Zero day forever--move away from Windows XP, now

Microsoft has reminded, cajoled, and pleaded with users to move off of Windows XP before support for its old OS expires next year. Now Microsoft warns users that they may be subject to “zero-day” threats for the rest of their lives if they don’t migrate.

After April 8, 2014, Microsoft will halt support for Windows XP. That means Microsoft won’t issue patches or other security fixes for its opeating system.

What does that mean, in terms of security? Tim Rains, director of Trustworthy Computing for Microsoft, sums it up:

“The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities,” he wrote. “If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero-day’ vulnerability forever.”

Zero-day vulnerabilities refer to the way in which hackers can attack an operating system or other code before a patch is released, fixing the vulnerability. Since Microsoft will never patch Windows XP again after April 2014, eventually some vulneability that affects XP will be found.

Between July 2012 and July 2013, Windows XP was an affected product in 45 Microsoft security bulletins. Thirty of those also affected Windows 7 and Windows 8, Rains wrote.

Windows Infection RatesMicrosoft
Windows XP was a prime target for malware, according to Microsoft.

Rains acknowledges that some protections in XP will help mitigate attacks, and third-party antimalware software might offer some protection.

“The challenge here is that you’ll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice,” Rains wrote.

That’s the same argument that some have recently used, claiming that hackers will “bank” their zero-day XP attacks until after next April, then unleash them on the unprotected herds of XP machines. As Rains notes, the sophistication of malware has only improved, meaning that your XP machine is even more vulnerable, not less. PCWorld’s Answer Line columnist, Lincoln Spector, agrees.

The problem that some XP users have is that they’re so in love with the way that Windows XP does things that they’re reluctant to migrate, especially to Windows 8. Well, Windows 7 machines do exist, that offer functionality similar to XP: here’s how to find them.

The bottom line is this: while Microsoft stands to gain from arguing that consumers need to upgrade, the truth is: they do. So if you are still on Windows XP, start thinking about a migration strategy. Now.

Subscribe to the Security Watch Newsletter

Comments