The Muddy Waters of XP End-of-Life and Public Disclosures

Security researchers who have privately disclosed Windows XP vulnerabilities to Microsoft may never see patches for their bugs with XP’s end of life date at hand. Will there be a rash of public disclosures?

Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP’s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been stockpiled by hackers anxiously awaiting April 8, 2014.

But what about vulnerabilities in XP that have been responsibly shared with Microsoft and won’t be fixed? Those too are perpetual zero-days after Tuesday.

Microsoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft’s part, it has done outreach to researchers, clarified disclosure policies and processes and established bounty programs for bypasses of innate Windows mitigations.

And Microsoft isn’t to be faulted for its business decision, made long ago, to end extended support for XP, including security patches. Yet the fact remains that whatever XP systems remain in circulation after tomorrow will be exposed, and that raises questions: How will white or gray hats respond? Will there be a firestorm of public disclosures in the coming weeks?

“I know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that’s given what I know. I’m sure there’s more I don’t know of,” said Ross Barrett, senior manager of security engineering at Rapid7. “I wouldn’t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that’s not going to happen. The only result is that it would increase the exposure for people at large.

“It’s a muddy bit of water,” Barrett said. “Microsoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they’re not seeing action.”

Microsoft did not respond to a request for comment in time for publication.

HP’s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has 203 advisories pending public disclosure listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn’t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.

“I’m sure there’s tons of stuff still out there; some of it is design flaw stuff that Microsoft can’t fix or never got around to it,” Barrett said. “I’m sure there’s a backlog of stuff, but the clock has run out on XP.”

Microsoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.

“Absolutely hackers do that,” Barrett said. “If you’ve got a vulnerability in this file, they’ll track it back to a particular DLL and see that it’s been part of the OS since 2002 and not updated since 2004, they’ll know it’s vulnerable.

“You might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you’ll start to see it fade as it’s less used.”

Qualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company’s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.

“This is an additional weakness for these (retail) systems,” Kandek said. “There are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.”

Kandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.

“I don’t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It’s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker’s work much easier.”
