Understanding the "zero day" risks of sticking with Windows XP after support ends


This post is by Alastair Dick, Microsoft CTO - NHS.

I know that most of the NHS IT teams are currently beavering away upgrading XP machines to Windows 7 & 8. For those who are questioning the urgency of upgrading before the end-of-support date next year, there has been some very interesting research published by the Microsoft Security Response Center (MSRC). This research is compelling due to the sheer scale of the data. But it is also worrying when you look at the organisation of the attacks and the future exposure of XP machines.

The Software Vulnerability Exploitation Trends document goes into some detail about how the data is collected, the technicalities of the attacks, and how later versions of our products have negated certain classes of attacks. At the end, the document shows the difference in mitigation technologies included in a Windows XP SP3 / IE8 machine versus a Windows 8 / IE10 machine.

Following on from this, Tim Rains of the Microsoft Security Blog gave further food for thought on the risk of running Windows XP after support ends in April 2014:

"One risk is that attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders. Let me explain why this will be the case."

"When Microsoft releases a security update, security researchers and criminals will oftentimes reverse engineer the security update in short order in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will allow them to exploit it on systems that do not have the security update installed on them. They also try to identify whether the vulnerability exists in other products with the same or similar functionality. For example, if a vulnerability is addressed in one version of Windows, researchers investigate whether other versions of Windows have the same vulnerability. To ensure that our customers are not at a disadvantage to attackers who employ such practices, one long-standing principle that the Microsoft Security Response Center uses when managing security update releases is to release security updates for all affected products simultaneously. This practice ensures customers have the advantage over such attackers, as they get security updates for all affected products before attackers have a chance to reverse engineer them."

"But after April 8, 2014, organizations that continue to run Windows XP won't have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever. How often could this scenario occur? Between July 2012 and July 2013 Windows XP was an affected product in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8."

Read the rest of Tim's post here.
