
Will April 9, 2014 be a Very Bad Day for Windows XP Users?

Transcript (Lightly Edited)

Hey everyone, I’m Leo Notenboom for askleo.com.

I had someone ask me a question this morning. Basically, they pointed me at an article from an online publication called networkworld.com. The title was “Targeted attacks spotted in the wild exploiting Windows XP zero-day”. The article goes on to talk about the possibility that:

“Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hot-fixes for XP is released in April 2014, that their exploits will work forever …”


Now the writer led in with a discussion about some kind of zero-day vulnerability that’s apparently been discovered in the wild today or recently, and centers much of their fear around that specific vulnerability as an example, I guess.

The problem is that one [vulnerability] really doesn’t concern me, because it’s been discovered before the cutoff date. What that means, of course, is that I expect that one is going to get fixed. If it’s severe enough, if it’s important enough, it will get fixed with that last round of hot-fixes that they’re talking about. And I really do think that this concept of the cutoff date, and what happens before and after it, is a really, really important issue to understand when we start talking about what it sets the stage for... and that’s a really, really big unknown.

The end of XP support this year really means one and only one thing. It means that Microsoft will no longer make any security fixes to Windows XP. That’s it.

All they’ve been doing for the last couple of years [for Windows XP] is making security fixes. All the normal bug fixes, all the other issues; they haven’t been fixing those for a long time. This is the final stage – the last step. This is where they stop fixing security-related issues.

So, if a serious enough vulnerability is found in Windows XP before that date, it will likely get fixed. If it’s found after that date, well, it won’t.

The worry is that malware authors know of several, maybe even many vulnerabilities in Windows XP right now that Microsoft does not know about. They’re holding on to that; they’re keeping it secret so that Microsoft doesn’t find out. They’re holding on to that malware that uses those vulnerabilities until the end-of-support date finally passes, because after that date, Microsoft has said that they won’t fix anything, even if they do know about it.

Then things get interesting.

The malware authors would, theoretically, be free then to unleash their malware on the world. In what some are calling the “XPocalypse”, Windows XP users would be vulnerable to and unprotected from this new wave of malware; malware that exploits vulnerabilities that will never, ever be fixed.

Here’s the real problem: we don’t know just how worried we should be.

There’s no data that I’m aware of that says the malware authors are in fact holding on to this big pile of vulnerability knowledge. There’s also no data that says they aren’t, or if they are, just how many there might be. How bad is it really? We just don’t know.

Everything around this issue, as I understand it, is complete speculation. It’s plausible, but it’s certainly not proven. It’s very possible that this could be Y2K all over again and the end of support for Windows XP will be, effectively, a non-issue; the date will come and nothing will happen. It’s also possible that April 9th (currently the day after the end of support) could be a very, very bad day for people running Windows XP.

If something were in fact truly, seriously apocalyptic in nature, something that would seriously affect many, if not most Windows XP users, I personally have to believe that Microsoft would step in; that they would respond somehow.

Now, the problem of course is they can’t say that. That may be their plan, but they can’t say “Ok, if there’s something bad enough we’ll fix it”.

No, they can’t say that. Why?

Because it would be another excuse for people who could and should move away from XP to procrastinate or wait even longer, or have the mistaken impression that no matter what goes wrong, Microsoft has their back.

I don’t think they’d fix just anything; I really don’t. I think it would have to be really, really serious. And that’s reason enough, right there, not to count on it. Even a moderately serious issue that affects just a few people is still pretty darned serious to those people. And there’s no way to know if you’re going to be one of them.

The bottom line here is that we really just have no idea what’s going to happen next month. Only time will tell.

If you can, moving away from XP is still highly recommended for security and a variety of other reasons.

If you can’t or won’t, well, next month could be really interesting, or it could be really boring.

I’m hoping for boring. Just like Y2K.

I’m Leo Notenboom for askleo.com.


15 comments on “Will April 9, 2014 be a Very Bad Day for Windows XP Users?”

  1. Nothing lost, the world keeps on turning.
    It’s a bit of a pity they end their support, but understandable. Money wise anyway.
    But not a reason for panic, if you back up your important stuff, that is.
    It’s only software, so if things go bad and you’re not a dedicated Windows freak install Linux on your old machine that’s still valuable for you but doesn’t have any economical value anymore.
    I’ve 3 running for the kids, and I noticed they are pretty flexible in adapting to another OS.
    And if you don’t know: Google your problem. Works 99.99995%
    Most users never use the full capabilities of their system anyway.
    There’s a lot of overkill around.

    Reply
  2. Question on cross infection between PC’s: If W7 PC is my only access to the Internet (FiOS & Ethernet) but linked to my XP machine by KVM for single KB & monitor — then is pulling the Ethernet plug on my XP enough protection? At present I exchange documents between machines by LAN & wifi and really want to keep XP software. Thanks for advice.

    Reply
    • Doing this will create the biggest problem that Leo was talking about. If the XP machine cannot get online, then its virus and malware protection programs can’t update… leaving you unprotected. You would do better to keep the XP machine online, at least often enough to do periodic updates, and then just be reasonable when using the machine. And above all – keep a good image backup of the XP computer, fully updated, in good working condition, sometime before XP support ends. If you end up with a problem you can simply revert to the clean installation and get on with your life.

      Reply
      • Trying Webroot for AV as they say they’ll continue XP support, + Carbonite for backup. Good advice, thanks Connie!

        Reply
  3. Hi Leo – you make some really great points here. Thank you for expressing them so concisely! I love the comparison between Windows XP and Y2K, which I believe is a very valid comparison in most senses. But there’s one very important point to note here about where the comparison abruptly ends: Y2K was the result of a very real concern about major worldwide systems breaking down due to shortsighted planning by programmers who used abbreviated 2-digit years in code rather than 4-digit years. Fortunately for us all, when zero-day came and went, Y2K ended up being a non-event. Unlike Windows XP, Y2K didn’t have hackers, who’ve demonstrated their abilities on a daily basis, poised to unleash more of the ickiness they’ve proven they can find and use to exploit the computers upon which we rely so heavily. I believe that Windows XP’s zero-day will be a frightening one, indeed, for anyone who is still running this very old and soon-unsupported operating system. Sticking with Windows XP until and past the bitter end just isn’t worth the very tangible risk involved here. And for those trying to use Windows XP and a more recent OS in the same network, who’s to say that their XP machine won’t be exploited in a way that will make it a conduit to compromise the integrity of their other, newer network devices? It’s just a bad idea to stick with XP – kick it to the curb and move on.

    Reply
  4. If you wait to update, you might get stuck with Windows 8 or Windows 9.
    My computer-literate daughter does not like it after being on Win 8 for about 6 mos.

    If you want a program closer to XP, get Windows 7 NOW before you cannot.
    Check sites like Amazon if you have more than one computer for the Family Pack that allows 3 computers to use. They were selling for close to $150 USD.

    Reply
  5. I’ll chance it. I can’t afford anything else. We’re behind both the Windows and the router firewalls, so I’m fairly confident nothing will get in that is not invited. We’re pretty smart when it comes to what we do online and we don’t do a lot of downloading or visit unusual websites. When we do have to download it’s usually off our Windows 7 laptop. The XP desktop is mostly email these days when someone else is using the laptop. Is there a risk for the desktop computer? Yes, but it’s a risk of which I am fully informed and aware.

    Reply
  6. Let’s separate from the EOL Windows XP for a second. They are 2 extremely different situations:
    1. Y2K was the rational paranoia by computer geeks worried that THEIR computers may not run after the beginning of the new millennium. Preparations taken then were self-serving.
    2. EOL Win XP is possibly nowhere near the rational mindset, but more towards the reward for hackers and criminal types to prey on the people who are clueless and/or ignorant.

    The days of leaving your front door open in a small neighborhood will not apply here. An open front door in this case is open worldwide, and there will be bad people trying to get in. How hard they try and how skilled they are, those are the big questions.

    Reply
  7. One thing I seldom see/hear in the discussion of why “ignorant/clueless” users won’t migrate to Windows 7 or 8: MONEY. I’m not talking about grandma, who’s living on a fixed income and can’t afford to buy a new PC. I’m talking about businesses, educational institutions, and government entities. We’re talking about LOTS of money to upgrade to better hardware systems that will support Windows 7 or 8. I am in charge of maintaining the computers in a small independent school. I’ve begged and pleaded for our 60+ XP machines to be replaced – to no avail. There’s just no money available for such a large technology purchase. And please, don’t tell me to look for grant money (I have), there’s virtually nothing available to the private education system.

    Reply
  8. Virginia Smith 23 Mar 2014 posed an interesting question – one for which I haven’t seen any real good answer.

    If a computer (any OS) is connected via LAN to another computer with Internet access, but does not have Internet access itself, how is it vulnerable? Maybe my thinking is off, but it would seem that another computer would be seen as just another device to the Internet connected one.

    For example, for a long time I had my Internet modem connected to a separate router. The ISP could see the router, but not what was connected to it. In the old days this was a way to connect multiple computers to the Internet and only have to pay for one connection. I’m not sure that is true of the newer combined modem/router devices.

    So, here’s how I see it. Any malware coming in would first pass through the modem/router, then to the Internet connected computer. All it would “see” beyond that are several devices – printers, external drives, and the LAN hub/switch/router – with nothing to identify anything except the hardware addresses. How would it be able to determine that there is actually a computer connected on the LAN?

    If another computer connects to the Internet through the primary one, then I can understand how it is exposing itself to potential malware. Otherwise, it is hidden and no more vulnerable than, say, an external drive. Even if it does connect to the Internet through another computer, it is somewhat (not entirely) protected by the other computer. Everything has to pass through the Internet connected computer.

    If this is not correct, then please explain to me how malware could pass through one computer and a LAN connection to another one.

    Note that I did not include Wi-Fi. I don’t know enough about that, but tend to think it would be about the same as a LAN.

    Reply
    • WiFi is roughly the same as LAN, yes.

      A computer on the network is typically visible to other computers on the network *as* a computer on the network. It is in no way “hidden”. Various types of protocols are at play that make it very easy to detect that it is connected. Someone could monitor the request for an IP address when the machine boots, there’s a network naming protocol that broadcasts machine names periodically on the local LAN, and probably other things that I’m not aware of. At a minimum other machines can simply monitor traffic and note that there’s traffic of some sort coming from something at a specific IP address.

      At worst, file sharing may be enabled making it possible for malware on one infected machine to simply copy itself to the hard disk of the target computer. It’s hard to say whether that’s typical or not, but it is one of the benefits of having the computers networked to begin with. Copying files over the network is a very convenient way to move data around – all my computers have some form of sharing turned on for just that reason (not to mention remote desktop sharing as well).

      Assuming you have the machine locked down appropriately, malware on one machine can also simply start probing every device it finds on the network, looking for a computer with unpatched vulnerabilities. Yes, the software that is used on a computer to connect to the network can indeed have bugs – and if those bugs are such that they create a vulnerability then it may be possible for malware to exploit that vulnerability to gain access to that machine. Many of the earlier malware infestations were actually just that – malware that found its way to one machine propagating from machine to machine via networking bugs and vulnerabilities. Naturally we believe that things are not nearly as vulnerable now, but then again – if even one vulnerability is found after 4/8, in theory it will never be fixed.

      The Windows Firewall on XP should help some, and I recommend that it be turned on. In a way it reduces the “attack surface” available to outside threats, but it doesn’t remove it completely.

      Basically if the machine IS connected to a local network it’s connected for a reason involving the net. Whatever that reason is, it’s a potential attack vector (true for any computer). The only way to hide the machine from the network is to physically disconnect it.

      Reply
      • Thank you for this detailed explanation.

        I was thinking in terms of what you said about malware being installed on external drives; it is possible, but not currently exploited. That combined with what you said about IP addresses – generally, they cannot be traced all the way to a specific computer (note the word “generally”). Applying this to a visual similitude, someone can easily see my house, but not what’s inside it. If they could look in the windows (no pun intended), they could see some of the furniture, but not all of it, nor what is inside drawers or behind closed doors. That is, they could only see so far, and no further. Anyone inside the house has the potential to access everything.

        I view malware being comparable to burglars. For the most part they go around looking for houses with obvious vulnerabilities with no idea what may be in the house, or to simply vandalize it. Then there are those who find a way to be invited into the house to see what is there and find any vulnerabilities. A special class includes those who obtained enough information from various sources to know what is there, where it is, and the best time/way to get it.

        Some malware is like the first group. It is sent out looking for computer systems with weak security; exploiting common “unlocked doors.” A good firewall and securing open ports can block most of these. Software bugs require patches and updates, so those forced to keep XP as their primary (or sole) machines will be at the greatest risk. Once all support ends, there’s not much they can do to protect themselves. This is true of anyone running unsupported software, not just XP.

        The most common type of malware is like the second group. It is most frequently sent via e-mail, through junk added to downloaded files or from visiting questionable sites. This type can be avoided through good practices – don’t open suspicious e-mail, be careful in what is downloaded, and read each page before clicking on “OK” or “Next” during software installation. A good up-to-date malware checker and frequent scans can catch most of these. XP users won’t be at more risk than anyone else, except when their malware checkers stop being updated.

        So far, the third group has been limited to deliberate hacking. The news about such attacks show how hard it is to protect against this type of threat – regardless of the software used.

        For those who, like me, are keeping XP for special purposes on a LAN, we can isolate it by disabling the NIC except for when it is needed to transfer files (easier than disconnecting the cable). I don’t know if a Wi-Fi connection can be disabled – unless it is through a USB or external device, which can be unplugged.

        But then, as you’ve often said, all this is mere speculation. Everything could just continue as usual – just like the day after each of the proclaimed dates for Christ’s return, the catastrophe when the Mayan calendar ended, the lining up of all the planets in our solar system, and the other doomsday predictions. They COULD have happened, but they didn’t. Many other predictions did occur, but weren’t nearly as bad as claimed (although some, such as hurricanes Camille and Katrina, were worse than expected). Just like spring floods – we take whatever preventive measures we can, and hope things won’t be as bad as they could be.

        Reply
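Leo's reply above lists the ways a LAN host gives itself away (the address request at boot, periodic name broadcasts, ordinary traffic, and file sharing), and the follow-up asks about firewalls and open ports. As an added example that is not from the page or from Ask Leo!, this Python script builds the passive inventory a defender would get from watching those same signals, and flags hosts answering on file-sharing ports. The event lines are a constructed, simplified rendering of a capture (DHCP, NetBIOS name service, TCP handshakes), not real logs, and the line format is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample of observed LAN events, one per line (not a real capture).
# An "XPDESK" host boots, asks for an address, broadcasts its name, and is
# then reached on SMB (445) and Remote Desktop (3389) by the Windows 7 laptop.
SAMPLE_EVENTS = """\
2014-03-23T10:01:02 DHCP DISCOVER mac=00:11:22:33:44:55 hostname=XPDESK
2014-03-23T10:01:03 DHCP ACK mac=00:11:22:33:44:55 ip=192.168.1.23
2014-03-23T10:01:10 NBNS REGISTER ip=192.168.1.23 name=XPDESK
2014-03-23T10:02:00 DHCP DISCOVER mac=00:aa:bb:cc:dd:ee hostname=WIN7LAPTOP
2014-03-23T10:02:01 DHCP ACK mac=00:aa:bb:cc:dd:ee ip=192.168.1.10
2014-03-23T10:05:00 TCP SYN src=192.168.1.10 dst=192.168.1.23 dport=445
2014-03-23T10:05:00 TCP SYNACK src=192.168.1.23 sport=445
2014-03-23T10:06:00 TCP SYN src=192.168.1.10 dst=192.168.1.23 dport=3389
2014-03-23T10:06:00 TCP SYNACK src=192.168.1.23 sport=3389
2014-03-23T10:07:00 TCP SYN src=192.168.1.23 dst=192.168.1.10 dport=139
2014-03-23T10:07:00 TCP SYNACK src=192.168.1.10 sport=139
2014-03-23T10:08:00 TCP SYN src=192.168.1.77 dst=192.168.1.1 dport=80
"""

KV = re.compile(r"(\w+)=(\S+)")          # key=value pairs after the event type
FILE_SHARING_PORTS = {139, 445}          # NetBIOS session and direct SMB

def new_host():
    return {"mac": None, "names": set(), "seen_via": set(), "listening": set()}

def passive_inventory(text):
    """Map each IP seen on the wire to how it was noticed and what it answers on."""
    hosts = defaultdict(new_host)
    pending_names = {}                   # MAC -> hostname offered in DHCP DISCOVER
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        proto, kind = parts[1], parts[2]
        kv = dict(KV.findall(line))
        if proto == "DHCP" and kind == "DISCOVER":
            pending_names[kv["mac"]] = kv.get("hostname")
        elif proto == "DHCP" and kind == "ACK":      # address assigned: MAC now has an IP
            host = hosts[kv["ip"]]
            host["mac"] = kv["mac"]
            host["seen_via"].add("dhcp")
            if pending_names.get(kv["mac"]):
                host["names"].add(pending_names[kv["mac"]])
        elif proto == "NBNS" and kind == "REGISTER":  # name broadcast on the local LAN
            hosts[kv["ip"]]["names"].add(kv["name"])
            hosts[kv["ip"]]["seen_via"].add("nbns")
        elif proto == "TCP" and kind == "SYN":        # plain traffic reveals both ends
            hosts[kv["src"]]["seen_via"].add("traffic")
            hosts[kv["dst"]]["seen_via"].add("traffic")
        elif proto == "TCP" and kind == "SYNACK":     # a reply means a service is listening
            hosts[kv["src"]]["seen_via"].add("traffic")
            hosts[kv["src"]]["listening"].add(int(kv["sport"]))
    return dict(hosts)

def exposed_file_sharing(hosts):
    """IPs that answered on a file-sharing port: reachable by anything else on the LAN."""
    return sorted(ip for ip, h in hosts.items() if h["listening"] & FILE_SHARING_PORTS)

if __name__ == "__main__":
    inventory = passive_inventory(SAMPLE_EVENTS)
    for ip, h in sorted(inventory.items()):
        print(ip, h["mac"], sorted(h["names"]), sorted(h["seen_via"]), sorted(h["listening"]))
    print("file sharing exposed:", exposed_file_sharing(inventory))
```

Note that 192.168.1.1 and 192.168.1.77 never spoke DHCP or NBNS in the sample, yet still appear in the inventory purely from traffic, which is Leo's "at a minimum" point.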
  9. Understand what MS is trying to do, but on the same hand telephone companies still have people using rotary dial telephones. I wonder what would have happened when the old ‘ma Bell’ company were to have pushed for end of life support for old telephone systems ( back in the 70’s ). As a matter of fact, I know of a lot of installs that still have 4 wire POTS.

    Reply
    • Actually several phone systems are doing just that right now – pushing for an end to POTS (Plain Old Telephone System), hoping to replace it with mobile, VOIP or other digital systems.

      Reply