We are nearing the end of another era in the Microsoft world – Windows XP. This was arguably one of the most popular operating systems Windows has ever produced. April 8, 2014 is the grand finale for Microsoft to support XP. Here are my thoughts about it:
• To boldly risk continuing to use an aging and soon-to-be unsupported OS is to merely invite hackers and malware writers to exploit and affect your business. Malware writers and hackers are mostly after the glory, the attention. What better opportunity than to try and exploit an installed base of 40 percent of PCs that Microsoft is no longer patching?
• Begin to think strategically about end-user computing in general instead of always being reactive. I encourage you to develop a strategy that includes desktop virtualization in many of its different types like VDI, Terminal Services and others. There are many ways of addressing application incompatibilities, there are several discussions that should be had on which operating system to migrate to and the implications of doing so.
• Cyber criminals will bank their Windows XP Zero-day vulnerabilities until after Microsoft stops patching the aged OS next April.
• The average price on the black market for a Windows XP exploit is $50,000 to $150,000 - but is expected to double after EOL.
• There are already signs of bug banking, most notably a sharp reduction in the number of publicly-disclosed or used-in-the-wild XP vulnerabilities during the fourth quarter of 2013 and the first quarter of 2014.
• If hackers sit on Zero-days, then after April use several of them in a short time, that could create a pain threshold so severe that people organize and demand patches.
• The consensus among analysts and security experts is that Microsoft will not back down from its decision to retire XP, because it would not only set an unwelcome precedent but also remove any leverage the company and its partners have in convincing laggards to upgrade to a newer edition of Windows.
• What if we get to a date past the end of Extended support, and a security problem with XP suddenly causes massive problems on the Internet, such as a massive DoS problem? It is not just harming Windows XP users, it could bring the entire Internet to its knees.
• The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “Zero-day” vulnerability forever.