Microsoft warns Windows XP users risk 'zero day forever'

Summary: Microsoft's latest tack in trying to wean users off Windows XP is to warn them of a possible 'zero day forever' scenario in the post-April 2014 support cut-off world.


If you think you've heard it all about the impending end of support for Windows XP, get ready for messaging overload over the next eight-plus months.


Microsoft has been beating the XP end-of-support drum increasingly loudly. Earlier this summer, Microsoft gave its reseller partners marching orders to step up their warnings about the end of support for Windows XP on April 8, 2014. This week, Microsoft echoed that warning, adding a new twist, via an August 15 post on the Microsoft Security Blog.

As Microsoft execs have been cautioning for more than a year, after April 8, 2014, users running Windows XP Service Pack (SP) 3 -- the last service pack delivered for the 11-year-old operating system -- won't get any more updates. That includes both security and "non-security" hot fixes, free or paid support options and online technical content updates.

Despite that fact, Microsoft officials admit they know of customers who still won't have completed their migration off XP by that date. And some customers are still maintaining they won't migrate off XP until the hardware it is on fails, officials conceded.

In the new Security Blog post, Tim Rains, Microsoft's Director of Trustworthy Computing, threw in some new cautions about ignoring the April 8 XP support cut-off date.

The mitigations Microsoft developed for XP SP3 were "state of the art" when they were published years ago, but are no longer enough to block the kinds of attacks Microsoft is currently seeing, Rains said. (The chart embedded in the post above shows Microsoft's data on infection rate by Windows release for Q4 2012. The red bar is XP.)

Rains noted that after April 8, "attackers will likely have more information about vulnerabilities in Windows XP than defenders." Microsoft's Security Response Center currently releases security updates for all affected products simultaneously, giving users an advantage over attackers, Rains said, reducing the time that attackers have to reverse engineer vulnerabilities.

Rains continued:

"But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP."

Because a security update will never become available for XP after April 8, "Windows XP will essentially have a 'zero day' vulnerability forever," Rains said.

How likely is this scenario, realistically? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8, Rains said.

Windows XP still had more than 37 percent desktop OS share as of June 2013, according to Despite that fact, Microsoft officials have said they have no plans to extend yet again the cut-off date for support for XP.

I know we have a number of XP holdouts reading ZDNet. Do these stats sway you? If not, I'm curious why you aren't afraid to continue running XP after support ends?


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

  • My migration plan

    My plan is to wind down Windows XP on the ten year old desktop in my office and replace it with Ubuntu.
    • How many machines?

      Is it just you?
    • Why wait?

      It'd probably be best if you started to move over everything as soon as you have the time.
      Michael Alan Goff
      • No, this ends here.

        I'm not migrating. XP is the best that humanity has come up with as a Desktop operating system. It deserves to die along with the class of machines it helped shape and define. Goodbye, PC era. I salute as we drive into the future, the Post-PC-era.
        Han CNX
    • Something wrong with Windows 7?

      Something wrong with Windows 7?
      • Win7 works for me . . .

        I'm holding out on XP on my ancient classroom computers until I need to replace them. And I'm happy with Win7 at home and on the ones that have been replaced. I hope to avoid Win8, but that's going to depend on how soon Win7 disappears.
        • Good Luck! You're going to need it!

          I hope that none of your "ancient classroom computers" are on the Internet or networked after April 8, 2014! If they are, you are asking for trouble! I had a handful of computers running Windows 2000 on a network with Internet access a few months after Microsoft pulled the plug on Windows 2000, and most of the computers on our network got infected with several pieces of malware that made use of a security hole that Microsoft had a Windows XP patch for, but did not write a Windows 2000 patch for. After our Windows XP machines were brought up-to-date, they could be cleaned and stay clean, but the Windows 2000 machines couldn't be put back on the network for more than a few minutes before getting infected again. Unfortunately, some of the NAS units were running proprietary pseudo-Windows operating systems that were vulnerable, and there were no patches for them. I'm not a great fan of Windows 7 ("It's better than Vista and Windows 8!"), but we're in the middle of replacing all of our Windows XP desktops with Windows 7 machines (or in some cases upgrading them to Windows 7.) I don't want to have to spend MONTHS cleaning up computers because they are unprotected from security holes that Microsoft has only patches for supported OS's.
          • Hmm...

