Microsoft Warns of Permanent Zero-Day Exploits for Windows XP

20 August 2013

When Microsoft announced that it would discontinue support for Windows XP starting on April 8, 2014, many companies began the long process of transitioning to modern operating systems like Windows 7 or Windows 8. But there are others that won’t – and the software giant is raising the spectre of a zero-day onslaught as a result.

After April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. That also means any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft.

“Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8,” said Tim Rains, director of trustworthy computing at Microsoft, in a blog. “I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.” 

Clearly, attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders, he noted.

“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities,” Rains explained. “If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero day’ vulnerability forever.”

How often could this scenario occur? Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8. Rains also said that the data on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than that for modern-day operating systems like Windows 7 and Windows 8.

While there are security mitigations built into Windows XP that can make it harder for such exploits to be successful, and anti-virus software that can help block attacks and clean up infections if they occur, Rains warned that this won’t be enough.

“The challenge here is that you’ll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero-day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice,” Rains continued. “Furthermore, can the system’s APIs that anti-virus software uses be trusted under these circumstances? For some customers, this level of confidence in the integrity of their systems might be okay, but for most it won’t be acceptable.”
