New research from Duo found tens of thousands of devices using Windows XP with Internet Explorer 7 and 8, a hurricane of insecurity boasting hundreds of critical vulnerabilities in software that hasn’t been officially supported for nearly three years. The problems are not hypothetical: Hackers who attacked Target in 2013 to steal millions of credit cards are reported to have used a Windows XP exploit to first gain entry.
Out-of-date software used by the U.S. government has increasingly been a point of political controversy, especially since the Office of Personnel Management suffered a massive and high-profile hack that was finally revealed in 2015. Sensitive data for over 21 million individuals was stolen by the attacker, widely assumed to be the Chinese government, including vast amounts of security clearance background information.
Other agencies are increasingly under the magnifying glass as cybersecurity rises to a ubiquitous focus across government. Citing the use of old and insecure software in agencies like the Department of Education and NASA, Rep. Jason Chaffetz (R-Utah) believes more and even worse breaches are inevitable.
“I think it’s already happened,” Chaffetz warned earlier this year. “I have no proof of it but I’ve been ringing this bell for a long time.”
The Department of Defense has in recent years paid millions of dollars for extended support on Windows XP. The Pentagon updated many of its Windows XP devices to Windows 2003 within the last six months, according to Chaffetz. The DOD, Army, and Navy have been running “Windows XP eradication efforts” over the last year.
“It takes just one out-of-date device to compromise your entire organization—attackers will target devices with exploitable, older versions of software in order to steal your data,” Duo researcher Tuo Pham wrote.
Most Windows XP users are stuck on Internet Explorer, according to Duo. Twenty percent of Internet Explorer users are running unsupported versions (8, 9, 10) that are incapable of receiving security patches. Just 3 percent are using Edge, the latest Windows browser. That leaves 80 percent with Internet Explorer 11.
But Windows XP users can’t even upgrade to a supported and secure version of a Microsoft browser, leaving millions unprotected while browsing the web. Better options would be alternative browsers like Mozilla Firefox, Google Chrome or Opera.
Windows XP’s versions of Internet Explorer use insecure add-ons that aren’t even supported in most modern browsers. Sixty-two percent of devices running Internet Explorer have an out-of-date version of Adobe Flash installed. Ninety-eight percent of the devices analyzed by Duo that use Internet Explorer also have Java installed.
Most Windows devices are running older software, including 65 percent on Windows 7, a version that will receive security updates through 2020. The Duo researchers argue that Windows 10—to which 24 percent of Windows users have upgraded—is a significantly more secure operating system than its popular predecessor.
“That leaves the majority of users on Microsoft operating systems and browsers open to vulnerabilities and a potential malware infection, which can be passed onto your environment if they log into your applications with risky devices,” Pham explained.