Microsoft: Windows XP Faces Endless 'Zero Day' After Support Ends

Microsoft recently warned organizations against continuing to use Windows XP after its "extended support" phase ends on April 8, 2014.

After Windows XP leaves the extended support phase of its lifecycle, organizations still using the operating system will lose Microsoft's security patch support and be open to exploits. It will be a perpetual zero-day exploit situation for organizations, according to Tim Rains, Microsoft's director of Trustworthy Computing.

"Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains wrote in a Microsoft blog post.

A zero-day vulnerability usually describes a software flaw that's unknown to the software maker. However, after April 8, Microsoft simply won't be expected to respond to any flaws found in Windows XP, except perhaps for some customers paying for the expensive option of reactive support via Microsoft's Premier Support Services. However, organizations have to qualify to get that sort of support, which is designed to fix problems on a per-incident basis.

Rains explained that hackers tend to reverse-engineer Microsoft's security updates each month to apply the exploit to other Microsoft products, which is why Microsoft releases patches that apply to multiple products all at once. However, the advantage of that proactive approach will be lost after April 8.

He also argued against the effectiveness of Windows XP defensive "mitigations" to stave off future attacks. Rains offered a chart from the latest Microsoft Security Intelligence Report showing that Windows XP exploits currently far outstrip those of Microsoft's newer Windows OSes.

Windows infection rate in the fourth quarter of 2012. (Source: Microsoft Security Intelligence Report Volume 14.)

Attacks of a decade ago are different from today's attacks, Rains argued. Client applications get targeted more these days. "As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats," he said.

One big problem is that a lot of organizations are still using Windows XP. The downward-use trend of Windows XP almost seemed to stall this month, according to Net Applications' data. While Windows XP use was at 37.17 percent in June, it actually edged up in mid-August to 37.19 percent.

Operating system use from January to mid-August, 2013. (Source: Net Applications, sampled 8/16/13.)

Microsoft will provide no security support at all for Windows XP users after April 8, except for those larger organizations able to qualify for paid support via Microsoft Premier Support Services. Still, many organizations appear to be stuck when it comes to getting off the 12-year-old OS.

It's already a crunch time for organizations trying to move off Windows XP before April 8 because of the planning and application compatibility testing involved before making a move to a new OS. Third-party vendors are offering services and solutions to either facilitate the migrations or provide temporary measures, such as virtualization. For a summary of some approaches and solutions toward getting off Windows XP, see this article.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
