Windows XP Users To Face Perpetual 'Zero Day'
Microsoft this week cautioned organizations about continuing to use Windows XP after its "extended support" phase ends.
After April 8, 2014, organizations will lose Microsoft's security patch support as the extended support phase of the operating system's lifecycle ends. Without that proactive patching support from Microsoft, systems will be open to exploits. It will be a perpetual zero-day exploit situation for organizations, according to Tim Rains, Microsoft's director of Trustworthy Computing.
"Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains wrote in a Microsoft blog post.
A zero-day vulnerability usually describes a software flaw that's unknown to the software maker. However, after April 8, Microsoft simply won't be expected to respond to any flaws found in Windows XP, except perhaps for some customers paying for the expensive option of reactive support via Microsoft's Premier Support Services. However, organizations have to qualify to get that sort of support, which is designed to fix problems on a per-incident basis.
Rains explained that hackers tend to reverse-engineer Microsoft's security updates each month to apply the exploit to other Microsoft products, which is why Microsoft releases patches that apply to multiple products all at once. However, the advantage of that proactive approach will be lost after April 8.
He also argued against the effectiveness of Windows XP defensive "mitigations" to stave off future attacks. Rains offered a chart from the latest Microsoft Security Intelligence Report showing that Windows XP exploits currently far outstrip those of Microsoft's newer Windows OSes.
[Click on image for larger view.] Figure 1.
Windows infection rate in the fourth quarter of 2012. Source: Microsoft Security Intelligence Report Volume 14.
Attacks of a decade ago are different than todays' attacks, Rains argued. Client applications get targeted more these days. "As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats," he said.
One big problem is that a lot of organizations are still using Windows XP. The downward-use trend of Windows XP almost seemed to stall this month, according to Net Applications' data. While Windows XP use was at 37.17 percent in June, it actually edged up in mid-August to 37.19 percent.
[Click on image for larger view.] Figure 2.
Operating system use from January to mid-August, 2013. Source: Net Applications, sampled 8/16/13.
Microsoft will provide no security support at all for Windows XP users after April 8, except for those larger organizations able to qualify for paid support via Microsoft Premier Support Services. Still, many organizations appear stuck in getting off the 12-year-old OS.
It's already a crunch time for organizations trying to move off Windows XP before April 8 because of the planning and application compatibility testing involved before making a move to a new OS. Third-party vendors are offering services and solutions to either facilitate the migrations or provide temporary measures, such as virtualization. For a summary of some approaches and solutions toward getting off Windows XP, see this article.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.