Windows XP: Microsoft’s ticking time bomb

19 Dec 2013

Shona Ghosh examines the security threat posed by Microsoft’s decision to end support for its 12-year-old OS in April

The final deadline for Windows XP support will act as a starting pistol for hackers, as they target hundreds of millions of users on unpatched systems.

Microsoft has already granted the 12-year-old OS several stays of execution, but the firm has said it will finally end extended support on 8 April 2014 – despite the fact that XP remains the second-most popular OS, with almost a third of PCs running it.

These hundreds of millions of desktops and laptops will be vulnerable to hackers once XP stops receiving security updates, with Microsoft warning earlier this year that hackers could use patches issued for Windows 7 or Windows 8 to scout for XP exploits.

"The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares [them]," wrote Tim Rains, the director of Microsoft’s Trustworthy Computing group.


"If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP," Rains added. "Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a zero-day vulnerability forever."

Microsoft noted that XP shared 30 security holes with Windows 7 and Windows 8 between July 2012 and July 2013, giving hackers ample opportunity to reverse-engineer vulnerabilities.

Ed Shepley, solutions architect at migration specialist Camwood, said users don’t seem convinced by the threat. He added that he’s surprised Microsoft’s warning didn’t lead to "hundreds of people phoning us that day". According to Shepley, the end of XP support poses a "significant risk".

Other risks

Failure to migrate could leave businesses open to infections, denial-of-service attacks and data theft, according to Camwood. Aside from the inconvenience and costs to address the attack, companies can also face fines.

For example, American regulators have warned that banks that fail to upgrade their software from XP will be liable if customer credit-card data is stolen as a result. In the UK, the Information Commissioner’s Office hasn’t issued such clear-cut guidance, but under data-protection law it has the power to fine institutions that don’t hold credit-card information securely in their systems.
