As the Windows XP end-of-life date finally arrives, Microsoft will ship the last of 452 total security bulletins for its long-lasting operating system today. While some may fear an immediate flurry of zero-day attacks, experts cautioned that XP security problems are more likely to mount over time, not right away.
Sean Sullivansecurity researcher, F-Secure Labs
Today represents the end of Microsoft's long farewell to its Windows XP operating system, first introduced to the public in October 2001. Also today, the Redmond, Wash.-based software giant ends support for Office 2003, the last version of its productivity suite devoid of the opinion-splitting ribbon layout.
Microsoft had warned users as far back as 2007 that the end of XP was coming, but despite providing XP customers with ample warning and even once extending the end-of-support date, the aged OS remains a popular choice at home and in offices worldwide. More than a quarter of all PCs worldwide still run XP, according to recent numbers from research firm Net Applications, while Redwood City, Calif.-based vulnerability management vendor Qualys Inc. has recently estimated that around 14% of enterprises still have an XP footprint.
As a result of that sizable market share, the cutoff date for Windows XP support has long been a cause for concern, with some worrying that attackers are hoarding zero-day exploits for XP vulnerabilities after April 8.
Experts that spoke to SearchSecurity, however, largely poured a bucket of cold water on those concerns.
Sean Sullivan, security advisor at Helsinki, Finland-based security vendor F-Secure Labs, downplayed the likelihood of an explosion of XP zero-days. He noted that the intense competition among exploit developers would make holding a valuable vulnerability for any period of time a risk on their initial investment. The exception, he noted, could be sophisticated nation-state intelligence agencies.
"I think the economics of selling zero days [immediately] outweighs the economics of holding onto them until they're no longer patched," said Sullivan.
XP threatened by patch reverse-engineering
Though today's end-of-life date may not bring a flood of new XP exploits, Sullivan warned that enterprises shouldn't view a lack of immediate activity as a sign that criminals are no longer targeting XP. Instead, he said, most exploit kit authors are likely to wait until future Patch Tuesday releases to reverse-engineer vulnerabilities that Microsoft fixes in Windows 7 and Windows 8.
Christopher Budd, threat communications manager for Japan-based Trend Micro Inc., agreed with Sullivan, emphasizing that enterprises running XP are unlikely to face a markedly increased risk in the weeks following April 8.
Budd, who wrote the first security bulletin for Windows XP when he was part of the Microsoft Trustworthy Computing Group, said it was a well-known fact at Microsoft that attackers looked to the Patch Tuesday releases to reverse-engineer vulnerabilities. That's because most users take a reasonable amount of time to patch software -- if they apply updates at all -- noted Budd, meaning that a vulnerability for which a patch exists can still be a valuable addition to an attacker's exploit kit.
To get an idea of the scale of this potential problem, Budd recently analyzed all of the XP vulnerabilities Microsoft patched during 2013 and then determined how many of those flaws were also in either Windows 7 or Vista. He cited 88 such vulnerabilities last year alone and cautioned that attackers are unlikely to experience diminished success reverse-engineering Windows 7 and 8 vulnerabilities in the coming years.
"One of the first things attackers are going to do on Patch Tuesday is to go see if a vulnerability works on XP," said Budd, "because if it works on XP, it's going to work until the end of time. You now have a 100% guaranteed attack on XP always."
Christopher Pogue, director of digital forensics and incident response for Chicago-based Trustwave Holdings Inc., would not completely rule out a multitude of new XP-based attacks in the near term, but said even if attackers do look to quickly take advantage of XP, enterprises should still have a number of effective security controls in place to protect XP machines, like firewalls and intrusion detection systems.
Pogue advised organizations that have yet to migrate from XP to worry less about the immediate threat landscape and more on performing a complete risk assessment. He said such an assessment should clarify which of three possible paths an enterprise should take: move away from XP as soon as it is feasible, pay Microsoft a potentially costly sum for an extended support agreement or decide that the risk posed by XP isn't grave enough to warrant the migration costs.
"It just becomes a cost benefit analysis," Pogue said, advising enterprises to make the decision by weighing the cost of the upgrade against the likelihood and cost of a breach scenario involving XP. "Even if you upgrade, it's not a silver bullet."
Future XP threats
Looking long term, experts have warned that the threat landscape for Windows XP and Office 2003 does look bleak.
In a blog post last week, Tim Rains, director of product management for Microsoft's Trustworthy Computing Group, laid out some of the top XP threats, running the typical gamut from complex Web-based attacks to run-of-the-mill phishing emails. Rains also warned small businesses and consumers -- in particular -- of the rise the company has seen in ransomware like CryptoLocker, which criminals use to extort victims by encrypting sensitive data on their systems.
With Windows XP users are unable to patch future vulnerabilities. F-Secure's Sullivan said one of the gravest scenarios would be the introduction of a threat like Conficker, a self-propagating RPC worm that wreaked havoc on millions of Windows users.
"If anything does come out that has any sort of hint of wormability," Sullivan said, "then you're screwed if you've got XP in your enterprise."
Attackers are more likely to eschew any complicated exploits in favor of simple attacks against the expiring Office 2003, which Sullivan said is often found in the same ecosystem as XP and outdated versions of Internet Explorer (IE). Recent statistics from Cambridge, Mass.-based analysis firm Forrester Research confirm that suspicion. It surveyed 155 clients in October 2013 on their currently deployed productivity suites and found that 28% were still using Office 2003.
Such ecosystems are often further completed by woefully outdated of versions of IE, he said, noting that many government agencies are mandated to run IE in order to maintain IT uniformity. In those environments, IE or Outlook may automatically open email attachments with Word or Excel, where default settings will oftentimes allow those programs to automatically run Flash objects and the like embedded in attachments.
In fact, the attackers behind the infamous 2011 RSA hack used a malicious object embedded in an Excel document to gain a foothold in the security vendor's network. Consumers that continue to use XP can largely eliminate such attacks by using alternative Web browsers like Google's Chrome and Mozilla's Firefox, as well as choosing a different email client, but Sullivan cautioned that enterprises stuck on XP often don't have those choices.
"My concern with enterprises using XP is that their entire ecosystem is probably out of date, not just XP," said Sullivan. "And that's going to be very hard for them to secure."