Deciding to upgrade an old, out-of-support operating system to a more recent one that’s just snuck out of mainstream support might seem like madness to some IT professionals, but Melbourne Health clearly has a different view.
Last week, Royal Melbourne Hospital's pathology department was infected by a new variant of the infamous Qbot malware, which is more often associated with attacks on banking systems where it steals passwords and captures users’ keystrokes.
What’s interesting about this incident is not so much the presence of the new Qbot variant, but that the infection vector was a newly-discovered zero-day exploit in Windows XP.
Yes, Melbourne Health was still relying on a substantial fleet of Windows XP workstations for critical hospital functions, such as pathology, with the attack leaving staff manually processing blood, urine and tissue samples.
Melbourne Health's IT guys were forced to fast-track their in-flight Windows 7 upgrade program to flush Qbot out of their environment, since the infection was rendering all inflicted Windows XP machines unusable.
The health network decided to jump to Windows 7 rather than something newer to soften the impact of cultural change, and also to ensure critical medical software remained licensed.
Interestingly, Windows 7 shifted out of mainstream support on 13 January 2015, and, to make life harder, Microsoft has deprecated every version of Internet Explorer prior to IE11.
Unless Melbourne Health has managed to upgrade all of the legacy application software that relies on old browser versions, they’ll still be sitting on a vulnerable and potentially unpatched platform.
According to NetMarketShare, Windows XP commands just under 11 percent of the operating systems installed on PCs.
That’s an amazing number of completely unprotected, unpatched and vulnerable machines, each one potentially exposed to any number of zero-day vulnerabilities that will never be addressed by Microsoft.
Whether the anti-virus vendors will bother to help out remains to be seen, but systemic, underlying code issues in the operating system will always be a problem when no one is patching them, and will only get worse with time.
Just as interesting, IE11 has made it onto a quarter of all PCs. However, 20 percent of computers are running old browsers that are no longer patched or supported by Microsoft, so that’s a massive number of vulnerable computers.
Upgrading Windows XP to Windows 7 doesn’t solve the problem if you can’t upgrade your browser, and looking at these statistics, this is a massive exposure.
What can you do?
Security is a big concern when operating systems and applications reach end of support. On the day a vendor stops providing updates, the malware developers ramp up production.
If you run an IT department, you really have to start planning months if not years in advance for an upgrade.
For various reasons, this has traditionally been difficult, due to the excessive costs associated with upgrading legacy applications to work in modern ICT environments, so the years slip by and what happened at Melbourne Health will happen again and again.
However, today’s reality has shifted. There are far less excuses now that cloud providers offer myriad options to migrate you to desktop-as-a-service offerings, where they provide the base desktop service and are contracted to keep it up to date.
The service provider owns the risk if there are issues with legacy applications and must offer some modern virtualisation capability to ensure your business keeps it lights on.
If you want to get away from the gripe-cycle of install, run, panic, upgrade, run, etc, then as-a-service cloud offerings are now mature enough to offer real, palatable options, especially now that the price is right.