Hackers cash in on Windows XP retirement, exploit kit prices to surge?

Are cybercriminals looking to reap the rewards the day Microsoft stops patching Windows XP?
Written by Charlie Osborne, Contributing Writer

Perhaps Microsoft's warning of 'zero day forever' scenarios if users fail to upgrade from Windows XP will come to pass, as hackers look to cash in on the day the operating system is retired.

Earlier this month, the Redmond giant said that users who refuse to update their systems before the April 8, 2014 cut-off point for Windows XP are going to be more vulnerable to hacking attempts.

Once Microsoft officially retires the system, there will be no more fixes or patches available for Windows XP. In addition, support options and online technical content updates will be off the cards, and users will essentially "have a 'zero day' vulnerability forever."

Past April 8, hackers will have more information at their fingertips to poke holes in the system. In a blog post, Tim Rains, Microsoft's Director of Trustworthy Computing, wrote:

"After April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP."

Jason Fossen from the SANS Institute appears inclined to agree. The security expert believes that once the system is no longer patched, hackers who have stored up zero-day exploits for XP will either let them loose to cause chaos on vulnerable systems or sell them on for a hefty profit.

As reported by Computerworld, Fossen believes that once Microsoft stops patching the ageing system, new vulnerabilities will push up the market price of exploits. Fossen says that the current average price per vulnerability is $50,000 to $150,000, but this is likely to shoot up once the tech giant stops investigating zero-day exploits and releasing patches to fix them.

"When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks," Fossen says. "But if they sit on a vulnerability, the price for it could very well double."


If this theory proves true, we will probably see signs of "bug banking" -- a drop in the number of XP vulnerabilities disclosed or let loose in the wild, as cybercriminals choose to sit on them in order to profit later and keep Microsoft in the dark until after the cut-off point.

Although there is no true precedent to back up the security expert's claims, the scenario seems likely given that Windows XP still held over 37 percent desktop OS share as of June this year, according to NetMarketshare.com, and given Microsoft's own data on infection rates.

[Figure: Infection rate (CCM) by operating system and service pack in the fourth quarter of 2012, as reported in the Microsoft Security Intelligence Report volume 14.]

Despite the high number of users still working with the ageing operating system, Microsoft has no plans to extend the deadline.
