Microsoft warns of Windows XP zero day vulnerability

Danger sign

Microsoft continues to urge Windows XP users to upgrade to either Windows 7 or Windows 8 before support for the older operating system ends in 2014.

When support for Windows XP ends in April 2014, systems running the OS will effectively have a 'zero date' vulnerability forever, warned Tim Rains, a director of Microsoft's Trustworthy Computing group.

"When Microsoft releases a security update, security researchers and criminals will often times reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update," Rains noted in a blog post entitledThe risk of running Windows XP after support ends April 2014'.

"But after April 8, 2014, organizations that continue to run Windows XP won't have this advantage over attackers any longer."

Rains claimed hackers will reverse engineer updates in the first security package released after XP is no longer supported as soon as it is issued and attempt to apply them to the older operating system.

"Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever," he said.

"As for the security mitigations that Windows XP Service Pack 3 has, they were state of the art when they were developed many years ago. But ... the security mitigations built into Windows XP are no longer sufficient to blunt many of the modern day attacks we currently see," Rains added.

Microsoft began a countdown for the end of Windows XP support in July 2011. With one year to go before the end of support, on 8 April 2013, the company also warned 600 million PC users would be at serious risk if they did not upgrade to a more recent operating system.

However analyst house Ovum said in users should not feel pressured to upgrade to Windows 7 or 8.

"If we assume that Windows XP systems have the latest patches, fixes and up-to-date security software installed ... there is no reason to believe that life after [April 2014] will be any different than before," Richard Edwards, principal analyst at Ovum said.

Nevertheless, Rains concluded his blog post by warning "organisations need a level of certainty about the integrity of their systems. Minimising the number of systems running unsupported operating systems is helpful in achieving that".

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.