Microsoft: Windows XP Usage Means Zero-Day Attacks Forever

Microsoft has a blunt warning for computer users still using Windows XP: Upgrade to a newer operating system now or risk exposure to zero-day attacks forever.

The company's support for Windows XP -- including the shipping of patches for critical software vulnerabilities -- ends on April 8, 2014. This effectively means that those systems will forever be exposed to attacks targeting Windows flaws that will never be fixed.

The warning came directly from Tim Rains, a director in the Microsoft Trustworthy Computing group. In a blog post pleading with Windows users to upgrade to modern operating systems like Windows 7 or Windows 8, Rains outlined the urgency.

"There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft," he explained.

Rains said the company is aware that some Windows users are hesitant to migrate from Windows XP for various reasons, but he insists the risks are too great to tolerate.

"One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders," he declared.

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever," Rains added.

He provided a comparison chart to show that Windows XP offers only "limited" anti-exploit mitigations like ASLR (Address Space Layout Randomization) and heap hardening. These are significant roadblocks to hacker attacks and Microsoft is sounding alarm bells that advanced attackers will reverse-engineer future patches to take aim at Windows XP users.

When Microsoft releases a security update, security researchers and criminals will often reverse engineer it in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify the vulnerability, they attempt to develop code that will exploit it on systems that do not have the security update installed. They also try to determine whether the vulnerability exists in other products with the same or similar functionality, Rains explained.

If, for example, a vulnerability is addressed in one version of Windows, Microsoft is warning that hackers will investigate whether other versions of Windows have the same vulnerability.

After April 8, 2014, organizations and users will be at a severe disadvantage because when it's obvious that an exploitable vulnerability affects Windows XP, live attacks will be inevitable.
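The first step for an organization in this position is knowing which machines are still on Windows XP. The following is an added example, not code from the article or from Microsoft: it queries Active Directory for domain-joined computers that report a Windows XP operating system and produces a migration backlog. It assumes a domain-joined environment with the ActiveDirectory PowerShell module (RSAT) installed and an account with read access to computer objects; the output file name is a placeholder.

```powershell
# Added example (not from the article): list domain-joined computers still reporting
# a Windows XP operating system in Active Directory, so they can be scheduled for
# migration before the April 8, 2014 end-of-support date quoted in the article.
# Assumes the ActiveDirectory module (RSAT) is installed and the account can read
# computer objects. Run from a management workstation, not from the XP hosts.
Import-Module ActiveDirectory

$EndOfSupport = Get-Date '2014-04-08'
$Today        = Get-Date

# The AD "operatingSystem" attribute is populated by the client itself at domain join
# and on later updates, so it is a good first-pass inventory (verify against your
# endpoint management data before acting on it).
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$report = $xpHosts | ForEach-Object {
    [PSCustomObject]@{
        Name        = $_.Name
        OS          = $_.OperatingSystem
        ServicePack = $_.OperatingSystemServicePack
        LastLogon   = $_.LastLogonDate
        # Days past end of support; negative means days remaining
        DaysPastEOL = [int]($Today - $EndOfSupport).TotalDays
    }
}

# Most recently active hosts first: these are the live, exposed machines
$report | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Keep a CSV to track the migration backlog over time (placeholder path)
$report | Export-Csv -Path 'xp-hosts.csv' -NoTypeInformation
```

Hosts with a recent LastLogon are the ones actually on the network and therefore the priority; stale entries are often decommissioned machines whose computer objects were never cleaned up, and those should be disabled or removed so the inventory stays accurate.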

He provided hard data to show that the Windows XP operating system is often affected by software flaws fixed in Microsoft security bulletins.

"The security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see. The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8," Rains warned.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.