IE flaw ushers risky new era for XP use
When even the Department of Homeland Security is warning against using Internet Explorer, it's a safe bet its security flaws are serious. But for many healthcare providers -- notably those still running on Windows XP -- IE's recently-exposed vulnerabilities won't be fixed by Microsoft.
Microsoft confirmed this week that versions 6 through 11 of Internet Explorer "are susceptible to a newly discovered vulnerability, and that cyberattackers have already exploited the flaw."
[See also: CISO's biggest fear: 'what I don't know']
It pledged to release a fix for the so-called "zero day" threat. But not for computers still running on Windows XP. On April 8, after years of warning, Microsoft stopped delivering technical assistance or software updates for the nearly 13-year-old operating system.
"These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information," wrote officials at the Redmond, Wash. giant.
Windows XP was first released way back in 2001, but security experts guess that 15 to 25 percent of the world's PCs still run on the system. It's a safe bet that includes an untold number of machines at physician practices and small hospitals nationwide.
This serious security gap for Internet Explorer is just the first of many vulnerabilities that will be left unfixed from here on in for any provider using XP. One tech writer called it the "the first sign of the XPocalypse."
Sergio Galindo, general manager of the infrastructure business unit at computer security firm GFI Software, says his company has been working with many small- and medium-sized clients to help them prepare for the end of XP support.
"With 20 percent of our customers still running Windows XP, it still holds a good portion of our attention," he said.
Healthcare organizations are particularly vulnerable.
"For those healthcare providers that fall under HIPAA, having a Windows XP machine as part of your business practice may put your compliance at risk," said Galindo.
Computers running XP will continue to work, of course, "but with greater and greater risk," he said.
Still, despite the fact that this wide-open vulnerability "has been widely communicated," there still exists an "'it won't happen to me' syndrome" on the part of many XP users," said Galindo.
But now more than ever, he said, "it is highly likely that an unprotected system will be impacted by a virus, worm or malware."
In the short term, there are steps that can be taken to put up at least an adequate defense against the risks posed Internet Explorer.
David Harley, senior research fellow at IT security company ESET, suggested setting IE's Active Scripting and ActiveX to "prompt." It's "mildly irritating," he admitted, "but seems to reduce the attack surface if you actually disallow it on prompt unless you know you need it."
But "the simplest route is just to set IE security levels to 'high,' or use Enhanced Protected Mode in IE versions that support it," he added. "If you're using XP, you should probably be setting IE security level to 'high' already, as a way of generally decreasing the attack surface on an unsupported OS."
Longer term, however, the fact remains that Windows XP machines are at extremely high risk for hacking and data breaches; whatever the cost of upgrading to a newer operating system could be far eclipsed by the price of a HIPAA settlement.
For those practices still running on XP, Galindo suggests incremental steps. First, "make sure that information is archived properly," he said.
Next? Even though Microsoft's current OS is Windows 8.1, Galindo suggests a smaller leap to Windows 7.
"The problem is that Microsoft has moved on to Windows 8, which involves a different interface," he said. "Where possible, 7 is solid and is most like XP. Moving to 8 involves more training and adapting to a new interface -- this will involve some time for users to get used to it. I'm not sure that time is well spent at this point."