After April 8, Windows XP Service Pack 3 (SP3) customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. That also means any new vulnerabilities discovered in Windows XP after its “end of life” will not be addressed by new security updates from Microsoft.
“Still, I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8,” said Tim Rains, director of trustworthy computing at Microsoft, in a blog. “I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it’s running on fails.”
Clearly, attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders, he noted.
“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities,” Rains explained. “If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero day’ vulnerability forever.”
How often could this scenario occur? Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8. Rains also said that the data on malware infection rates for Windows operating systems indicates that the infection rate for Windows XP is significantly higher than those for modern-day operating systems like Windows 7 and Windows 8.
While there are security mitigations built into Windows XP that can make it harder for such exploits to be successful, and anti-virus software that can help block attacks and clean up infections if they occur, Rains warned that this won’t be enough.
“The challenge here is that you’ll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero-day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice,” Rains continued. “Furthermore, can the system’s APIs that anti-virus software uses be trusted under these circumstances? For some customers, this level of confidence in the integrity of their systems might be okay, but for most it won’t be acceptable.”