Cybercriminals “saving up” wave of Windows XP attacks for when Microsoft stops support

Cybercriminals will unleash a wave of “zero-day” vulnerabilities to attack Windows XP machines after April 8, 2014, a security expert has claimed. Microsoft will stop releasing security updates for the OS on that date.

Criminals will “sit on” such vulnerabilities until that date to make more money from their exploits, according to Jason Fossen of security training company SANS.

At present, vulnerabilities are patched by Microsoft. After April, only companies paying for custom support will be protected – and up to a third of organizations are expected to still use Windows XP machines.

“The average price on the black market for a Windows XP exploit is $50,000 to $150,000 – a relatively low price that reflects Microsoft’s response,” said Fossen, speaking to ComputerWorld.

“When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks. But if they sit on a vulnerability, the price for it could very well double.”

Fossen’s thesis is based on the still-significant number of PCs using Windows XP.

Windows XP, which came out in 2001, is still the second most popular version of Windows – 38.7% of PCs used XP as of the second quarter this year, according to NetMarketShare.

ComputerWorld has projected that 33-34% will still run the OS when Microsoft stops patching it. That’s a stark contrast, Fossen says, to the low numbers using Windows 2000 when it was retired in July 2010 – four-tenths of 1%, according to monitoring firm Net Applications. Even so, there were reports of zero-days targeting Windows 2000 when it was retired, according to ComputerWorld’s report.

Research by Camwood, a British software consultancy, found earlier this year that just 42% of firms running Windows XP have begun the migration process.

Microsoft recommends leaving at least 18 months to migrate. One in five of the IT people surveyed said that they intended to continue using the operating system, despite being aware of the risks.

An ESET podcast offers some new security tips for the ageing OS here.

Author , We Live Security

  • viscountalpha

    Sounds like gloom and doom for those of us who still use XP. I’m still skeptical. I wouldn’t put it past Microsoft to push Windows 7 or 8 on people who just don’t see any significant need for it. XP works just fine.


    • An OS that remains widely used but is no longer getting security updates really will represent a security risk to its users, I’m afraid. I’m not saying Microsoft doesn’t have a vested interest in getting people to upgrade, but the fact is that if XP isn’t broken now – and that’s a matter of definition – it will be once there are no patches for it.

Copyright © 2017 ESET, All Rights Reserved.