XP Apocalypse


Redmond warns that zero day could last forever.

Back in April of this year, when Microsoft declared it was discontinuing security updates for Windows XP in April of next year, the public responded with the usual procrastination accorded to any event that is almost a year away. Millions of home users, and even millions of business users, are still running Windows XP, and many have vowed to continue until the hardware ceases to function. Since the original announcement, Redmond has been looking for new ways to lend some urgency to XP's end-of-life vigil.

The latest attempt came from Tim Rains, Director of Product Management in Microsoft's Trustworthy Computing group, whose blog post titled "The Risk of Running Windows XP After Support Ends April 2014" tried to put the issue in context. Rains pointed out that, after security updates cease, Windows XP will essentially retain "zero day" vulnerabilities forever, and attackers will receive continuous clues about those vulnerabilities by watching updates to other Microsoft systems.

According to Rains, "When Microsoft releases a security update, security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update." By reverse engineering the update itself, an attacker gets an easy recipe for attacking systems that haven't received the update. Unfortunately, the same vulnerability might apply to several Microsoft systems, which is why security patches are often released for all systems simultaneously. Rains points out, "Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8." Therefore, when the later systems receive an update, intruders will learn about a possible new attack that is very likely to affect the abandoned XP. Since the XP system will never receive a fix, that vulnerability, and others that follow, will simply exist forever.

08/20/2013