SnakeMasteR Posted August 19, 2013

The Risk of Running Windows XP After Support Ends April 2014

Back in April I published a post about the end of support for Windows XP called The Countdown Begins: Support for Windows XP Ends on April 8, 2014. Since then, many of the customers I have talked to have moved, or are in the process of moving, their organizations from Windows XP to modern operating systems like Windows 7 or Windows 8.

There is a sense of urgency because after April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. This means that any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft. Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.

What is the risk of continuing to run Windows XP after its end of support date? One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case.

When Microsoft releases a security update, security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality.
For example, if a vulnerability is addressed in one version of Windows, researchers investigate whether other versions of Windows have the same vulnerability. To ensure that our customers are not at a disadvantage to attackers who employ such practices, one long standing principle that the Microsoft Security Response Center (MSRC) uses when managing security update releases is to release security updates for all affected products simultaneously. This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them.

But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever. How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8.

Some of the people I have discussed this scenario with are quick to point out that there are security mitigations built into Windows XP that can make it harder for such exploits to be successful. There is also anti-virus software that can help block attacks and clean up infections if they occur.
The challenge here is that you’ll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice. Furthermore, can the system’s APIs that anti-virus software uses be trusted under these circumstances? For some customers, this level of confidence in the integrity of their systems might be okay, but for most it won’t be acceptable.

As for the security mitigations that Windows XP Service Pack 3 has, they were state of the art when they were developed many years ago. But we can see from data published in the Microsoft Security Intelligence Report that the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see. The data we have on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern day operating systems like Windows 7 and Windows 8.

Figure 1: Infection rate (CCM) by operating system and service pack in the fourth quarter of 2012 as reported in the Microsoft Security Intelligence Report volume 14

I recently wrote about the findings of a new study on exploit activity that we just published: Software Vulnerability Exploitation Trends - Exploring the impact of software mitigations on patterns of vulnerability exploitation. This seven-year study indicates that attackers have evolved their attacks to overcome one of the key security mitigations that Windows XP has: Data Execution Prevention (DEP). Figure 3 shows the number of common vulnerabilities and exposures (CVEs) that had exploits that would have been mitigated if DEP were enabled compared to the number of CVEs that had exploits that bypassed DEP.
With the exception of 2007 and 2008, there appears to be a clear downward trend in DEP’s ability to retroactively break exploits. This trend is not because DEP is no longer effective; rather, it is an indication that attackers have been forced to adapt to environments in which DEP is already enabled—at increased cost and complexity. The evidence is the increasing number of CVEs that had exploits that bypassed DEP.

Figure 2 (left): The number of CVEs that were exploited using specific exploitation techniques; Figure 3 (right): The number of CVEs for which exploits were written that could have been mitigated by enabling DEP as compared to the number of CVEs that had exploits that bypassed DEP

This new data shows us that the predominate threats that individuals and organizations face are now much different than they were when Windows XP Service Pack 3 was released. Turning on the Windows Firewall in Windows XP Service Pack 2 and later operating systems forced attackers to evolve their attacks. Rather than actively targeting remote services, attackers now primarily focus on exploiting vulnerabilities in client applications such as web browsers and document readers. In addition, attackers have refined their tools and techniques over the past decade to make them more effective at exploiting vulnerabilities. As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats.

Windows 8 has significantly superior security mitigations compared to Windows XP as Figure 4 illustrates. Detailed information on the new security mitigations built into Windows 8 is available in the aforementioned research paper.

Figure 4: The table below compares the mitigation features supported by Internet Explorer 8 on Windows XP Service Pack 3 with the features supported by Internet Explorer 10 on Windows 8.
As this table shows, Internet Explorer 10 on Windows 8 benefits from an extensive number of platform security improvements that simply are not available to Internet Explorer 8 on Windows XP.

Organizations need a level of certainty about the integrity of their systems. Minimizing the number of systems running unsupported operating systems is helpful in achieving that. End of support for Windows XP is April 8, 2014.

Tim Rains
Director Trustworthy Computing

Source

speedy57 Posted August 19, 2013

Thanks for the info...

bwop Posted August 19, 2013

Makes ya wonder if MS has been dogging it all along on making XP more secure, relative to Vista, 7 and 8.

stylemessiah Posted August 19, 2013

If you think the above is bad, think about all the loonies out there still running Windows 98, yes, some people are.
I saw an update to the unofficial Windows 98 service pack the other week and thought to myself "those fuc$ers are probably still listening to their music on 8 track"
It's time to move on XP users,
Just stop at Windows 7, is all, don't get the fugly productivity sapping new one