            If you don't protect your Windows with 3rd party mechanism you get results like this ... my Millennium is still going strong
          • re:Hmmmmm

            If one is too lazy to replace XP one is not going to bother with 3rd party protection. In fact that person is probably unaware they need it. Anyone using XP after April 2008 deserves every infection they get.
      • "Something wrong with Windows 7?" -CobraA1

        Plenty. Compared to XP, too many steps needed to do the same things. Now, people are saying Win 8 is even worse. XP was a step up from Win 95 in the labor it could save. Everything since from Microsoft seems to have been a step down in that respect.
        • Good bye Microsoft, you bums.

          You are so right. I've been saying that the first time I tried that abomination called Windows 7. Too many clicks. Unnecessary added crap. The way the folders opened is tedious. XP has a great folder system and control panel. I liked the Documents and Settings folder in XP. And of course the start menu. Windows 7 start menu sucks. And I hate the glassy Aero theme. That's why I won't upgrade to 7. I will be using beautiful, simple XP for right now. Then I'll have to see if I can dual boot with Zorin. The one good thing about Linux is that they give the user different interfaces.
          • I hope that's sarcasm

            Do you use a rotary phone too?
    • Ha. Ok.

      First off, Windows XP doesn't actually need some kind of wind down. I guess you must mean you're trying to hammer out what all the replacement programs you will need are, or may be, and to have everything in place ready to go. But seriously, Ubuntu is free. Why waste your time with dirty old Windows at all any more?

      What took you so long?

      And it's a pretty darn fair comment to wonder what kind of business you're in/or not.

      10 year old desktop with XP? Well, I guess there go the old stories that Windows boxes just don't hold up.

      And I guess there's validation for what should already be the well-known fact that nobody is giving up the PC, they just don't need a new one.

      And sorry to say, there are certain kinds of business, like for example, let's say one was in some actual computing related business like video editing, a guy with a 10 year old PC with XP on it who's planning his next big migration to Ubuntu isn't exactly confidence inspiring.

      But to each his own. Carry on.
    • Nooo...

      Ubuntu has spyware. Every search you do gets sent to Amazon. You can turn it off, though; however, I highly recommend you try out Linux Mint, Elementary OS Luna, Manjaro Linux - the one I use, which is much faster than all of the others since it uses Arch Linux as a base. Check it out.
      • Nooo... (Reply to Unbiased4You)

        A few things, FYI:
        1. Ubuntu doesn't have spyware; the Amazon thing is *ADWARE.* They're NOT the same thing. The Dash functions like a Google search--except it covers the Amazon web site, and not the entire web. Unless you think the Google web site is spyware, you needn't worry! ;)
        2. You can turn off the Amazon search function easily enough; just go into your settings and privacy functions and turn off searching the web with Dash.
        3. You can also uninstall the Amazon function.
        4. The Amazon function isn't in Ubuntu's many variants, like Kubuntu, Lubuntu, or Xubuntu.

        I've had several clients switch from Windows XP to some variant of Ubuntu, and most are quite pleased. One person told me that running Lubuntu on her computer was quicker and easier than when it was new and running Windows XP! ;)
    • Ubuntu

      You might want to try Linux Mint too. I think it's better than Ubuntu.
    • That's tempting.

      I've got a Dell GX620, and officially, I think it supports the same OSes as the Intel D845GVSR motherboard (RedHat 8, RHEL 4 and 5, as well as XP and earlier). I would upgrade to Windows 7, but I'd need an extra 1GB of RAM, which would overload the processor, and I don't think my onboard graphics card supports DX9, so I'd have to buy a new one of those, too. Fortunately, unlike my Intel motherboard, this Dell one has a PCIe x16 slot built in.
      Richard Estes
    • Smart Move

      See, this is brilliant!
    • don't need em anymore

      Ubuntu, Kubuntu, Mint, Knoppix... there are so many other choices to dual boot.
      If I need an XP app I go back to XP but do ALL my web work with Linux... and get updates