With reports suggesting that Microsoft source code relating to Windows XP has been shared online, Digital Health’s cyber security columnist, Davey Winder, looks into whether old operating systems are putting the NHS at risk
CREDIT: This is an edited version of an article that originally appeared on Digital Health
The news that Microsoft source code relating to Windows XP had apparently been leaked to a number of file-sharing sites online may well have passed you by; after all, who uses Windows XP these days, and what difference does it make if the source code is out there? Although it has yet to be confirmed by Microsoft, which is investigating, if this is the actual source code to Windows XP Service Pack 1, there are potential security risks.
It would appear that the source code leak is actually a combination of various files, which would impact Windows Server 2003 and even Windows CE and MS-DOS; most of these files have been floating around the dark web for some time, but this marks the first public distribution.
Windows XP itself was released way back in October 2001, with the final release in 2008. It reached end-of-life status on April 8 2014 when general support, including security updates, ceased. A security patch was later released by Microsoft, in May 2017, in response to the WannaCry ransomware attack that hit the NHS so hard.
The general availability of source code to an operating system will make the life of those wishing to exploit vulnerabilities much easier – and it does highlight the risk posed by older Windows systems such as Windows 7, for example. The NHS has been migrating devices, where possible, from both XP and Windows 7 to Windows 10 for some months now; however, in some cases, such migration does attract compatibility challenges. There are also financial considerations when talking about replacing machines where software cannot be updated.
“Legacy systems running out-of-date operating systems continue to be a huge problem for the NHS,” Bharat Mistry, principal security strategist at Trend Micro, told me. “In some cases, these systems are used for critical processing of data and, because of the risk of significant disruption, these systems never get updated.”
Stopping determined hackers
Ray Walsh, a digital privacy expert at ProPrivacy, is not convinced that the small market share of XP will stop determined attackers from exploiting any new vulnerabilities found lurking within this leaked code. “The realisation that sensitive targets like hospitals and the military still employ these outdated systems poses a real danger that cybercriminal groups and government-sponsored hackers could, potentially, seek to make use of the source code to launch a cyber-attack,” he says.
Don’t become a victim
For Boris Cipot, a senior security engineer at Synopsys, those who use outdated software are putting themselves at higher risk of attack. “If you’re using outdated software, you’re running the risk of becoming a victim,” he said. The alleged leak of the Windows XP source code poses a great risk to users by “opening new doors for vulnerabilities to surface”, he adds. The most appropriate action, he advises, “is to replace outdated systems with those that are maintained securely.”
How doable this is, at least in the short term, for healthcare in the UK remains to be seen. It is, however, a conversation that security teams need to be having, and one that will be made more of a priority, in my never humble opinion. As Doug Tognarelli, senior cybersecurity consultant at SureCloud, pointed out in conversation, this could impact more than just XP itself. “Source code is often redeveloped and reused in later editions,” he says. “Any new vulnerabilities discovered in Windows XP have the potential to also be reflected in newer versions of Windows which may pose a higher risk.
“Outdated and unsupported software installations are upgraded, replaced, or removed to ensure that systems remain secure,” Doug warns. The NHS needs to be watching very carefully as this story unfolds,