Microsoft yesterday warned Windows XP customers that they face never-patched, never-dead "zero-day" vulnerabilities if they don't dump the 12-year-old operating system before its April 2014 retirement deadline.
Call them the "walking dead" of vulnerabilities. Call it XP Z -- "Z" for zombies.
The warning -- just the latest in a two-year campaign to denigrate XP and convince users to leave it behind -- was similar to one given earlier this week by a long-time SANS security trainer, who predicted that hackers would save their vulnerabilities until after XP's retirement, then unleash them on unprotected PCs.
"The very first month [after April 2014] that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," said Tim Rains, a director in Microsoft's Trustworthy Computing group, in a Thursday blog.
"If [XP shares the vulnerabilities], attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains said.
Reverse-engineering of patches is a common practice by both security researchers and cyber criminals.
Once a patch is released -- say for Windows 7 in May 2014 -- hackers can do a code comparison between the updated and non-updated versions to locate the changes. With the changes in hand, astute researchers can figure out where the vulnerability was. Finally, they can use that information to poke around Windows XP to see if it, too, has buggy code similar to the non-patched Windows 7.
As Rains pointed out -- and history has shown -- it's certain that a number of the flaws fixed in the future in Windows Vista, Windows 7, even Windows 8, will also exist in Windows XP, if only because Microsoft has dragged copious amounts of legacy code, some pre-dating XP, into its newer OSes.
That's one of the reasons why when Microsoft patches a bug in Windows 8, it often also patches the same vulnerability in older editions.
Of the three security updates that applied to Windows XP in the collection Microsoft shipped on Tuesday, for example, two also applied to Vista, Windows 7 and Windows 8. According to statistics Rains cited, over the last year the same percentage of XP vulnerabilities would have been game for reverse-engineering: Of the 45 security bulletins that applied to XP between July 2012 and July 2013, 30 affected Windows 7 and Windows 8.
Rains also ran down XP's security prowess, saying that its primary defense, DEP, for Data Execution Prevention, has become less effective as hackers have learned how to bypass it. (Windows XP lacks another defensive technology, ASLR (address space layout randomization, that is enabled by default on Vista, Windows 7 and Windows 8.)
That's been part of Microsoft's get-off-XP strategy, to disparage its most successful operating system.
In June 2011, a Microsoft manager claimed it was "time to move on" from XP, while even earlier that year an executive on the Internet Explorer team belittled XP as the "lowest common denominator" when he explained why the OS wouldn't run the then-new IE9.
The truth is, XP isn't going anywhere. According to projections based on data from metrics firm Net Applications, XP will be powering about one-third of the world's Windows PCs after its April 2014 retirement. In the U.S., the forecast predicts that XP will still drive one-in-10 Windows systems that month.
Those numbers have prompted some to suspect that Microsoft will renege on its promise to end support for XP on April 8, 2014, and continue to patch the OS. But Rains gave no hint that that's part of the plan.
Also due for retirement next April is Internet Explorer 6 (IE6), the browser that launched in August 2001. In July, IE6 was used by 6% of those who went online, or nearly 11% of those who ran one edition or another of Internet Explorer.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.