Feeds

Microsoft warns of post-April zero day hack bonanza on Windows XP

Beginning April 2014, patches will bring new threats

SANS - Survey on application security programs

Microsoft has a Windows XP problem: people still like it and aren't willing to upgrade just yet. So it's warning users that if they don’t upgrade soon, hackers will lie in wait each new Patch Tuesday to reverse-engineer a full set of new vulnerabilities.

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," said Tim Rains, Microsoft's director of trustworthy computing, in a blog post.

"If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever."

He points out that from July 2012 through July 2013, Windows XP received 45 patches, 30 of which were relevant to Windows 7 and 8 as well, and there is considerable flaw cross-over found among the three operating systems. XP is also by far the most malware-infected operating systems, he points out.

Windows XP virus infection rates

Open season on XP from malware

Hackers have learned to get around XP systems like Data Execution Prevention (DEP), Rains warned, although it has forced attackers to up their game somewhat. The threat landscape has also changed significantly since the last service pack for XP came out in 2008 – five years is a very long time in the malware industry, after all.

Windows XP, despite being 12 years old, is still Microsoft's second most popular operating system with 37.2 per cent of desktops compared to 44.5 per cent for Windows 7. Don't ask about Windows 8 – that has only just overtaken the much-reviled Vista.

Despite the ending of free XP security updates on April 8 of next year, Rains says he still meets businesses that run XP on some systems and plan to continue doing so until the hardware fails. According to recent data, 15 per cent of IT managers running XP don't even realize support is ending, and they are going to have to shell out for premium support for security holes.

But it now looks certain that a large percentage of XP users still won't be upgrading any time soon. Certainly if you're running an enterprise XP system, you may have postponed an upgrade for too long to ensure an orderly transition – although resellers will be happy to help.

At last year's Worldwide Partners Conference, Microsoft described the upgrade market for Windows XP as a $12bn opportunity for the channel. Based on current usage stats, resellers have a long way to go before realizing that kind of cash. ®

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
New Facebook phone app allows you to stalk your mates
Nearby Friends feature goes live in a few weeks
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.