By switching to a non-Microsoft browser, Windows XP users can halve the number of vulnerabilities that apply to the OS, according to a survey of flaws Microsoft fixed in the second half of 2013.
The statistics support the advice from security professionals, who have recommended users run a rival browser to avoid some of the attacks aimed at their unprotected PCs.
Microsoft stopped sending patches to Windows XP PCs last month. The ban also applies to any version of IE that runs on the aged operating system. But a tally of Windows and IE vulnerabilities patched from July to December 2013 shows that the browser poses a greater security risk to XP bitter-enders than does the OS itself.
During the six-month stretch, Microsoft patched 19 separate critical vulnerabilities in the versions of IE -- IE6, IE7 and IE8 -- that run on Windows XP. "Critical" is Microsoft's most-serious threat label, and indicates that hackers who successfully exploit such bugs can probably compromise the PC and plant malware on its drive.
In the same period, Microsoft patched 16 critical vulnerabilities in Windows XP. All but one was also patched in either Windows 7 or Windows 8, or both, at the same time as for Windows XP.
That last line is important.
Security experts, including those at Microsoft, have predicted that hackers will analyze the patches provided for other versions of the operating system to find flaws in XP. By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in, say, Windows 7, which will be patched, then sniff around the same part of XP's code until they discover the bug there. From that point, it will be relatively straight forward for them to craft an exploit and use it against unprotected XP PCs.
"After April , when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Dustin Childs, director of Microsoft's Trustworthy Computing group, in an October 2013 blog. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."
Of the 16 critical Windows XP flaws fixed in the second half of 2013, 14 were also patched in Windows 7 and Windows 8, one was also addressed just in Windows 7, and one was found only in Windows XP. In other words, 15 of the vulnerabilities fit Microsoft's criteria as reverse engineer-able.
Cyber criminals will have an easier time locating bugs in IE, as IE6, IE7 and IE8 will continue to be patched on other flavors of Windows. Even IE6, which shipped before Windows XP, will be patched until July 2015, when Windows Server 2003 retires.
Hackers can apply the same code-comparison techniques to the IE patches to create exploits for the browser on XP.
For those keeping score, that's 19 IE vulnerabilities and 15 Windows XP bugs with reverse engineering potential. Put another way, eliminating IE from the XP scenario would have reduced the attack surface by 57% last year.
Microsoft doesn't see it that way.
"Changing browsers won't mitigate this risk, as most of the exploits used in such attacks aren't related to browsers," Tim Rains, a director in Microsoft's Trustworthy Computing group said in March when he named Web browsing the No. 1 risk to users still running Windows XP.
The numbers say different, as do experts who don't work for Microsoft.
"You shouldn't be using IE on XP," said Michael Silver, an analyst with Gartner, in an interview last week. "The only reason to run IE on XP is to get to an enterprise's internal websites."
Silver gave his no-IE-on-XP advice after Microsoft patched the browser on May 1 to quash a bug that hackers had already been exploiting. Microsoft patched all versions of IE, but more importantly, broke with policy by offering the fixes to Windows XP users. At the time, Microsoft said it had decided to patch IE on XP -- even though the latter had exited support -- because it was just weeks after XP's retirement.
"For most enterprises, another lesson to learn [from the patch exception of May 1] is that users are pretty comfortable using multiple browsers," said John Pescatore, director of emerging security trends at the SANS Institute, a security training organization. "Most have tried to lock users into one browser, but that's a problem. The world has changed. Companies should get away from requiring just one browser."
In March, the U.S. Computer Emergency Readiness Team (US-CERT) told people who planned to stick with Windows XP to dump IE and replace it with a different browser to eliminate the former's now-unpatched vulnerabilities.
Google will continue to patch Chrome on XP until at least April 2015, and neither Mozilla or Opera Software have plans to drop support for Firefox and Opera any time soon.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.