While Microsoft tries desperately to sell more copies of Windows 8, Windows XP still holds an impressive 37% share of the desktop operating system market. Redmond hopes that ending support for Windows XP in April 2014 will push more users toward Windows 8.
Cybercriminals appear to be well prepared for that moment, readying waves of Windows XP attacks that are expected to be very profitable: according to security expert Jason Fossen, a Windows XP exploit is said to fetch between $50,000 and $150,000 on the black market. Once Microsoft stops supporting Windows XP it will stop shipping security patches for it, which leaves the system wide open to attackers who hoard bugs discovered between now and April 2014 and only use them after the deadline.
Windows XP to become a treasure for hackers
Don’t think that Microsoft has already abandoned Windows XP: critical security updates are still being prepared almost weekly for those who use it. When Microsoft learns of a critical bug that is being heavily exploited in the wild, it usually issues an out-of-band security update as quickly as it can rather than waiting for its monthly Patch Tuesday. Jason Fossen explains:
When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks. But if they sit on a vulnerability, the price for it could very well double.
A vulnerability that the vendor does not know about, and for which no patch exists, is referred to as a “zero-day”. Most likely, cybercriminals have already started stockpiling Windows XP zero-days and are simply waiting for Microsoft to end security support so that they can sell them, or use them against computers that will never receive a fix. One sign consistent with this theory would be a drop in publicly disclosed Windows XP vulnerabilities in Q4 2013 and Q1 2014. Fossen says that “hackers will be motivated to sit on them” and wait for a “better price”.
This is a big issue because, even after Microsoft retires Windows XP, it will still hold a large market share, somewhere around thirty percent. Windows XP will remain on millions of computers worldwide, a real gold mine for cybercriminals. Only a few companies, organizations and government agencies will keep receiving Windows XP security patches, because they pay large fees for custom support.
Here are some telling figures from the second half of 2012 on how weak XP’s security protection is compared to Windows 7 (infected machines per 1,000):
- Windows XP: 11.3 per 1,000
- Windows 7 SP1 32-bit: 4.5 per 1,000
- Windows 7 SP1 64-bit: 3.3 per 1,000
Part of that gap comes from Windows 7 shipping exploit mitigations, such as ASLR, that Windows XP lacks, so the same bug is harder to exploit reliably on the newer system. There is no data yet on Windows 8, but the numbers are most likely even better. Brian Gorenc, manager of HP Security Research’s Zero Day Initiative:
Windows XP vulnerabilities will be valuable as long as enterprises utilize that version of the operating system. Researchers are primarily focused on the critical applications being deployed on top of the operating system. Attackers and exploit kit authors seem to rely on the fact that the update process and tempo for applications are not as well defined as those for operating systems.
As Fossen observes, if heavily exploited zero-day vulnerabilities turn up in Windows XP after support ends, the users themselves will “organize and demand patches”. Jason Miller, manager of research and development at VMware:
What if XP turns out to be a huge virus hotbed after support ends? It would be a major blow to Microsoft’s security image.
One of the best moves for Microsoft would be a new upgrade offer, cheaper than previous ones, to convince users to leave XP behind and embrace Windows 8.