Hackers will have at least one, perhaps as many as four, patches next week to investigate as they search for unfixed flaws in Windows XP, the 13-year-old operating system that Microsoft retired from support April 8.
"Come Tuesday, Microsoft will be patching some vulnerabilities in Windows, and it is realistic to assume that at least one of these will also affect Windows XP," said Kasper Lindgaard, director of research and security at Secunia, in an email Friday. "Generally speaking, newly discovered vulnerabilities in XP will be unpatchable for private users, and therefore we will see a rise in attacks."
On May 13, Microsoft's regularly-scheduled monthly Patch Tuesday, the Redmond, Wash. company will issue eight security updates for its software. But because it has stopped providing updates to owners of Windows XP PCs, those customers will not see any of the eight.
Hackers will use the patches to find vulnerabilities in Windows XP, Microsoft and security experts have said. By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7 — which will be patched — then sniff around the same part of XP's code until they discover the bug there. From that point, it will be relatively straightforward for them to craft an exploit and use it against unprotected XP PCs.
"Patches to the other Windows operating systems will be reverse engineered by hackers, seeking to discover which vulnerabilities were fixed by Microsoft, and if applicable, modified to work against Windows XP," Lindgaard said.
He's not the only one who believes hackers will leverage updates to find unpatched bugs in XP. So does Microsoft.
"After April, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Dustin Childs, director of Microsoft's Trustworthy Computing group, last October. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."
Four of the eight scheduled security updates that Microsoft plans to ship next week look like candidates for hackers because they will affect all client versions of Windows, including Windows Vista, Windows 7, Windows 8 and Windows 8.1. Before Microsoft stopped pushing patches to XP, it was rare for an update to fix one or more newer editions of Windows, but not patch XP at the same time.
One of the four will impact all instances of IE, so there's a very high chance that that update would have patched the pertinent editions of the browser — IE6, IE7 and IE8 — on Windows XP if Microsoft had continued updating the old OS. The upcoming fix for IE was rated "critical," Microsoft's highest threat warning, and was also tagged with the phrase "remote code execution" in last week's advance notification, meaning that if successfully exploited, attackers could hijack the PC and plant malware on its drive.