You’ve probably heard this before. I hope you’ve heard this before.
Microsoft has announced that on April 8, 2014, just 32 days from the writing of this post, support for Windows XP will cease (Microsoft Office 2003 will also be end-of-lifed on this date). This means that there will be no more security updates for the 12-year-old operating system, nor will there be any technical support available.
XP has been a very successful piece of software for MS, particularly because of its relative stability. Unfortunately, because of that stability and success, a very large percentage of businesses (particularly in regulated industries such as healthcare and banking) have not migrated to one of the newer Windows operating systems. Quite frankly, Vista scared a lot of folks off of doing so a few years back.
Those businesses, again, particularly the regulated ones, are in a tough spot right now. As soon as that support ends, those machines still running XP are immediately out of compliance with PCI DSS, HIPAA, and FISMA (probably more). Updating every ATM in your bank’s network, or every MRI in your radiology practice, for example, is a costly and time-intensive operation. And that’s only after validating that the applications running on them will continue to function properly on Win7 or Win8.
Estimates are that nearly 95% of ATMs in the US are running on XP. I personally am a bit leery of putting my card into one of those anyway, but once there are no more security patches being applied to the OS…well, that’s unnerving to say the least. ATM skimmers are bad enough, but it’s a relatively high-risk/low-reward operation compared to being able to hack the actual machine.
The major manufacturers of ATMs are working with the payment card industry to get waivers or extensions as they work around this issue. It will be interesting to see how successful this is, as this wasn’t a spur of the moment announcement by Microsoft, but something that they’ve actually postponed more than once over the past several years.
One workaround that the medical equipment industry has been employing for some time now (a lot of those devices still run Windows NT and Apache 1.0) is putting a hardware appliance in front of the device to help mitigate potential vulnerabilities. This may be an approach for ATMs as well. With the average cost to upgrade each ATM approaching $3000, following healthcare’s example by going with a small investment in a stopgap looks to be the answer in the interim.