
Windows XP Users To Face Perpetual 'Zero Day'

Microsoft this week cautioned organizations about continuing to use Windows XP after its "extended support" phase ends.

After April 8, 2014, organizations will lose Microsoft's security patch support as the extended support phase of the operating system's lifecycle ends. Without that proactive patching support from Microsoft, systems will be open to exploits. It will be a perpetual zero-day exploit situation for organizations, according to Tim Rains, Microsoft's director of Trustworthy Computing.

"Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains wrote in a Microsoft blog post.

A zero-day vulnerability usually describes a software flaw that's unknown to the software maker. However, after April 8, Microsoft simply won't be expected to respond to any flaws found in Windows XP, except perhaps for some customers paying for the expensive option of reactive support via Microsoft's Premier Support Services. However, organizations have to qualify to get that sort of support, which is designed to fix problems on a per-incident basis.

Rains explained that hackers tend to reverse-engineer Microsoft's security updates each month to apply the exploit to other Microsoft products, which is why Microsoft releases patches that apply to multiple products all at once. However, the advantage of that proactive approach will be lost after April 8.

He also argued against the effectiveness of Windows XP defensive "mitigations" to stave off future attacks. Rains offered a chart from the latest Microsoft Security Intelligence Report showing that Windows XP exploits currently far outstrip those of Microsoft's newer Windows OSes.

Figure 1. Windows infection rate in the fourth quarter of 2012. Source: Microsoft Security Intelligence Report Volume 14.

Attacks of a decade ago are different from today's attacks, Rains argued. Client applications get targeted more these days. "As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats," he said.

One big problem is that a lot of organizations are still using Windows XP. The downward-use trend of Windows XP almost seemed to stall this month, according to Net Applications' data. While Windows XP use was at 37.17 percent in June, it actually edged up in mid-August to 37.19 percent.

Figure 2. Operating system use from January to mid-August, 2013. Source: Net Applications, sampled 8/16/13.

Microsoft will provide no security support at all for Windows XP users after April 8, except for those larger organizations able to qualify for paid support via Microsoft Premier Support Services. Still, many organizations appear to be stuck on the 12-year-old OS.

It's already a crunch time for organizations trying to move off Windows XP before April 8 because of the planning and application compatibility testing involved before making a move to a new OS. Third-party vendors are offering services and solutions to either facilitate the migrations or provide temporary measures, such as virtualization. For a summary of some approaches and solutions toward getting off Windows XP, see this article.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
