To XP or Not to XP

Certain caveats apply:

1. Windows XP Embedded (Toolkit and Runtime), all versions – supported until January 30, 2017
2. Windows XP Professional for Embedded Systems – supported until December 31, 2016

Basically what is ending is support for personal and enterprise use of XP. XP appears repeatedly in security news due to exploits shared by hackers, who make use of them through metasploits as well as custom malware droppers to gain illegitimate access to computers, extend their botnets, and steal information. According to Common Vulnerabilities and Exposures (CVE) tracking, information about 726 vulnerabilities have been published since XP’s release in 2001.

These vulnerabilities vary but 3 of the 4 most consistently exploited vulnerabilities were interrelated and intended to (1) bypass security controls to (2) gain privileges for the purposes of (3) executing code – often via buffer overflows or memory corruption/injection attacks. This isn’t really a revelation though, right?  Actually this is what attackers do – whether via SQL injection, XSS scripting, or phishing/waterholing with malicious droppers.

Why not just upgrade?

There are estimates that XP still occupies 70% of global managed IT estates and 20% of home users—including this author. The reason for continued IT and home use is simple. The software or associated hardware that is relied upon for continuity of services sometimes is incompatible with later versions of Windows Operating Systems. In some cases the licenses to older software, or installable versions of software, are no longer available; in other cases the associated hardware has drivers that are not tested or certified for later versions of Windows. And believe it or not, sometimes Windows XP computers are still being used for “mission critical” utilities that will not allow a replacement or upgrade window (even if one is available). Fortunately, companies have been aggressively replacing and upgrading their corporate use computers, and home users have been steadily purchasing replacement computers with later Windows versions as new features and capabilities (including security) are released, and corresponding hardware helps the computers perform their processing tasks faster and more reliably. 

These systems (other than home users’) are most commonly found in the largest segments of global managed IT estates: retail (POS), financial services (teller stations, ATMs, and insurance terminals), and infrastructure (building, utilities, and industrial controls) systems. That is why support for “Embedded” systems has been extended to January 2017. Embedded does not refer to RTOS-style systems like RTU’s or Robots etc., rather it refers to a small-footprint (minimum 64MB) Windows XP installation on a device that boots to the Original Equipment Manufacturer’s (OEM) Application.

What does this mean for security?

The first question that we're faced with is: will attacks intent on exploiting Windows XP vulnerabilities increase? Secondly: will more vulnerabilities be discovered?

First it is important to distinguish what types of vulnerabilities exploits there are:

1. Zero days – These get a lot of sensational attention. They are commonly misrepresented though by the media, because if the media knows about them so do others. Zero days are exploits of vulnerabilities that only a few actually know about or how to exploit. There are no patches available – simply because they are unknown.
   
   
2. ½ days – These are the exploits that the media is actually talking about. These are also the exploits represented in malware – because once they are embodied in malware they have been distributed and Pandora’s Box has been opened. Of course targeted attacks may employ zero day exploits in malware that only the attackers know about – but once installed on a system they effectively make their identity known. People know about these, and there may be public metasploits developed, but there are no patches yet available.
   
   
3. Single days – These are exploits that people know about, are used by varied threat actors, and patches to remediate their risks or prevent their use are available, but the patches have not been applied… either because they cannot be, or simply have not yet been.
   
   
4. Forever days – These are exploits for vulnerabilities that simply cannot be patched; a full replacement is necessary. The vulnerabilities exist for all time to come; therefore other security controls and wrappers are needed to defend against their exploitation.

So to the question – will exploit attacks continue to increase? In the short run, probably. Windows XP, as of April 8^th, 2014 will effectively place itself into a “Forever day” category. Thus, the subordinate categories will advance—through use and publication—from Zero, to ½, to Single, and ultimately to Forever day vulnerabilities that attackers will exploit. Along the way new vulnerabilities will be discovered—and eventually published—by the attackers or by security researchers/malware analysts who examine the malware used to compromise systems through the use of the exploits. But eventually XP will find itself in a Forever day category.

What will be interesting, however, is what will happen in the meantime. Part of the reason for the increasing number of “x”day exploits is that there is very public collaboration of published exploits. Supported product vulnerabilities are publicly published by Vendors, and patches are made available – which are actually utilized by researchers (white and black hats) to discover additional vulnerabilities, or to identify the vulnerabilities with precision that allow the creation of manual or automated exploitation techniques. It is possible, and even likely, that a reduced amount of vendor-published information (from Microsoft) will reduce the accessibility of vulnerability information that many attackers depend upon. Basically when the head of the river dries up, eventually the riverbed will appear.

