XP Z: Microsoft scares Windows XP users straight with undead bug warning
Jumps on XP-is-doomed bandwagon as it urges everyone to put down the OS
Computerworld - Microsoft yesterday warned Windows XP customers that they face never-patched, never-dead "zero-day" vulnerabilities if they don't dump the 12-year-old operating system before its April 2014 retirement deadline.
Call them the "walking dead" of vulnerabilities. Call it XP Z -- "Z" for zombies.
The warning -- just the latest in a two-year campaign to denigrate XP and convince users to leave it behind -- was similar to one given earlier this week by a long-time SANS security trainer, who predicted that hackers would save their vulnerabilities until after XP's retirement, then unleash them on unprotected PCs.
"The very first month [after April 2014] that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," said Tim Rains, a director in Microsoft's Trustworthy Computing group, in a Thursday blog.
"If [XP shares the vulnerabilities], attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains said.
Reverse-engineering of patches is a common practice by both security researchers and cyber criminals.
Once a patch is released -- say for Windows 7 in May 2014 -- hackers can do a code comparison between the updated and non-updated versions to locate the changes. With the changes in hand, astute researchers can figure out where the vulnerability was. Finally, they can use that information to poke around Windows XP to see if it, too, has buggy code similar to the non-patched Windows 7.
As Rains pointed out -- and history has shown -- it's certain that a number of the flaws fixed in the future in Windows Vista, Windows 7, even Windows 8, will also exist in Windows XP, if only because Microsoft has dragged copious amounts of legacy code, some pre-dating XP, into its newer OSes.
That's one of the reasons why when Microsoft patches a bug in Windows 8, it often also patches the same vulnerability in older editions.
Of the three security updates that applied to Windows XP in the collection Microsoft shipped on Tuesday, for example, two also applied to Vista, Windows 7 and Windows 8. According to statistics Rains cited, over the last year the same percentage of XP vulnerabilities would have been game for reverse-engineering: Of the 45 security bulletins that applied to XP between July 2012 and July 2013, 30 affected Windows 7 and Windows 8.
Rains also ran down XP's security prowess, saying that its primary defense, DEP, for Data Execution Prevention, has become less effective as hackers have learned how to bypass it. (Windows XP lacks another defensive technology, ASLR (address space layout randomization, that is enabled by default on Vista, Windows 7 and Windows 8.)
That's been part of Microsoft's get-off-XP strategy, to disparage its most successful operating system.
In June 2011, a Microsoft manager claimed it was "time to move on" from XP, while even earlier that year an executive on the Internet Explorer team belittled XP as the "lowest common denominator" when he explained why the OS wouldn't run the then-new IE9.
The truth is, XP isn't going anywhere. According to projections based on data from metrics firm Net Applications, XP will be powering about one-third of the world's Windows PCs after its April 2014 retirement. In the U.S., the forecast predicts that XP will still drive one-in-10 Windows systems that month.
Those numbers have prompted some to suspect that Microsoft will renege on its promise to end support for XP on April 8, 2014, and continue to patch the OS. But Rains gave no hint that that's part of the plan.
Also due for retirement next April is Internet Explorer 6 (IE6), the browser that launched in August 2001. In July, IE6 was used by 6% of those who went online, or nearly 11% of those who ran one edition or another of Internet Explorer.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Windows XP lives
- Microsoft slashes Windows XP custom support prices just days before axing public patches
- Update: IRS misses XP deadline, will spend $30M to upgrade remaining PCs
- Microsoft Patch Tuesday bids adieu to Windows XP
- FAQ: Good-bye old pal, old paint, Windows XP
- Windows XP: The end is nigh
- How to Support Windows XP Now That Microsoft Isn't
- Microsoft sketches out final Windows XP security updates for next week
- Last-minute lazybones dump Windows XP
- Microsoft returns to scare tactic well in dump-XP campaign
- Microsoft tries to tempt XP diehards with $100 discount on new PCs
Read more about Windows in Computerworld's Windows Topic Center.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Windows White Papers | Webcasts