XP Z: Microsoft scares Windows XP users straight with undead bug warning
Jumps on XP-is-doomed bandwagon as it urges everyone to put down the OS
Computerworld - Microsoft yesterday warned Windows XP customers that they face never-patched, never-dead "zero-day" vulnerabilities if they don't dump the 12-year-old operating system before its April 2014 retirement deadline.
Call them the "walking dead" of vulnerabilities. Call it XP Z -- "Z" for zombies.
The warning -- just the latest in a two-year campaign to denigrate XP and convince users to leave it behind -- was similar to one given earlier this week by a long-time SANS security trainer, who predicted that hackers would save their vulnerabilities until after XP's retirement, then unleash them on unprotected PCs.
"The very first month [after April 2014] that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," said Tim Rains, a director in Microsoft's Trustworthy Computing group, in a Thursday blog.
"If [XP shares the vulnerabilities], attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains said.
Reverse-engineering of patches is a common practice by both security researchers and cyber criminals.
Once a patch is released -- say for Windows 7 in May 2014 -- hackers can do a code comparison between the updated and non-updated versions to locate the changes. With the changes in hand, astute researchers can figure out where the vulnerability was. Finally, they can use that information to poke around Windows XP to see if it, too, has buggy code similar to the non-patched Windows 7.
As Rains pointed out -- and history has shown -- it's certain that a number of the flaws fixed in the future in Windows Vista, Windows 7, even Windows 8, will also exist in Windows XP, if only because Microsoft has dragged copious amounts of legacy code, some pre-dating XP, into its newer OSes.
That's one of the reasons why when Microsoft patches a bug in Windows 8, it often also patches the same vulnerability in older editions.
Of the three security updates that applied to Windows XP in the collection Microsoft shipped on Tuesday, for example, two also applied to Vista, Windows 7 and Windows 8. According to statistics Rains cited, over the last year the same percentage of XP vulnerabilities would have been game for reverse-engineering: Of the 45 security bulletins that applied to XP between July 2012 and July 2013, 30 affected Windows 7 and Windows 8.
Rains also ran down XP's security prowess, saying that its primary defense, DEP, for Data Execution Prevention, has become less effective as hackers have learned how to bypass it. (Windows XP lacks another defensive technology, ASLR (address space layout randomization), that is enabled by default on Vista, Windows 7 and Windows 8.)
That's been part of Microsoft's get-off-XP strategy, to disparage its most successful operating system.
In June 2011, a Microsoft manager claimed it was "time to move on" from XP, while even earlier that year an executive on the Internet Explorer team belittled XP as the "lowest common denominator" when he explained why the OS wouldn't run the then-new IE9.
The truth is, XP isn't going anywhere. According to projections based on data from metrics firm Net Applications, XP will be powering about one-third of the world's Windows PCs after its April 2014 retirement. In the U.S., the forecast predicts that XP will still drive one-in-10 Windows systems that month.
Those numbers have prompted some to suspect that Microsoft will renege on its promise to end support for XP on April 8, 2014, and continue to patch the OS. But Rains gave no hint that that's part of the plan.
Also due for retirement next April is Internet Explorer 6 (IE6), the browser that launched in August 2001. In July, IE6 was used by 6% of those who went online, or nearly 11% of those who ran one edition or another of Internet Explorer.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.