Zero day forever--move away from Windows XP, now

Microsoft reminds users--again--that Windows XP support ends in April. But this time, it attempts to demonstrate the security risks of XP.

Windows XP was a prime target for malware, according to Microsoft.

Windows XP was a prime target for malware, according to Microsoft.

Microsoft has reminded, cajoled, and pleaded with users to move off of Windows XP before support for its old OS expires next year. Now Microsoft warns users that they may be subject to "zero-day" threats for the rest of their lives if they don't migrate.

After April 8, 2014, Microsoft will halt support for Windows XP. That means Microsoft won't issue patches or other security fixes for its operating system.

What does that mean, in terms of security? Tim Rains, director of Trustworthy Computing for Microsoft, sums it up:

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities," he wrote. "If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero-day' vulnerability forever."

Zero-day vulnerabilities refer to the way in which hackers can attack an operating system or other code before a patch is released, fixing the vulnerability. Since Microsoft will never patch Windows XP again after April 2014, eventually some vulnerability that affects XP will be found.

Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins. Thirty of those also affected Windows 7 and Windows 8, Rains wrote.

Rains acknowledges that some protections in XP will help mitigate attacks, and third-party antimalware software might offer some protection.

"The challenge here is that you'll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice," Rains wrote.

That's the same argument that some have recently used, claiming that hackers will "bank" their zero-day XP attacks until after next April, then unleash them on the unprotected herds of XP machines. As Rains notes, the sophistication of malware has only improved, meaning that your XP machine is even more vulnerable, not less. PCWorld's Answer Line columnist, Lincoln Spector, agrees.

The problem that some XP users have is that they're so in love with the way that Windows XP does things that they're reluctant to migrate, especially to Windows 8. Well, Windows 7 machines do exist, that offer functionality similar to XP: here's how to find them.

The bottom line is this: while Microsoft stands to gain from arguing that consumers need to upgrade, the truth is: they do. So if you are still on Windows XP, start thinking about a migration strategy. Now.

Join the CSO newsletter!

Error: Please check your email address.

Tags Microsoftsecuritymalware

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mark Hachman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place