MidnightDistortions Posted August 20, 2013

This seems to be a scare tactic as in, when was Windows 98 compromised when Microsoft abandoned it? I never had any problems with running it in 2008 so why should XP be any different? Even though I am running Windows 7 I still use XP for all my printing needs. If there really will be an attack on Windows XP after a month after it is gone, then those people affected will have learned a lesson. I presume some are waiting because they are not liking the new systems or if it's not broken yet why fix it? It might be harder to find a Windows 7 copy so that might be why some people are waiting but like I said, if XP systems are suddenly hacked into a month or so after the support date has been dropped these people will be learning the hard way or they might be lucky and have no problems with it. If I didn't have major browser problems with Windows 98 2 years after the drop date I might have continued using it. Well that and the system resource management was better on XP. I predict some XP systems will die before the OS itself becomes a problem, especially those running the Windows 98 machines (or older).

smallhagrid Posted August 20, 2013

"The Risk of Running Windows XP After Support Ends April 2014"
Please pardon me, but...
Meh.
(If it weren't for driver problems & a few assorted other small things, I'd still be using win2kpro.)

danieltex Posted August 21, 2013

The problem with migrating is one of overall cost.
My PC fulfils all my needs and is perfectly adequate, but will in all likelihood either not run win7 or run it like a dog.
I have win7 on another secondary PC and it does not run well because it is old.
XP ran perfectly.
I had to use odd drivers to get the sound working and quite frankly I don't like it.

It's odd how there are lots of programs to "put start back" and make "it look and feel like XP" for win7 and especially Win8, yet there are very few to make XP act like win7. The reason is that Microsoft did the usual and changed all the wrong things.
It is no coincidence that the abilities of modern PC's have/had plateau'ed about the time of the release of service pack2 in XP.
Yes they have got faster but not actually any better. The hardware sellers need to push product you see, so hand in glove with Microsoft, they also made sure that new software only runs on new hardware properly.
So that means a new computer - but why stop using something that is perfectly useful and simply works.
There is also the fact that I have some software which is NOT win7 compatible, and cannot be replaced easily or cheaply.
There is also the point that XP is much more user adaptable.
I will continue to have an XP machine if for nothing else but to run my old irreplaceable software. And I think we all know that no one in their right mind is going to give up XP for Win8. We will all wait for the next bus please.

Edited August 21, 2013 by danieltex

smallhagrid Posted August 21, 2013

Bravo Danieltex !!!

> It is no coincidence that the abilities of modern PC's have/had plateau'ed about the time of the release of service pack2 in XP.
> Yes they have got faster but not actually any better. The hardware sellers need to push product you see so hand in glove with Microsoft they also made sure that new software only runs on new hardware properly.
> So that means a new computer - but why stop using something that is perfectly useful and simply works.
> There is also the fact that I have some software which is NOT win7 compatible, and cannot be replaced easily or cheaply.
> There is also the point that XP is much more user adaptable.
> I will continue to have an XP machine if for nothing else but to run my old irreplaceable software. And I think we all know that no one in their right mind is going to give up XP for Win8. We will all wait for the next bus please.

Spend, spend, spend=> and get WHAT ???
IMO the biggest mistakeS have been how lobotomized everything after XP has become.
Also IMO there is zero future for such brain-dead OSes that mostly remove user controls.
My PC is exactly that...MINE.
It is not a phone, has no touchscreen, and is not being used by any small children who need to be protected from their own ignorance - for them, sure, buy a new PC and the latest anti-user OS with it.
Right here and right now I am the living creature who controls this machine - and that is how I want it, thanks.
Until (and/or IF) there ever is a really pro-user version of windows again, and despite how so many folks think it is not as good, it will be Linux for me with XP in a VM for all the goodies not yet made for Linux.
(My siggy says the rest !!!)

bob92132 Posted August 21, 2013

> Bravo Danieltex !!!
>
> > It is no coincidence that the abilities of modern PC's have/had plateau'ed about the time of the release of service pack2 in XP.
> > Yes they have got faster but not actually any better. The hardware sellers need to push product you see so hand in glove with Microsoft they also made sure that new software only runs on new hardware properly.
> > So that means a new computer - but why stop using something that is perfectly useful and simply works.
> > There is also the fact that I have some software which is NOT win7 compatible, and cannot be replaced easily or cheaply.
> > There is also the point that XP is much more user adaptable.
> > I will continue to have an XP machine if for nothing else but to run my old irreplaceable software. And I think we all know that no one in their right mind is going to give up XP for Win8. We will all wait for the next bus please.
>
> Spend, spend, spend=> and get WHAT ???
> IMO the biggest mistakeS have been how lobotomized everything after XP has become.
> Also IMO there is zero future for such brain-dead OSes that mostly remove user controls.
> My PC is exactly that...MINE.
> It is not a phone, has no touchscreen, and is not being used by any small children who need to be protected from their own ignorance - for them, sure, buy a new PC and the latest anti-user OS with it.
> Right here and right now I am the living creature who controls this machine - and that is how I want it, thanks.
> Until (and/or IF) there ever is a really pro-user version of windows again, and despite how so many folks think it is not as good, it will be Linux for me with XP in a VM for all the goodies not yet made for Linux.
> (My siggy says the rest !!!)

