Transcript (Lightly Edited)
Hey everyone, I’m Leo Notenboom for askleo.com.
I had someone ask me a question this morning. Basically, they pointed me at an article from an online publication called networkworld.com. The title was “Targeted attacks spotted in the wild exploiting Windows XP zero-day”. The article goes on to talk about the possibility that:
“Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hot-fixes for XP is released in April 2014, that their exploits will work forever …”
Now the writer led in with a discussion about some kind of zero-day vulnerability that’s apparently been discovered in the wild today or recently, and centers much of their fear around that specific vulnerability as an example, I guess.
The problem is that one [vulnerability] really doesn’t concern me, because it’s been discovered before the cutoff date. What that means, of course, is that I expect that one is going to get fixed. If it’s severe enough, if it’s important enough, it will get fixed with that last round of hot-fixes that they’re talking about. And I really do think that this concept of the cutoff date, and what happens before and after it, is a really, really big, important issue to understand when we start talking about what it sets the stage for… and that’s a really, really big unknown.
The end of XP support this year really means one and only one thing. It means that Microsoft will no longer make any security fixes to Windows XP. That’s it.
All they’ve been doing for the last couple of years [for Windows XP] is making security fixes. All the normal bug fixes, all the other issues: they haven’t been fixing those for a long time. This is the final stage, the last step. This is where they stop fixing security-related issues.
So, if a serious enough vulnerability is found in Windows XP before that date, it will likely get fixed. If it’s found after that date, well, it won’t.
The worry is that malware authors know of several, maybe even many, vulnerabilities in Windows XP right now that Microsoft does not know about. They’re holding on to those; they’re keeping them secret so that Microsoft doesn’t find out. They’re holding on to the malware that uses those vulnerabilities until the end-of-support date finally passes, because after that date, Microsoft has said that they won’t fix anything, even if they do know about it.
Then things get interesting.
The malware authors would, theoretically, be free then to unleash their malware on the world. In what some are calling the “XPocalypse”, Windows XP users would be vulnerable to and unprotected from this new wave of malware; malware that exploits vulnerabilities that will never, ever be fixed.
Here’s the real problem: we don’t know just how worried we should be.
There’s no data that I’m aware of that says the malware authors are in fact holding on to this big pile of vulnerability knowledge. There’s also no data that says they aren’t, or if they are, just how many there might be. How bad is it really? We just don’t know.
Everything around this issue, as I understand it, is complete speculation. It’s plausible, but it’s certainly not proven. It’s very possible that this could be Y2K all over again and the end of support for Windows XP will be, effectively, a non-issue; the date will come and nothing will happen. It’s also possible that April 9th (currently the day after the end of support) could be a very, very bad day for people running Windows XP.
If something were in fact truly, seriously apocalyptic in nature, something that would seriously affect many, if not most Windows XP users, I personally have to believe that Microsoft would step in; that they would respond somehow.
Now, the problem, of course, is that they can’t say that. That may be their plan, but they can’t say, “OK, if there’s something bad enough, we’ll fix it.”
No, they can’t say that. Why?
Because it would be another excuse for people who could and should move away from XP to procrastinate or wait even longer, or have the mistaken impression that no matter what goes wrong, Microsoft has their back.
I don’t think they’d fix just anything; I really don’t. I think it would have to be really, really serious. And that’s reason enough, right there, not to count on it. Even a moderately serious issue that affects just a few people is still pretty darned serious to those people. And there’s no way to know if you’re going to be one of them.
The bottom line here is that we really just have no idea what’s going to happen next month. Only time will tell.
If you can, moving away from XP is still highly recommended for security and a variety of other reasons.
If you can’t or won’t, well, next month could be really interesting, or it could be really boring.
I’m hoping for boring. Just like Y2K.
I’m Leo Notenboom for askleo.com.