XPocalypse, not now
- 09 June, 2014 04:53
Two months after Microsoft withdrew support for Windows XP, the catastrophic wave of exploits that security experts predicted would quickly wash over the aged operating system has failed to materialize.
Microsoft provided its last regularly-scheduled security updates for Windows XP on April 8, making only a single one-time exemption several weeks later when it patched a then-being-exploited vulnerability in Internet Explorer, including the browser on XP.
But widespread, extraordinary Windows XP-specific attacks have not unfolded. Or perhaps better put, if they have, they haven't reached a level where watchful security companies have noticed. And antivirus vendors are among the first to shout warnings, both for altruistic and self-serving reasons.
Instead, the malware landscape has been populated with the usual, an unfortunate run-of-the-mill blend of phishing attacks, exploit kits and ransomware.
That's not what some security professionals believed would happen.
"When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks," said Jason Fossen, a trainer for SANS and an expert on Microsoft security, in an August 2013 interview. "But if they sit on a vulnerability, the price for it could very well double. [So hackers] will be motivated to sit on them."
Fossen's thesis -- that cyber criminals would "bank" Windows XP vulnerabilities and put them to use only after April 8, 2014 -- was not his alone. Microsoft believed it, too.
Several times in the last 12 months, the Redmond, Wash. company warned Windows XP customers to get the lead out, ditch the creaky, leaky OS or face a certain surge in attacks. The most notable was in October 2013, when Tim Rains, director of Microsoft's Trustworthy Computing group, cited statistics from the firm's own telemetry to suggest that post-retirement Windows XP malware infection rates could jump dramatically.
So far, nothing.
To be fair, no one posted a timetable when XP would suffer additional slings and arrows, although Rains did predict late last year that in 2014 the operating system "will not be able to keep pace with attackers, and more Windows XP-based systems will get compromised." Safe bet.
In fact, a close look at the example Rains touted -- of Windows XP Service Pack 2 (SP2) -- showed that infection rates only truly spiked more than a year after it was retired and replaced by Windows XP SP3.
"If I could predict when the giant wave of XP bugs were going to hit, I could also surely predict this year's World Series winner," said Andrew Storms, director of DevOps at CloudPassage, a San Francisco security firm, when asked about the lack of public attacks.
But with each passing day that Windows XP PCs remain unassailed, complacency is sure to set in as users start to believe that Fossen, other security experts and, most of all, Microsoft were crying wolf.
That would feed right into the conspiracy theories some have grasped, that Microsoft only yanked support for XP to boost flagging sales of Windows 8.1 PCs, that it had the capability to provide patches (true, actually) but declined to do so in the expectation that it would reap a windfall from enterprises extorted of millions in extended support contracts (not true, as it significantly reduced prices of those contracts just before XP dropped from support).
One can get a glimpse of both the complacent and the conspiracist simply by looking at the coverage last month of a hack that duped Windows Update into serving Windows XP systems with patches, but patches from a cousin-once-or-twice-removed, Windows Embedded POSReady 2009. That version, admittedly based on Windows XP SP3, was designed for point-of-sale systems, particularly cash registers, and automated teller machines.
The last time we looked, our home and business PCs were not dispensing Andrew Jacksons.
The story got broad play in the tech and even mainstream media. (Computerworld was not above the fray; it ran a story as well.) And as Microsoft warned customers not to try the hack, some scoffed, hearing yet more dissembling.
"Of course they say it is a bad idea to use the hack, they want people to move to Windows 8 and later Windows 9," chimed in a reader identified only as "nilst2011" in a comment appended to the Computerworld news story.
Complacency ruled, too, as many argued and even more assumed that the hack and its not-quite-XP patches would keep them safe -- attitudes that drove IT managers crazy. On PatchManagement.org's mailing list, where IT professionals discuss patches and patching, the XP hack has been widely panned on several levels, from its legality to whether it really will work long-term.
"If you are willing to risk everything in order to avoid dropping a 10-year-old OS, be my guest. Just stop misleading the average user that they can protect themselves while still using XP," said one clearly-frustrated commenter on the mailing list.
More important, the lack of evidence of ongoing exploits against Windows XP meant nothing, argued Storms. "We all know there are still bugs in XP and we all assume there has to be some zero-days still to be found," Storms said, using the term for an exploit of an unpatched vulnerability. "[And] there is no doubt that some XP zero-days are prancing about the black markets as we speak."
Under-the-radar attacks could be executing even now, said Storms, who contended that the most likely use of unpatched Windows XP vulnerabilities would be against what he called "high-value targets," the kind in the crosshairs of very focused, limited attacks that are aimed at specific corporations and government agencies. All it takes for a successful infiltration of a network is one careless click by one employee tricked by a well-crafted email.
"But the thing is that the available market of high-value [Windows XP] targets is quickly dwindling and has been dwindling for years," said Storms. "I'll put money on the news headline that says a big XP zero day has been released. But let's be smart here: It's not going to be immensely impactful like Code Red, the Morris worm or Conficker."
Some of Storms' examples did significant damage, spread promiscuously or were resistant to eradication. 2008's Conficker, for example, was still infecting millions of Windows PCs years after its debut.
Such massively-disruptive malware has become a thing of the past. Still, some have used the same examples as Storms when wondering aloud what Microsoft might do, after Windows XP was retired, if something similar hit the Internet. Would Microsoft retract its promise, and patch the flaw?
No one knows.
Storms had another good point: Windows XP is steadily diminishing as an attractive target simply because, although it still powers about a fourth of all personal computers, its share is shrinking.
In the last 12 months, XP has dropped 12.5 percentage points, shedding 33% of the user share it held in May 2013, according to analytics firm Net Applications. If Windows XP continues to lose user share at its current tempo, it will be powering less than 10% of all personal computers a year from now.
Cross your fingers that nothing happens in the meantime.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.