Microsoft yesterday warned Windows XP customers that they face never-patched, never-dead "zero-day" vulnerabilities if they don't dump the 12-year-old operating system before its April 2014 retirement deadline.
Call them the "walking dead" of vulnerabilities. Call it XP Z -- "Z" for zombies.
The warning -- just the latest in a two-year campaign to denigrate XP and convince users to leave it behind -- was similar to one given earlier this week by a long-time SANS security trainer, who predicted that hackers would save their vulnerabilities until after XP's retirement, then unleash them on unprotected PCs.
"The very first month [after April 2014] that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," said Tim Rains, a director in Microsoft's Trustworthy Computing group, in a Thursday blog.
"If [XP shares the vulnerabilities], attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," Rains said.
Reverse-engineering of patches is a common practice by both security researchers and cyber criminals.
Once a patch is released -- say for Windows 7 in May 2014 -- hackers can do a code comparison between the updated and non-updated versions to locate the changes. With the changes in hand, astute researchers can figure out where the vulnerability was. Finally, they can use that information to poke around Windows XP to see if it, too, has buggy code similar to the non-patched Windows 7.
As Rains pointed out -- and history has shown -- it's certain that a number of the flaws fixed in the future in Windows Vista, Windows 7, even Windows 8, will also exist in Windows XP, if only because Microsoft has dragged copious amounts of legacy code, some pre-dating XP, into its newer OSes.
That's one of the reasons why when Microsoft patches a bug in Windows 8, it often also patches the same vulnerability in older editions.
Of the three security updates that applied to Windows XP in the collection Microsoft shipped on Tuesday, for example, two also applied to Vista, Windows 7 and Windows 8. According to statistics Rains cited, over the last year the same percentage of XP vulnerabilities would have been game for reverse-engineering: Of the 45 security bulletins that applied to XP between July 2012 and July 2013, 30 affected Windows 7 and Windows 8.
Rains also ran down XP's security prowess, saying that its primary defense, DEP, for Data Execution Prevention, has become less effective as hackers have learned how to bypass it. (Windows XP lacks another defensive technology, ASLR (address space layout randomization, that is enabled by default on Vista, Windows 7 and Windows 8.)
Sign up for CIO Asia eNewsletters.