Microsoft: Windows XP Faces Endless 'Zero Day' After Support Ends

Microsoft recently warned organizations against continuing to use Windows XP after its "extended support" phase ends on April 8, 2014.

After Windows XP leaves the extended support phase of its lifecycle, organizations still using the operating system will lose Microsoft's security patch support and be open to exploits. It will be a perpetual zero-day exploit situation for organizations, according to Tim Rains, Microsoft's director of Trustworthy Computing.

"Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains wrote in a Microsoft blog post.

A zero-day vulnerability usually describes a software flaw that's unknown to the software maker. However, after April 8, Microsoft simply won't be expected to respond to any flaws found in Windows XP, except perhaps for some customers paying for the expensive option of reactive support via Microsoft's Premier Support Services. However, organizations have to qualify to get that sort of support, which is designed to fix problems on a per-incident basis.

Rains explained that hackers tend to reverse-engineer Microsoft's security updates each month and then try the resulting exploits against other Microsoft products, which is why Microsoft releases patches that apply to multiple products all at once. However, the advantage of that proactive approach will be lost after April 8.

He also argued against the effectiveness of Windows XP defensive "mitigations" to stave off future attacks. Rains offered a chart from the latest Microsoft Security Intelligence Report showing that Windows XP exploits currently far outstrip those of Microsoft's newer Windows OSes.

Windows infection rate in the fourth quarter of 2012. (Source: Microsoft Security Intelligence Report Volume 14.)

Attacks of a decade ago are different from today's attacks, Rains argued. Client applications get targeted more these days. "As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats," he said.

One big problem is that a lot of organizations are still using Windows XP. The downward-use trend of Windows XP almost seemed to stall this month, according to Net Applications' data. While Windows XP use was at 37.17 percent in June, it actually edged up in mid-August to 37.19 percent.

Operating system use from January to mid-August, 2013. (Source: Net Applications, sampled 8/16/13.)

Microsoft will provide no security support at all for Windows XP users after April 8, except for those larger organizations able to qualify for paid support via Microsoft Premier Support Services. Still, many organizations appear stuck when it comes to getting off the 12-year-old OS.

It's already a crunch time for organizations trying to move off Windows XP before April 8 because of the planning and application compatibility testing involved before making a move to a new OS. Third-party vendors are offering services and solutions to either facilitate the migrations or provide temporary measures, such as virtualization. For a summary of some approaches and solutions toward getting off Windows XP, see this article.
