For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves.
The official end of security support for Windows XP is upon us, but it’s important to check some anxiety at the door and keep some perspective.
“I’ve been a forensics investigator 14 years and in my experience, I don’t know I’ve come across one incident, or very few anyway, where a vulnerability was exploited where an unpatched system wasn’t the source of a breach,” said Christopher Pogue, director at Trustwave. Pogue said breaches are much more likely to be blamed on poor passwords, weak access control systems or a poorly configured firewall and a glaring hole in the underlying operating system.
“All the administration stuff in place around these systems falls down. Attackers leverage that because they want the path of least resistance,” Pogue said. “You have to presume that before they get their exploit on an unpatched XP machine, they have to breach the environment, bypass firewalls get to the system, pivot to the unpatched system and hope it has critical data on it so they can run exploit code. There are a whole lot of items that have to line up for that to happen.”
The hype and hyperbole around April 8, the latest in a long line of security Doomsdays, is rooted in theories that because a good number of XP systems remain in use storing data and processing transactions, that any previously unreported XP vulnerabilities will be perpetual zero-days. The theory continues that attackers have been building and hording XP exploits, anxiously wringing their hands waiting for April 8, 2014 to come and go.
Now to dismiss all of that as FUD is foolhardy; some attackers who do have XP exploits that will be zero days in a matter of five days are going to wait. Others are less patient (see the recent XP Rich Text Format zero day that will be patched on Tuesday). And for those smaller organizations with fewer IT resources that may still be running XP machines that still hum along carrying out their mission day after day, their risk posture will be slouching a little more come Tuesday.
Big picture, however, people are moving off of XP. Qualys CTO Wolfgang Kandek published some numbers based off the company’s flagship vulnerability scanning service that indicate the XP installed base had dipped to below 15 percent, down from 35 percent 14 months ago. Migrations in the transportation and health care industries are much more dramatic, he said.
“These are two extremes, but all industries are showing a downward slope (migrating off XP); none are stagnant,” Kandek said.
Kandek is in the camp that attackers will intensify their targeting of XP machines and in particular will look at patches for modern Windows 7 and 8 systems and determine whether those vulnerabilities could be present in no-longer supported XP machines. He also urges organizations that must use XP to isolate those machines off the network, keep them for a specialized purpose and keep them offline.
“In May, Microsoft will publish bulletins and patches, and those can be taken by a hacker and reverse-engineered. They will ask ‘What does fix?’ And once they know what it does on Windows 7 or 8, that it changes a DLL or fixes an overflow, they could go into XP and figure out whether the same DLL exist or overflow vulnerability exists,” Kandek said. “Patches map to vulnerabilities that could be in XP. Sometimes they’re only in a new component of Windows 7, but most of the time you can find those vulnerabilities in XP.”
Kandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.
“I don’t see why that would stop in May, June or July. Attackers can use that knowledge as pointer into XP to find if a vulnerability exists. It’s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker’s work much easier.”
A key difference to point out, however, is that Windows 7 and 8, for example, are radically different under the hood than XP. Microsoft has invested time and money into building mitigations for a number of dangerous memory-based attacks. Technologies such as ASLR and DEP make it much more challenging and costly for an attacker to execute malicious code against vulnerabilities in the operating system. Looking for bugs in XP that live in Windows 7 or 8 just may not be the best use of resources for an attacker.
“An attacker has always chose the path of least resistance to gain access to a system; they don’t have to exploit the operating system, and for the most part, haven’t,” Trustwave’s Pogue said. “While it’s still possible, if I were a small business owner and running XP to store and process data, I’d be concerned about it and take steps run and updated and patched operating system. Even so, it’s important to remember that’s not a silver bullet. Updating to Windows 7 doesn’t mean you’re necessarily safe. You have to build up defense-in-depth mechanisms. XP has been updated and patched up to now, and I’ve investigated thousands of breaches on XP systems. An updated OS does not always equal security.”