XPocalypse Now: Security experts size up the cyberthreats

There are no more lifelines. In a few days, Microsoft will pull the plug on Windows XP support for consumers. With no more updates or security patches available (other than some bare-bones malware support), it’s forecast to be open season on the legacy operating system. But just how bad will the “Windows XPocalypse” be? We spoke to several security experts to find out. 

The real risk: relentless attack

The end of support may not seem like a big deal. Windows XP has been under almost constant attack from malware and cyber criminals since it was released in 2001. Windows XP users have managed so far to defend themselves with relative success, so what will be different once Microsoft support ends?

Security experts predict a couple of scenarios. The more ominous is that attackers have already developed an arsenal of Windows XP “zero day” exploits, and they’re just waiting until Microsoft support ends to unleash them. 

While the deadline makes for good drama, some security folks reject the notion that attackers are lying in wait. “If the ‘apocalypse’ were going to happen, don’t you think it would have already happened?” says Andrew Storms, director of DevOps for CloudPassage. He notes that with so little time for Microsoft to triage an exploit, develop a patch, and properly test it before April 8, it would be just as effective for those cybercriminals to launch their attacks now.

More likely is that cyber crooks will use every Patch Tuesday–Microsoft’s monthly release of security fixes–as a new opportunity to find holes in Windows XP, because many of its vulnerabilities span all of the supported versions of Windows. Because Microsoft will continue to identify security holes in Windows Vista, Windows 7, and Windows 8, malicious developers can reverse-engineer the patches to locate the weakness, then check to see if that same vulnerability exists in Windows XP and develop an exploit for it.

‘All vulnerabilities will live forever’

The mounting doomsday hype has the ring of that other acronymic apocalypse–Y2K. But TK Keanini, CTO of Lancope, says the comparison is inaccurate. “It is important to note that what takes place on April 8 is not like Y2K where something will break or suddenly have a vulnerability–it is the fact that any new vulnerability discovery cannot be fixed. … any and all [Windows XP] vulnerabilities will live forever post April 8.”

That should be alarming considering there are still hundreds of millions of machines using Windows XP, and new data from Fiberlink claims that 44 percent of businesses are still running the operating system in some capacity. 

According to John Steven, CTO of Cigital, this is largely due to the time and effort invested in the platform and a willingness to gamble rather than start from scratch, evaluating and refining a new operating system and applications. “Ultimately, firms tend to choose to stay with the devil they know–even without a prayer of improvement–over moving to the devil they don’t.”

Despite his skepticism about an April 8 assault on Windows XP, Storms believes there will be some notable attack after that date. But he stresses that businesses and individuals have had years to prepare for this moment. He warns that anyone who insists on continuing to use Windows XP should do the sensible thing and isolate it–disconnect it from their network and from the public Internet to minimize its exposure to risk.

Lancope’s Keanini is more blunt. “If you have an XP variant that is coming to end of support on April 8, you need to treat it as if it were already dead and move that quickly to get it replaced,” he says. “Pretend it caught fire, and you will be moving with the right amount of urgency.”

Keanini also warns that businesses need to think beyond their own “four walls.” They need to understand the end-of-life/support schedules for their IT assets–hardware and software–and proactively migrate, update, or replace assets rather than wait for it to become a crisis.

But Bryce Schroeder, senior director of systems engineering for Tripwire, points out that it may not be inevitable doom for Windows XP holdouts. He says many security vendors have committed to supporting protection for Windows XP for another two years. He also notes you can run Windows XP in a virtual environment on newer operating systems if you want to run legacy applications, while also gaining the peace of mind of using a more secure platform. 

Proceed at your own risk

Whether Windows XP support ends with a bang or a whimper, there’s no question infection rates will rise, maybe by as much as two-thirds. And with no more rescues from Microsoft, users will be at greater risk with each passing month. Will it be Zero Day every day? Are you feeling lucky?