Zero day forever--move away from Windows XP, now

Microsoft reminds users--again--that Windows XP support ends in April. But this time, it attempts to demonstrate the security risks of XP.

Windows XP was a prime target for malware, according to Microsoft.

Windows XP was a prime target for malware, according to Microsoft.

Microsoft has reminded, cajoled, and pleaded with users to move off of Windows XP before support for its old OS expires next year. Now Microsoft warns users that they may be subject to "zero-day" threats for the rest of their lives if they don't migrate.

After April 8, 2014, Microsoft will halt support for Windows XP. That means Microsoft won't issue patches or other security fixes for its operating system.

What does that mean, in terms of security? Tim Rains, director of Trustworthy Computing for Microsoft, sums it up:

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities," he wrote. "If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero-day' vulnerability forever."

Zero-day vulnerabilities refer to the way in which hackers can attack an operating system or other code before a patch is released, fixing the vulnerability. Since Microsoft will never patch Windows XP again after April 2014, eventually some vulnerability that affects XP will be found.

Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins. Thirty of those also affected Windows 7 and Windows 8, Rains wrote.

Rains acknowledges that some protections in XP will help mitigate attacks, and third-party antimalware software might offer some protection.

"The challenge here is that you'll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice," Rains wrote.

That's the same argument that some have recently used, claiming that hackers will "bank" their zero-day XP attacks until after next April, then unleash them on the unprotected herds of XP machines. As Rains notes, the sophistication of malware has only improved, meaning that your XP machine is even more vulnerable, not less. PCWorld's Answer Line columnist, Lincoln Spector, agrees.

The problem that some XP users have is that they're so in love with the way that Windows XP does things that they're reluctant to migrate, especially to Windows 8. Well, Windows 7 machines do exist, that offer functionality similar to XP: here's how to find them.

The bottom line is this: while Microsoft stands to gain from arguing that consumers need to upgrade, the truth is: they do. So if you are still on Windows XP, start thinking about a migration strategy. Now.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Microsoftmalware

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Mark Hachman

Latest Videos

More videos

Blog Posts