Use Software with Security Updates
All software products, including operating systems and software applications, have a lifecycle. Any software product can reach its end-of-support date and become outdated. End of support refers to the date when the software vendor no longer provides security updates, patches, customer support and the like. Any new vulnerability discovered in the software product after its end of support will not be addressed by new security updates. For example, the end of support for Windows XP and Office 2003 was on 8 April 2014. That means that after 8 April 2014 there are no longer any security updates, hotfixes, software patches or customer technical service assistance for Windows XP and Office 2003.
Potential Security Risks
- Due to the lack of security updates, attackers can intrude into a computer system by compromising an end-of-support software product through unpatched vulnerabilities.
- New security software may not be fully compatible with an end-of-support operating system, resulting in limited protection of the computer system.
- Encryption algorithms, the Secure Sockets Layer (SSL) protocol and other security standards supported by an end-of-support software product may be less secure or become vulnerable to cyber attacks.
- Check the end-of-support date for software products at the official website of the software vendor and prepare a viable migration plan beforehand.
- Uninstall end-of-support software products or upgrade to another software product that has security updates.
- If there is a need to use an end-of-support software product during the transition period, you should assess the security risks and adopt compensating security measures before using it.
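The three steps above can be run as a routine check over a software inventory. The following is an added example, not part of the original advisory: the inventory, the products named "ExampleDB 5" and "ExampleSuite 9", the action labels and the 180-day planning window are all assumptions; only the 8 April 2014 dates come from this page.

```python
from datetime import date, timedelta

# End-of-support dates. The two entries dated 2014-04-08 are the ones stated
# on this page; "ExampleDB 5" is a constructed placeholder product.
EOS_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Office 2003": date(2014, 4, 8),
    "ExampleDB 5": date(2014, 9, 30),
}

# Constructed sample inventory: (host, product).
INVENTORY = [
    ("srv-02", "ExampleDB 5"),
    ("pc-01", "Windows XP"),
    ("pc-03", "ExampleSuite 9"),   # no end-of-support date on record
    ("pc-01", "Office 2003"),
]

# Lower number = handle first. An unknown date cannot be assumed safe.
PRIORITY = {"REPLACE_OR_COMPENSATE": 0, "CHECK_VENDOR": 1, "PLAN_MIGRATION": 2}

def classify(product, today, lead_time=timedelta(days=180)):
    """Return the action for a product's lifecycle stage on the given day."""
    eos = EOS_DATES.get(product)
    if eos is None:
        return "CHECK_VENDOR"            # look the date up on the vendor's website
    if today > eos:
        return "REPLACE_OR_COMPENSATE"   # uninstall/upgrade, or compensate meanwhile
    if eos - today <= lead_time:
        return "PLAN_MIGRATION"          # still supported, but inside the planning window
    return "SUPPORTED"

def report(inventory, today):
    """List (host, product, action) for everything needing attention, most urgent first."""
    rows = []
    for host, product in inventory:
        action = classify(product, today)
        if action != "SUPPORTED":
            rows.append((PRIORITY[action], host, product, action))
    rows.sort()
    return [(host, product, action) for _, host, product, action in rows]

if __name__ == "__main__":
    for host, product, action in report(INVENTORY, date.today()):
        print(f"{host:8} {product:16} {action}")
```
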
Compensating Security Measures for Mitigating Risks
- Pay attention to security news and information related to the software product and respond appropriately, for example, by no longer using the product.
- Use security software which can continue to support your computer system.
- Enforce system hardening, such as disabling unnecessary software and services.
- Use a normal user account for daily work and avoid using an administrator account whenever feasible, because attackers usually run malicious code with the same access rights as the logged-in user account.
- Adopt software restriction tools to limit installation and execution to authorised applications only.
- Use supported and up-to-date web browsers and plug-ins.
- Avoid storing sensitive information or performing any sensitive operations, such as e-shopping, stock trading or e-banking, on an end-of-support computer system.
Please visit the HKCERT website for more information about the end of support for Windows XP.