Zero day forever--move away from Windows XP, now

Microsoft reminds users--again--that Windows XP support ends in April. But this time, it attempts to demonstrate the security risks of XP.

Windows XP was a prime target for malware, according to Microsoft.

Windows XP was a prime target for malware, according to Microsoft.

Microsoft has reminded, cajoled, and pleaded with users to move off of Windows XP before support for its old OS expires next year. Now Microsoft warns users that they may be subject to "zero-day" threats for the rest of their lives if they don't migrate.

After April 8, 2014, Microsoft will halt support for Windows XP. That means Microsoft won't issue patches or other security fixes for its operating system.

What does that mean, in terms of security? Tim Rains, director of Trustworthy Computing for Microsoft, sums it up:

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities," he wrote. "If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero-day' vulnerability forever."

Zero-day vulnerabilities refer to the way in which hackers can attack an operating system or other code before a patch is released, fixing the vulnerability. Since Microsoft will never patch Windows XP again after April 2014, eventually some vulnerability that affects XP will be found.

Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins. Thirty of those also affected Windows 7 and Windows 8, Rains wrote.

Rains acknowledges that some protections in XP will help mitigate attacks, and third-party antimalware software might offer some protection.

"The challenge here is that you'll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice," Rains wrote.

That's the same argument that some have recently used, claiming that hackers will "bank" their zero-day XP attacks until after next April, then unleash them on the unprotected herds of XP machines. As Rains notes, the sophistication of malware has only improved, meaning that your XP machine is even more vulnerable, not less. PCWorld's Answer Line columnist, Lincoln Spector, agrees.

The problem that some XP users have is that they're so in love with the way that Windows XP does things that they're reluctant to migrate, especially to Windows 8. Well, Windows 7 machines do exist, that offer functionality similar to XP: here's how to find them.

The bottom line is this: while Microsoft stands to gain from arguing that consumers need to upgrade, the truth is: they do. So if you are still on Windows XP, start thinking about a migration strategy. Now.

Tags securityMicrosoftmalware

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Get powerful mobile security capabilities, and protect the data the various mobile devices inside your organization.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.