Cyber defence agency warns against using WinXP, IE in unison

Combo "like removing both the belt and braces".

The US agency for cyber defence has added its weight to the rising tide of warnings about Windows XP going end of life on April 8.

It said users who are unable to stop using embedded versions of Windows XP should at least stop using Internet Explorer, and even then may have invalidated any cyber insurance that requires patch updates.

Despite the warning, the US Computer Emergency Readiness Team (US-CERT) acknowledged that some businesses - notably those that use embedded versions of XP - may have to remain with the ageing Windows operating system.

But it said if a business must use WinXP, then it should be using a more secure web browser client.

US-CERT's warning comes as a raft of organisations advise PC users to migrate to a more recent version of Windows as a matter of urgency.

According to Sarb Sembhi, an analyst and director of consulting with Incoming Thought, users of systems such as ATMs and CCTV platforms are quite likely to be using an embedded version of WinXP - with no real economic alternative open to them.

"It is going to be difficult for them to migrate away from these systems, but the good news here is that most embedded Windows XP users won't be using a browser interface, so they have nothing to fear from this announcement," he said.

Sembhi also warned, however, that businesses using any type of embedded WinXP system should check their cyber security insurance cover conditions, as most insurance of this type, he said, has a primary condition of software being fully patched and up to date.

"This could create problems after 8 April when Windows XP will no longer be patched by Microsoft," he said.

On top of this, the analyst cautioned that any organisation that is subject to security audit requirements - such as those mandated by PCI DSS - is unlikely to pass muster on its WinXP system when the operating system goes end of life next month.

"Normally I would say that, if a business conducts a regular risk analysis process in connection with its IT systems, then they should be okay to use an embedded WinXP system, but the insurance and audit issues may be a problem. And since Windows XP is so old, I doubt that many businesses are using a desktop version of the operating system at this late stage."

US-CERT has also warned against combining WinXP and MS-Office 2003 for similar security reasons.

“All software products have a life-cycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance,” the agency said in its advisory.

Analyst Bob Tarzey echoed Sarb Sembhi's note of caution, saying that all IT security has an element of 'belt and braces' in it.

"US-CERT is right to advise against staying with XP, but if there is no short term choice, the advice to consider a non-Microsoft browser makes sense," he said, adding this was especially pertinent given the fact that most web browser clients are free to use.

Copyright © SC Magazine, UK edition