China set for Windows XP meltdown in 2014

This week news emerged that Beijing officials have been leaning on Microsoft to try and get it to extend support for Windows XP, due to run out in April 2014. I covered it here for The Register.

Now the arguments apparently made by Yan Xiaohong, deputy director of the National Copyright Administration, seem to be two-fold. First, he warned of a potentially huge security risk if Redmond stops releasing patches, with the archaic OS still accounting for over 50 per cent of Windows licenses in the Middle Kingdom.

Secondly, he seems to be saying the government has done its bit and led by example in ditching its pirated software for genuine licenses, so the least Microsoft can do now is support the still-popular OS. Oh yes, and Windows 8 is too expensive to upgrade to.

The second is a typically arrogant argument from a Beijing official. Microsoft has been trailing this switch off for years now so it should have had time to plan an upgrade path, or at least factor it into government plans to “go legit” with  its stock of software.

However the security issue is more valid and in reality could affect consumers and IT security bosses all over the world. According to Akamai, China was just pipped to first place in Q2 2013 in terms of biggest source of attack traffic by a late surge from Indonesia. It has a sizeable 33 per cent share while Indonesia’s stands at 38 per cent.

Not only will this percentage jump significantly higher post-April but if XP levels stay as high as they have been, we can expect a large number of new infected machines appearing in China in 2014. Why should you care? Because these machines will be remotely controlled by cyber criminals to do their bidding. A DDoS campaign or targeted attack against your organisation perhaps, or an information stealing Trojan designed to lift credit card credentials from customers.   

SC Leung, senior consultant at Hong Kong CERT, told me there’s no doubt that the OS will come under greater attack post April.

“If Microsoft ceases to support WinXP, that means service patches, hot fixes and support is no longer provided,” he warned. “If Win7 or Win8 vulnerabilities are shared by WinXP, hackers may reverse engineer the patch for Win7 and Win8 to find out the vulnerability they can use to exploit WinXP.

Attackers may even craft fake patches containing malware to trick users and infect their machines, Leung claimed.

There also exists a longer term problem for WinXP Professional for Embedded Systems, which will run out of support on December 31 2016.

“They are typically used in POS terminals and ticketing systems,” he explained.

“Hardware vendors providing devices using this embedded version of WinXP has to develop plan for upgrade. Changing development platform takes time. They should plan now.”

Unfortunately for many Chinese users and businesses time is not something they have.

“From an information security point of view, we advise users to use a more secure OS, by either upgrading to newer versions of Windows or use other OS that has continuous support,” Leung counselled.

Let’s hope that at least governments and businesses can stump up the extra cash to upgrade to a newer version before the deadline.

The last thing the global info-security industry needs is for infection rates of epidemic proportions to sweep the Middle Kingdom next year.