Hackers cash in on Windows XP retirement, exploit kit prices to surge?

Hackers cash in on Windows XP retirement, exploit kit prices to surge?

Summary: Are cybercriminals looking to reap the rewards the day Microsoft stops patching Windows XP?

TOPICS: Security, Microsoft

Perhaps Microsoft's warning of 'zero day forever' scenarios if users fail to upgrade from Windows XP will come to pass, as hackers look to cash in on the day the operating system is retired.

Earlier this month, the Redmond giant said that users who refuse to update their systems before the April 8, 2014 cut-off point for Windows XP are going to be more vulnerable to hacking attempts.

Once Microsoft officially retires the system, there will be no more fixes or patches available for Windows XP. In addition, support options and online technical content updates will be off the cards, and users will essentially "have a 'zero day' vulnerability forever."

Past April 8, hackers will have more information at their fingertips to poke holes in the system. In a blog post, Tim Rains, Microsoft's Director of Trustworthy Computing wrote:

"After April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP."

Jason Fossen from the Sans Institute appears inclined to agree. The security expert believes that once the system is no longer patched, hackers who have zero-day exploits for XP stored up will either let them cause chaos on vulnerable systems or sell them on for a hefty profit.

As reported by Computer World, Fossen believes that once Microsoft stops patching the ageing system, new vulnerabilities will push the price of exploits up on the market. Fossen says that the current average price per vulnerability is $50,000 to $150,000, but this is likely to shoot up once the tech giant stops investigating zero-day exploits and releasing patches to fix them.

"When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks," Fossen says. "But if they sit on a vulnerability, the price for it could very well double."

See also: Your perilous future on Windows XP

If this theory proves to be true, we will probably see signs of "bug banking" -- a reduction in XP vulnerabilities disclosed or let loose in the wild as cybercriminals choose to sit on them in order to profit later and keep Microsoft in the dark until after the cut-off point.

Although there is no true precedent to back up the security expert's claims, considering that Windows XP still had over 37 percent desktop OS share as of June this year -- according to NetMarketshare.com -- and Microsoft's data on infection rates, it seems likely.

microsoft system infection rates
Infection rate (CCM) by operating system and service pack in the fourth quarter of 2012 as reported in the Microsoft Security Intelligence Report volume 14.

Despite the high number of users still working with the ageing operating system, Microsoft has no plans to extend the deadline.

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Windows 8 64bit

    Now that seems like a pretty secure place to be in :)
    Dreyer Smit
    • lol

      Hi :)
      Yeh, "security by obscurity" but once more people are using it then exploits will soar.
      Regards from
      Tom :)
      • Security By Obscurity

        Hey! I got that! I have a Mac! =D
    • A pretty secure place

      Arch Linux and dynamic IP.
      " Now that seems like a pretty secure place to be in :) "
      Theon Fox
  • Get off the Internet

    The best way to avoid these exploits is by not putting theses systems on the internet.
    • Or by simply UPDATING...

      Simple enough...
      • Update How?

        But if Microsoft are no longer providing patches, then how would one update?
        • RE: Update How?

          Custom support. Very expensive.
          Rabid Howler Monkey
        • Buy the latest OS instead of running XP

          Seems pretty obvious to me, XP is dead in the water in April. Upgrade or have your computer become the latest member of a botnet.
          • How about having one's cake and eating it too?

            With Windows 8 Professional, one can run Windows XP inside the Hyper-V client. Perhaps, one's Windows XP applications will be fully supported in Hyper-V, perhaps, not. And, to the extent possible, use Windows 8 applications for Internet-related activities. Here's a HowTo from TechRepublic:

            "Install Windows XP in Windows 8 Client Hyper-V

            And learn how to manage snapshots with Windows 8 Client Hyper-V for both third party software updates and Internet usage.

            For those that cannot afford a new desktop/laptop PC with Windows 8 Professional, there are some preventive measures that can be taken to avoid one's Windows XP-based PC becoming a member of a botnet. Why preventive measures? Because there's no protection available for Windows exploits based on unpatched Windows kernel vulnerabilities. Consider reboot-to-restore software as a possible solution.

