
Microsoft: Windows XP Usage Means Zero-Day Attacks Forever

Microsoft has a blunt warning for computer users still using Windows XP: Upgrade to a newer operating system now or risk exposure to zero-day attacks forever.

The company's support for Windows XP -- including the shipping of patches for critical software vulnerabilities -- ends on April 8, 2014. This effectively means that those systems will forever be exposed to attacks targeting Windows flaws that will never be fixed.

The warning came directly from Tim Rains, a director in the Microsoft Trustworthy Computing group. In a blog post pleading with Windows users to upgrade to modern operating systems like Windows 7 or Windows 8, Rains outlined the urgency.

"There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft," he explained.

Rains said the company is aware of hesitance among some Windows users who won't migrate from Windows XP for various reasons, but he insists the risks are just too much to tolerate.

"One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders," he declared.

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever," Rains added.

He provided a comparison chart to show that Windows XP offers only "limited" anti-exploit mitigations like ASLR (Address Space Layout Randomization) and heap hardening. Such mitigations are significant roadblocks to attacks, and Microsoft is sounding alarm bells that advanced attackers will reverse-engineer future patches to take aim at Windows XP users.

When Microsoft releases a security update, security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality, Rains explained.

If, for example, a vulnerability is addressed in one version of Windows, Microsoft is warning that hackers will investigate whether other versions of Windows have the same vulnerability.

After April 8, 2014, organizations and users will be at a severe disadvantage because when it's obvious that an exploitable vulnerability affects Windows XP, live attacks will be inevitable.

He provided hard data to show that the Windows XP operating system is often affected by software flaws fixed in Microsoft security bulletins.

"The security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see. The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8," Rains warned.

Ryan is the host of the SecurityWeek podcast series "Security Conversations". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.