The source code for Microsoft Windows XP has reportedly been leaked online, after a RAR file that first circulated back in 2007 was decrypted using a previously undiscovered password. According to Cylance’s principal software architect, Greg Linares, the leaked XP source code appears to be genuine – and it has since been made publicly available via the cloud storage and file hosting service, Mega.
Potential targets and threats
On the face of it, the dissemination of source code for an operating system that was officially deprecated in 2014 doesn’t seem that newsworthy. Indeed, it is believed that only 1% of the world’s computers actually run the defunct OS. With such slim pickings in terms of potential targets, one would presume that hackers would have better things to do with their time than to search through the now-published source code for vulnerabilities.
Unfortunately, that presumption is far too optimistic. Although Microsoft officially washed its hands of Windows XP back in 2014, some people choose to keep using the defunct operating system. In fact, the list of organizations that use XP is rather alarming, because the NHS is among those at risk.
Even before the source code for Windows XP was leaked, the use of a deprecated OS that no longer receives updates was hugely concerning. Without ongoing research to discover and fix bugs, vulnerabilities in older systems aren’t getting patched. As a result, anybody using Windows XP is exposing themselves to a massively elevated threat of cyberattacks.
With the XP source code now available to anybody who cares to show an interest, the opportunity to find exploits has suddenly become magnified. Anybody with the technical know-how could theoretically search through the source code and uncover clues to persistent bugs that were passed down to subsequent editions of Windows. After all, each version of an operating system evolves from the previous one.
Even without considering this potential threat, the source code’s availability provides ample opportunity for cybercriminals to find ways to hack into any systems that still rely on Windows XP, and there is plenty of cause for concern.
Reports published last year stated that the NHS was still actively using Windows XP on around 2300 computers. In 2017, evidence surfaced that demonstrated that some computers were running XP because it was the only operating system compatible with aging X-Ray machines, for example. Another report, published in August of this year by New Scientist, revealed that several hundred ambulances still depend on equipment that runs on Windows XP.
Compatibility issues like these are a common justification for continued reliance on computers running Windows XP. That unfortunate dependency continues despite Microsoft’s official advice to cease using it, meaning that critical caregiving systems are highly susceptible to malicious attacks.
With the source code for Windows XP now in the wild, there is an elevated risk of attacks from cybercriminal groups, lone wolf hackers, or even state-sponsored operatives who may seek to explore the code to find exploits that allow them to launch cyberattacks against vulnerable UK systems.
Under the worst circumstances, this could lead to cyberattacks like those experienced in 2017, when WannaCry ransomware locked up NHS systems, causing thousands of missed appointments, difficulties in clinical and patient systems, and a widespread inability to deal with emergencies at A&E departments. Following that attack on the UK’s health service, a National Audit Office report stated that the incident could have been prevented if the NHS had followed IT best practices, including moving its systems away from Windows XP.
Three years later, it has failed to do so, and the ongoing concern over these kinds of attacks is only becoming more acute due to incidents like the one reported in Germany last week, when a patient died following a ransomware attack at a hospital in Dusseldorf.
With the source code for Windows XP now circulating, the risk of similar attacks succeeding in the UK is tangible. Systems have now become more vulnerable than ever before, and although the clock was already ticking, it is now absolutely vital for the NHS to upgrade any outdated systems to eliminate an ongoing threat that could, under the worst circumstances, lead to a loss of life.