There’s money to be made in the fact that Microsoft Corp. is ending support for Windows XP, and not where you’d think. True, solution providers and consultants are looking for business from organizations needing help migrating off XP to new desktop operating systems. But security experts say other people are hoping to make money when support ends next April: Makers of malware.
These bad guys sell their wares over the Internet to people eager to wreak havoc, and the prices of their goods follow the law of supply and demand. Some security researchers believe these malware makers are holding back some juicy exploits for the day XP support ends and Microsoft no longer plugs holes in the OS. Then they’ll jack up their prices.
“That’s entrepreneurship at work,” Alex Watson, a director of security research at security gateway maker Websense Inc., said in an interview. It’s what happened earlier this year when Oracle Corp. ended support for Java 6 in February, he added.
“All of a sudden there was an increase in value to any type of zero-day vulnerability,” he said, “because you have a tremendous base of users, and no fix.” It was no coincidence that Java 6 malware had increased since then, he added. “So I think over the next months you’ll see increased attention on XP again (by malware makers) looking at vulnerabilities that haven’t been patched.”
He noted that in the past 12 months Microsoft issued 45 security bulletins for XP-related vulnerabilities (some also covered Windows 7 and 8, he added). In other words, for a time XP is going to become more dangerous on your PCs, not less. “I’m sure (XP) vulnerabilities will continue to surface over the next year,” he said.
One option for those who don’t migrate will be to rely on firewalls or intrusion prevention devices in the hope that they will suffice, he added. Despite adequate advance warning from Microsoft, he said, there are still many XP systems in organizations in places they don’t think to look, like point-of-sale PCs that sit unobtrusively in stores and that no one thinks to update.
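The first practical step behind that warning is an inventory: you cannot migrate or wall off XP hosts you do not know about. The script below is an added example, not from the article or from Websense; it assumes an Active Directory domain, the RSAT ActiveDirectory module on the workstation it runs from, and read access to computer objects. It lists domain-joined XP machines and separates those that have logged on recently (still live, still worth chasing) from stale accounts whose hardware may be long gone.

```powershell
# Added example (not from the article): enumerate domain-joined Windows XP hosts.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Match on the OperatingSystem name rather than OperatingSystemVersion: 32-bit XP
# reports 5.1 but XP x64 reports 5.2, the same version string as Server 2003.
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address

# Split live machines from stale computer objects so the migration list is honest.
$cutoff = (Get-Date).AddDays(-30)
$active = $xpHosts | Where-Object { $_.LastLogonDate -gt $cutoff }
$stale  = $xpHosts | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -le $cutoff }

"$($xpHosts.Count) XP computer objects; $($active.Count) logged on in the last 30 days; $($stale.Count) stale"

$active | Select-Object Name, IPv4Address, OperatingSystemServicePack, LastLogonDate |
    Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

# Hand the live list to whoever tracks the migration (file name is an assumption).
$active | Select-Object Name, IPv4Address, OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    Export-Csv -NoTypeInformation -Path .\xp-hosts-active.csv
```

The caveat is exactly the one the article raises: point-of-sale terminals, kiosks and lab boxes are often not domain-joined, so an AD query will miss them. Treat this list as a floor, and complement it with a network-side check (a scan that records OS fingerprints or SMB banners per subnet) before concluding that a site is XP-free.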
“Hackers are going to go where there’s the biggest return on their investment. They’re going to look for software that’s installed in the largest user base possible, and develop exploits. And there’s a big return on investment for attackers in targeting older versions of Windows or Java,” he said. “Running out-of-date software leaves you more exposed to a lower degree of sophistication of attack from a criminal.”
Malware makers rent out exploit kits such as Blackhole for a monthly fee; such frameworks, much like the open-source Metasploit Framework used by penetration testers, make it easy to fingerprint an XP machine and serve an exploit crafted for it, he said. Charles Henderson, who leads the threat intelligence team at Trustwave Holdings Inc., which sells security solutions, also believes malware creators are likely holding on to exploits until April. The first day Microsoft ends support might not be the end of the world, he acknowledged. “The real end of the world for XP users happens the first day a vulnerability is discovered,” he added, “because it’s not going to be fixed.”
He suspects that most large North American organizations are well on their way to migrating off XP, for two reasons: they have contracts with Microsoft that let them upgrade their PCs for minimal cost, and they likely have compliance regimes that oblige them to run only supported software.
Others, though, don’t want to upgrade until “it’s absolutely necessary,” either the day support ends or the day the first new XP exploit that can’t be fixed is discovered. Waiting for either day is a mistake, he said.