Microsoft warns Windows XP users risk 'zero day forever'

Microsoft's latest tack in trying to wean users off Windows XP is to warn them of a possible 'zero day forever' scenario in the post-April 2014 support cut-off world.
Written by Mary Jo Foley, Senior Contributing Editor

If you think you've heard it all about the impending end of support for Windows XP, get ready for messaging overload over the next eight-plus months.


Microsoft has been beating the XP end-of-support drum ever more loudly. Earlier this summer, Microsoft gave its reseller partners marching orders to step up their warnings about the end of support for Windows XP on April 8, 2014. This week, Microsoft echoed that warning, adding a new twist, via an August 15 post on the Microsoft Security Blog.

As Microsoft execs have been cautioning for more than a year, after April 8, 2014, users running Windows XP Service Pack (SP) 3 -- the last service pack delivered for the 11-year-old operating system -- won't get any more updates. That includes both security and "non-security" hot fixes, free or paid support options and online technical content updates.

Despite that fact, Microsoft officials admit they know of customers who still won't have completed their migration off XP by that date. And some customers are still maintaining they won't migrate off XP until the hardware it is on fails, officials conceded.

In the new Security Blog post, Tim Rains, Microsoft's Director of Trustworthy Computing, threw in some new cautions about ignoring the April 8 XP support cut-off date.

The mitigations Microsoft developed for XP SP3 were "state of the art" when they were published years ago, but are no longer enough to block the kinds of attacks Microsoft is currently seeing, Rains said. (The chart embedded in the post above shows Microsoft's data on infection rate by Windows release for Q4 2012. The red bar is XP.)

Rains noted that after April 8, "attackers will likely have more information about vulnerabilities in Windows XP than defenders." Microsoft's Security Response Center currently releases security updates for all affected products simultaneously, giving users an advantage over attackers, Rains said, reducing the time that attackers have to reverse engineer vulnerabilities.

Rains continued:

"But after April 8, 2014, organizations that continue to run Windows XP won’t have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP."

Because a security update will never become available for XP after April 8, "Windows XP will essentially have a 'zero day' vulnerability forever," Rains said.

How likely is this scenario, realistically? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8, Rains said.

Windows XP still had more than 37 percent desktop OS share as of June 2013, according to NetMarketshare.com. Despite that fact, Microsoft officials have said they have no plans to extend yet again the cut-off date for support for XP.

I know we have a number of XP holdouts reading ZDNet. Do these stats sway you? If not, I'm curious: why aren't you afraid to continue running XP after support ends?