            Install a free reboot-to-restore solution (e.g., Reboot Restore Rx from HorizonDataSys, Returnil Virtual System 2010 Home from Returnil) and restore Windows XP after each use on the Internet. One can still update third party software such as one's web browser, email client, office suite, media player, etc. running on Windows XP to reduce their attack surface. And most current versions of reboot-to-restore software protect the master boot record (MBR) from bootkits such as Alureon/TDSS.

            Finally, just to be safe, for online financial transactions (e.g., shopping, banking, trading), use a GNU/Linux LiveCD. It's a bit inconvenient, but better than rolling the dice.
            Rabid Howler Monkey
          • Virtual won't work

            A lot of software won't run in a virtual environment, especially the old clunker programs that require XP.
          • Running VM WinXP from Win7/8 sucks

            Some programs (both 16 and 32 bit) just don't function properly, it's slow as all get out to load, even with 4GB of memory allocated. If you're not the adventurous type, I'd suggest you grab a Win7 32 bit upgrade right quick, it will run both most 16 and 32 bit programs. If you're the adventurous type, go for the VM solution with Win7 or 8 64 bit, but I don't think you'll like it at all.
      • The correct word upgrade. (NT)

  • MICROSOFT IS SNEAKY ENOUGH ... but they are actually cutting off their

    future by their strategies.
    I think this is going to backfire on Microsoft. They know they have a huge user base that they are willing to abandon to force them to update to Windows 8 so their bottom line will get better. But, given Microsoft's proclivities to throw their users under the bus if they are not contributing to their bottom line, my next stop is either Chromebook or Apple. I've already ordered my Chromebook! LOL!
    Perhaps MS doesn't see the rise of the competing OS based around Linux. Time to sell MS stock if you ask me. There is Nothing like supporting the competition!!
  • FUTURE HEADLINE: Now that Windows 9 is out, ...

    we all know how Windows 8.1 was an operating system that sucked so bad because it was constantly being attacked by malware. You'd better update as soon as possible to avoid all sorts of problems.
  • fair enough

    Most of this "archaic" Windows XP code is still present in "new" versions. So those exploits will be zero day on any Windows too.
    • Except...

      the newer OSs will be patched, XP won't.
      • still

        You might want to research why those exploits are called "zero day".
  • FUD

    This is such BS. I have 12 systems running XP without the latest patch that have NEVER had an infection. Ever. I've been running like this for 8 years now.

    I will never need Microsoft Support or patches and good luck for those hackers getting past my firewall and router.

    The only thing I may miss is their antivirus, but there are third party apps still out there. I can get an antivirus for win2k still.

    This is just to fool the lemmings into buying the latest crap. Microsoft is dying, people are switching to tablets and smart phones.

    Business will continue to run their XP systems inside their lan and most people that are behind a firewall / router will be fine as long as they don't do anything dumb.

    Use a hosts file and don't go to sketchy sites and you'll be fine forever.
    • Sketchy sites? Legitimate web sites are compromised frequently.

      Malicious ads are served and JavaScript get's inserted, often through iFrames, and users get redirected to web sites under the control of the miscreants, many of which serve exploit kits which include a exploits for a variety of software with unpatched vulnerabilities:


      A relatively new tactic used by the malware miscreants is watering hole attacks:


      The best defense against such attacks are:

      o applying security updates to one's operating system and applications
      o maintaining a whitelist of one's frequently-visited, legitimate web sites to control the execution of JavaScript

      Just because you've been lucky up till now doesn't mean that you will continue to be lucky in the future. Nor does it mean that other users of Windows XP will be lucky.

      P.S. Host files are merely a variation of web site blacklisting and blacklisting is *always* a step or two behind the malware miscreants.

      P.P.S. Anti-malware software such as anti-virus and anti-spyware are often bypassed by the malware miscreants and should not be considered as a first, or even second, line of defense these days.
      Rabid Howler Monkey