Burglars in Waiting

Imagine a scenario where you have burglars sitting in your neighborhood waiting on your neighbor to post your garage code to Facebook for all the world to see.

This is exactly what we have, except instead of burglars it is hackers. There are exactly 215 days until support ends for Windows XP. We all know the story, and I do have good news to report. Windows XP usage worldwide is down to 19.19% and in the United States it is about 11.82% (using stats from StatCounter).

The reason for this post is to provide you with additional information related to security patches you may not have thought about. It's not the April 8, 2014 date that I'm most concerned with (4/8/14 is when Windows XP reaches End-of-Life)… it is April 9th, 2014. Why? After April 8th, if Microsoft releases a security update for supported systems (i.e. Windows 7 and Windows 8), hackers can take this security update and try to reverse engineer it to see if Windows XP has the same vulnerability. It would be like giving the burglar the access code to your home.

There was a recent security blog post by Tim Rains, Director of Product Management – Trustworthy Computing, that summarizes this quite well:

The Risk of Running Windows XP After Support Ends April 2014

(read the entire article, but this is what I wanted to share)

When Microsoft releases a security update, security researchers and criminals will oftentimes reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality. For example, if a vulnerability is addressed in one version of Windows, researchers investigate whether other versions of Windows have the same vulnerability. To ensure that our customers are not at a disadvantage to attackers who employ such practices, one long-standing principle that the Microsoft Security Response Center (MSRC) uses when managing security update releases is to release security updates for all affected products simultaneously. This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them.

But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer.  The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities.  If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP.  Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever.  How often could this scenario occur?  Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8. 