So what can we do to protect our XP?

Compared to more recent versions of Windows, XP has fundamental architectural weaknesses. Although it was cutting edge in 2001, and is still one of the most popular user experiences for its simplicity of user-to-administrative functionality, it is that “feature” functionality that created the weaknesses. In short, there is little practical hope of segregating the applications that support user actions and experience from services that support the underlying operating system and hardware. 

Consider a basic credential feature – LSASS (Local Security Subsystem Authority Service). This is a service that offers “local” computer credential management for “secure” interaction of users with the Operating System.  That fact that it handles credentials makes LSASS a popular service attack vector for malicious actors.

Another concern is a basic scheduling feature – AT (automated task scheduler). This is a scheduling feature for creating scheduled application or operating system management tasks. It relies upon an administrative credential for authority but when a task is scheduled, by default it will run as the fully privileged O/S account.  This is at least as popular as LSASS attacks, but much more prevalent as most malware droppers will make some use of this “Feature” to escalate user to O/S privileges and perform required administrative tasks.

Because administrative privilege is the norm in Windows XP environments—or is at most a Forever day away— “super user” (System) access can generally be gained and a hacker can do what they choose. If the computer is attached to a network, they will likely use their full control of one system to gain Active Directory credentialed access and can exploit remote computers as well.

The intended objective of an exploit is to gain a credentialed access that provides privileges to (automatically or manually/locally or remotely) execute commands that serve the interests of the attacker. As the legacy applications that require XP commonly can't run without administrative privileges, and because XP lacks the features to enable both security and compatibility—such as User Account Control (UAC), File and Registry Virtualization, and User Interface Privilege Isolation (UIPI)—there is all too often no effective user to O/S segregation—any application can provide access to manipulate the O/S.

The good news though is that there are effectively only three types of attacks that can be performed.

1. An attack that leverages a dropped file to exploit vulnerabilities with malware.
2. An attack that injects into memory to exploit vulnerabilities and open the system to access.
3. An attack that uses remote access services that already exist, with legitimate credentials.

Unfortunately #3 represents a lateral movement or an "insider threat" which which requires an organizational understanding of who is doing what with which credentials on systems wherever and when. In Cylance terms, that requires a Compromise Assessment. However, #1 and 2 can be prevented with our flagship security product – CylancePROTECT™.

CylancePROTECT relies upon our Infinity platform to recognize malicious files by their features, without needing signatures or heuristics. Through our machine learning algorithms we can almost immediately determine whether a file is good (safe) or bad (threat), and block its execution. Antivirus and Antimalware solutions offer signature detection, behavior and sandboxing analysis – but that is slow and depends all too often upon someone having seen the specific family of threat before. CylancePROTECT does not; it is fast and is able to detect—and block—bad files without ever having seen them before. It also has memory protection to detect attempted execution of malicious code in memory that use bypass, ROP and process-hopping techniques—and watches for LSASS credential steal attempts.  CylancePROTECT is smaller, faster, and more capable than other solutions.

Here is an example of a memory injection attempt to steal credentials from LSASS in Windows XP that CylancePROTECT blocked: 

…in this example LSASS invasion was blocked, so the attacker decided to inject malicious code into a process, but failed:

The longer that XP continues to be used, the more often it will need to be assessed for compromise indicators or artifacts. This is particularly important in mixed IT estates as XP will offer attackers a tempting target of known (and evolving) vulnerabilities to exploit in order to gain network access to the entire IT infrastructure. Although there are many technical mechanisms to access systems via the described exploits, fundamentally attackers only need three things to succeed:

1. Tools to access the system
2. Credentials to use the system
3. Time to do it

CylancePROTECT can almost immediately detect these malicious tools of the trade, and even the attempted theft of credentials. A CylancePRESPONSE Compromise Assessment can detect what legitimate tools were used, which credentials were used, and over what period of time activities were performed.

Upgrade from XP if you can, but if you can’t then get an umbrella. No, the sky isn’t falling but deploying CylancePROTECT on your Windows XP systems can help you avoid the downpour.

- Shane D. Shook, PhD
CKO/Global Vice President of Consulting
Cylance Inc.