Hackers now crave patches, and Microsoft’s giving them just that
12 May 2014 | 0
Hackers will have at least one, perhaps as many as four, patches next week to investigate as they search for unfixed flaws in Windows XP, the 13-year-old operating system that Microsoft retired from support on 8 April.
“Come Tuesday, Microsoft will be patching some vulnerabilities in Windows, and it is realistic to assume that at least one of these will also affect Windows XP,” said Kasper Lindgaard, director of research and security at Secunia, in an email. “Generally speaking, newly discovered vulnerabilities in XP will be unpatchable for private users, and therefore we will see a rise in attacks.”
On 13 May, Microsoft’s regularly-scheduled monthly Patch Tuesday, Redmond will issue eight security updates for its software. But because it has stopped providing updates to owners of Windows XP PCs, those customers will not see any of the eight.
Hackers looking for vulnerabilities in Windows XP will be using the patches to find vulnerabilities in XP, Microsoft and security experts have said. By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7, which will be patched, then sniff around the same part of XP’s code until they discover the bug there. From that point, it will be relatively straight forward for them to craft an exploit and use it against unprotected XP PCs.
“Patches to the other Windows operating systems will be reverse engineered by hackers, seeking to discover which vulnerabilities were fixed by Microsoft, and if applicable, modified to work against Windows XP,” Lindgaard said.
He is not the only one who believes hackers will leverage updates to find unpatched bugs in XP. So does Microsoft.
“After April , when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP,” said Dustin Childs, director of Microsoft’s Trustworthy Computing group, last October. “If they succeed, attackers will have the capability to develop exploit code to take advantage of them.”
Four of the eight scheduled security updates that Microsoft plans to ship next week look like candidates for hackers because they will affect all client versions of Windows, including Windows Vista, Windows 7, Windows 8 and Windows 8.1. Before Microsoft stopped pushing patches to XP, it was rare for an update to fix one or more newer editions of Windows, but not patch XP at the same time.
Patches to the other Windows operating systems will be reverse engineered by hackers, seeking to discover which vulnerabilities were fixed by Microsoft, and if applicable, modified to work against Windows XP
One of the four will impact all instances of IE, so there is a very high chance that that update would have patched the pertinent editions of the browser — IE6, IE7 and IE8 — on Windows XP if Microsoft had continued updating the old OS. The upcoming fix for IE was rated “critical,” Microsoft’s highest threat warning, and was also tagged with the phrase “remote code execution” in last week’s advance notification, meaning that if successfully exploited, attackers could hijack the PC and plant malware on its drive.
Two of the remaining three updates also strongly hint at XP vulnerabilities, albeit less threatening ones, since they will apply not only to the newer client editions, like Windows 7 and 8, but also to the still-supported Windows Server 2003, which has a considerable amount of code in common with XP.
The only good news, said Secunia, was that Windows XP’s retirement triggered a sharp decline in its share of US PC operating systems. In the three weeks after April 8, XP’s share dropped nearly 17%, said the Danish security company.
The decline of one percentage point each week took Windows XP from an 18% share before retirement to 15% for the week April 23-29. The three-point drop represented one-sixth, or 16.7%, of the original 18% share.
Secunia measured operating system share by tallying the machines that accessed its patch management tools, including the free Personal Software Inspector (PSI), a utility that identifies out-of-date Windows applications and add-ons, then delivers security updates.
Other measurements of Windows XP, including a global estimate by Net Applications earlier this month, pegged Windows XP’s presence considerably higher, mostly because huge numbers of Chinese computers still run the OS. Net Applications reported that XP powered about 26% of all desktop and notebook personal computers in April.
StatCounter, the Irish analytics company, said that XP’s share in the US averaged 13% last month, a drop from 15% the month prior.
Secunia’s numbers imply that the demise of patch support for Windows XP has prompted a significant portion of American die-hards to finally discard the operating system, presumably replacing it with Windows 7, 8 or 8.1, or in some instances, with a Mac or another type of computing device, such as a tablet.
Gregg Keizer, Computerworld