Are old operating systems putting the NHS at risk in 2020?

With reports suggesting that Microsoft source code relating to Windows XP has been shared online, our cyber security columnist, Davey Winder looks into whether old operating systems are putting the NHS at risk in 2020.

The news that Microsoft source code relating to Windows XP had apparently been leaked to a number of file-sharing sites online may well have passed you by. After all, who uses Windows XP these days and what difference does it make if the source code is out there?

Although it has yet to be confirmed by Microsoft, which is investigating, if this is the actual source code to Windows XP Service Pack 1, there are potential security risks.

It would appear that the source code leak is actually a combination of various files, which would impact Windows Server 2003 and even Windows CE and MS-DOS. Most of these files had been floating around the dark web for some time, but this marks the first public distribution.

Windows XP itself was released way back in October 2001, with the final release in 2008. It reached end of life status on April 8, 2014, when general support, including security updates ceased. A security patch was later released by Microsoft in May 2017, in response to the WannaCry ransomware attack that hit the NHS so hard.

Exploiting vulnerabilities

The general availability of source code to an operating system will make the life of those wishing to exploit vulnerabilities much easier and it does highlight the risk posed by older Windows systems such as Windows 7 for example.

The NHS has been migrating devices, where possible, from both XP and Windows 7 to Windows 10 for some months now. However in some cases, such migration does attract compatibility challenges. There is also financial considerations when talking about replacing machines where software cannot be updated.

“Legacy systems running out of date operating systems continue to be a huge problem for the NHS,” Bharat Mistry, principal security strategist at Trend Micro, told me.

“In some cases, these systems are used for critical processing of data and, because of the risk of significant disruption, these systems never get updated,” he added.

Stopping determined hackers

For Ray Walsh, a digital privacy expert at ProPrivacy, he is not convinced that the small market share of XP will stop determined attackers from exploiting any new vulnerabilities if they are found lurking within this leaked code.

“With the realisation that sensitive targets like hospitals and the military still employ these outdated systems, there is a real danger that cybercriminal groups and government-sponsored hackers could potentially seek to make use of the source code to launch a cyber-attack,” he adds.

Don’t become a victim

For Boris Cipot, a senior security engineer at Synopsys, those who use outdated software are putting themselves at higher risk of attack.

“At the end of the day if you’re using outdated software, you’re running the risk of becoming a victim,” he said.

The alleged leak of the Windows XP source code poses a great risk to users by “opening new doors for vulnerabilities to surface”, Cipot adds.

The most appropriate action, he advises, “is to replace outdated systems to those that are maintained securely.”

How doable this is, at least in the short term, for healthcare in the UK remains to be seen. It is, however, a conversation that security teams need to be having and will be made more of a priority, in my never humble opinion.

As Doug Tognarelli, senior cybersecurity consultant at SureCloud, pointed out in conversation, this could impact more than just XP itself.

“Source code is often redeveloped and reused in later editions,” Tognarelli says.

“Any new vulnerabilities discovered in Windows XP have the potential to also be reflected in newer versions of Windows which may pose a higher risk.”

Therefore the NHS needs to be watching carefully as this story unfolds and, according to Tognarelli, “outdated and unsupported software installations are upgraded, replaced, or removed to ensure that systems remain secure”.