Historians say this is how it went, though since records were destroyed the exact events are unknown.
1. First the government lobotomized the people.
2. Then the people lobotomized their software.
3. Then the software started demanding .NET Framework 4.0 Client Profile to be installed to do anything.

MidnightDistortions Posted August 22, 2013

> Bravo Danieltex !!!
>
> > It is no coincidence that the abilities of modern PC's have/had plateau'ed about the time of the release of service pack2 in XP. Yes they have got faster but not actually any better. The hardware sellers need to push product you see so hand in glove with Microsoft they also made sure that new software only runs on new hardware properly. So that means a new computer - but why stop using something that is perfectly useful and simply works. There is also the fact that I have some software which is NOT win7 compatible, and cannot be replaced easily or cheaply. There is also the point that XP is much more user adaptable. I will continue to have an XP machine if for nothing else but to run my old irreplaceable software. And I think we all know that no one in their right mind is going to give up XP for Win8. We will all wait for the next bus please.
>
> Spend, spend, spend=> and get WHAT ??? IMO the biggest mistakeS have been how lobotomized everything after XP has become. Also IMO there is zero future for such brain-dead OSes that mostly remove user controls. My PC is exactly that...MINE. It is not a phone, has no touchscreen, and is not being used by any small children who need to be protected from their own ignorance - for them, sure, buy a new PC and the latest anti-user OS with it. Right here and right now I am the living creature who controls this machine - and that is how I want it, thanks. Until (and/or IF) there ever is a really pro-user version of windows again, and despite how so many folks think it is not as good, it will be Linux for me with XP in a VM for all the goodies not yet made for Linux. (My siggy says the rest !!!)

lol smallhagrid http://www.nsaneforums.com/topic/182711-oxymoronmore-secure-says-microsoft/?p=623195 I am loving these rants and for the most part I agree with it.
They might be improving the security on these OS's but I have noticed a trend, the newest ones are always the most secure because well it's new, two it hasn't been out on the market for long and while they have improved security features, once that OS becomes mainstream that's when it will receive the most attacks. Hackers won't bother with old OS's unless a good amount of users are on it. They always target the largest population. Despite each new OS getting better defenses how would we even know it? For me going to W8 is about as vulnerable as staying with XP unsecured. It's mostly luck but you look at Windows update and W7 has had some faulty updates that could almost be deemed the same as getting a virus. So do I feel more secure being on W7 than on XP? Nope, just as vulnerable. There are risks everywhere and taking the risk of using XP past its support might be silly but if you do it correctly and the best you can do there's a 50-50 chance you might get hit. It seems like the same for going to W8 and getting a bad update.

If you buy an old car or have an old car obviously you will eventually run into some problems with it and to some people getting a newer car is better. Well that would be all fine and dandy except that new cars are not always reliable either. It seems that way with computers and the only way to get a reliable computer is to just either keep the one you have that doesn't run into many problems or get a new one from a reputable place. The same goes for OS's. XP works great for some and they don't plan on changing that.

Security or not going to a new OS might perfectly seemingly be ok and for the most part you should be but with bad updates going on it might be better to just turn off automatic updating and let your computer stay semi unsecured with antivirus software. If you got sensitive information (like bank records, important files etc.) you may want to upgrade to the latest OS but for me that basically use my computer as internet and media is there really anything to worry about? I mean otherwise if I upgrade to W8 and they did a crazy bad update that kills everything on my hard drive (which yeah doesn't normally happened.. but there have been some fairly bad updates from MS recently) it's like removing one threat but get another one in the process. I would just have rather leave the OS in 3rd party hands and let them deal with the security updates if they don't want to support an OS anymore. But I think MS wants and expects everyone to upgrade to W8.

smallhagrid Posted August 23, 2013

MidnightDistortions - as always - you make some wonderfully wise points !!!
My answer regarding XP remains the same.
I'm keeping it on my 'daily driver' PC until the last possible second when it is 100% dead and cannot be resurrected.
In the meantime I set up a nice dual-core box with 4gb RAM, Ubuntu 12.04 LTS with LXDE on top of it so as to have all the performance AND the best choices - and did a P2V of my XP which runs fast as can be inside VMWare Player with all my apps just as I want them.
This is how I get and keep the best of both worlds.
The Long Term Support OS is great; LXDE speeds it up; and XP runs even faster in the VM than it does natively.
Your point about old vs. new cars is also VERY worthy of consideration.
For someone who has zero interest in anything mechanical, always buying a new car is a MUST.
BUT=>
For someone who is OK with the mechanical stuff, getting a $2000-5000 car and spending $1000 per year on repairs is fine.
Not only that - but if one does the simple math, it is a lot cheaper over the course of 5 or so years than just buying ONE new car.
(And lest one forget...the old car usually need not have a monthly car payment and its value is a non-issue.)
And just for yuks - I truly think that new cars are really the province of folks with outlandishly high incomes like single execs, politicians, sports figures, celebrities, lawyers and doctors.
For family folks I think that 'debt for wheels' is a very poor fit.

Edited August 23, 2013 by smallhagrid