Windows XP:
  • Click the Start button.
  • Click Run.  Type Winver, and then press Enter.
  • It will identify if your computer is running WinXP.
  • Don’t panic.  The threat is real, but that does not mean that you are automatically going to end up with compromised computers.  You will have to deal with the problem at some point, but trying to throw a last-minute upgrade into your machines may do more damage than an external threat, particularly if your hardware is as old as your operating system.
  • Consider using a different web browser.
    • Internet Explorer 8, the most recent version available for Windows XP, is already several generations old and will no longer receive security patches.
    • Google Chrome will continue supporting Windows XP until at least April 2015, while Mozilla Firefox has no announced plans to stop supporting Windows XP.
• Back up your data before April 8.  This way, you will have a clean data set from which to restore if you do hit a problem.  Each daily backup from then to the end of April should be done as a new and clean backup, not an incremental backup, if your system permits.  This way, each day sets a new data restore set.
• Disconnect from the Internet.  Where possible, disconnect any computers running Windows XP from the Internet.  If it is not connected to the Internet, the odds of a computer becoming infected are slim to none.  If you have computers running a more current operating system, use them for Internet access and communications.
• Run a complete virus scan to insure you are not infected.  Microsoft has such a tool here.
• Update your Windows XP system before April 8. Note that this is the security update system, not the place to upgrade to a new operating system.
  • Click the Start button .
  • Click All Programs.
  • Click Windows Update.
  • Upgrade your computers as soon as practical after tax season.  See the Windows upgrade site for further information.

Be aware that once tax season is over, you may be compelled to update your computer systems in order to ensure the security of your client data – you are in fact required to keep your customer’s non-public personal information secure according to the Safeguards Rule which was implemented by the Federal Trade Commission as part of the Gramm-Leach-Bliley Act.

Be aware as well that you may have to upgrade other parts of the computer system– printers, scanners and other devices that worked under Windows XP may not have drivers available for more current operating systems.  But that is an issue for after tax season, and we will post a detailed plan for upgrading once the season is over.