Zero day forever--move away from Windows XP, now

Microsoft reminds users--again--that Windows XP support ends in April. But this time, it attempts to demonstrate the security risks of XP.
  • Mark Hachman (PC World (US online))
  • — 16 August, 2013 21:58
Windows XP was a prime target for malware, according to Microsoft.

Windows XP was a prime target for malware, according to Microsoft.

Microsoft has reminded, cajoled, and pleaded with users to move off of Windows XP before support for its old OS expires next year. Now Microsoft warns users that they may be subject to "zero-day" threats for the rest of their lives if they don't migrate.

After April 8, 2014, Microsoft will halt support for Windows XP. That means Microsoft won't issue patches or other security fixes for its operating system.

What does that mean, in terms of security? Tim Rains, director of Trustworthy Computing for Microsoft, sums it up:

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities," he wrote. "If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero-day' vulnerability forever."

Zero-day vulnerabilities refer to the way in which hackers can attack an operating system or other code before a patch is released, fixing the vulnerability. Since Microsoft will never patch Windows XP again after April 2014, eventually some vulnerability that affects XP will be found.

Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins. Thirty of those also affected Windows 7 and Windows 8, Rains wrote.

Rains acknowledges that some protections in XP will help mitigate attacks, and third-party antimalware software might offer some protection.

"The challenge here is that you'll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice," Rains wrote.

That's the same argument that some have recently used, claiming that hackers will "bank" their zero-day XP attacks until after next April, then unleash them on the unprotected herds of XP machines. As Rains notes, the sophistication of malware has only improved, meaning that your XP machine is even more vulnerable, not less. PCWorld's Answer Line columnist, Lincoln Spector, agrees.

The problem that some XP users have is that they're so in love with the way that Windows XP does things that they're reluctant to migrate, especially to Windows 8. Well, Windows 7 machines do exist, that offer functionality similar to XP: here's how to find them.

The bottom line is this: while Microsoft stands to gain from arguing that consumers need to upgrade, the truth is: they do. So if you are still on Windows XP, start thinking about a migration strategy. Now.

Tags: security, Microsoft, malware

Heartbleed panic drives flood of enquiries to Symantec's Melbourne CA

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security Solutions-GigaVUE-2404

Newgen provides innovative network monitoring and security solutions based upon Gigamon’s GigaVUE-2404

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.