Windows XP End of Life a Security Milestone

Forget for a moment the impending cryptoapocalypse because of aging and/or subverted encryption standards and algorithms. Microsoft this week put out the word on the scourge that is Windows XP.

The latest Microsoft Security Intelligence Report goes to great pains to encourage users to move off the soon-to-be unsupported version of Windows. The report, reflecting activity collected and monitored by its security tools from January to June, points out that XP computers are six times more likely to be infected than younger, more robust versions of the OS.

“Older software is easier to break into and over time, cybercriminals learn how to bypass mitigations,” said Microsoft spokesperson Holly Stewart. “XP is no different. A good example is DEP (Data Execution Prevention) which was not commonly bypassed when it was released. The utility of that mitigation has degraded year over year.”

DEP and Address Space Layout Randomization (ASLR) are memory protections built into Windows starting with Vista. They’re meant to ward off buffer overflow attacks and frustrate hackers from being able to inject code into predictable areas of memory in the operating system. In 2006, there was one DEP bypass for every 13 vulnerabilities; that’s done almost an about-face as of 2012, Microsoft said, with six bypasses happening for every three CVEs. Hackers have been found ingenious means of beating DEP and ASLR, stringing together exploits for numerous vulnerabilities to bypass these protections and jeopardize data stored on the host machine.

“Newer software is less appealing to cybercriminals,” Stewart said. “Advanced technology is harder to exploit, and there’s been a long list of platform security improvements. XP, however, is not equipped to provide these innovations.”

Microsoft will no longer support XP after next April, meaning it will no longer provide security patches and advisories for vulnerabilities discovered on the platform. Yet according to the latest desktop operating system market share numbers, XP installations trail only Windows 7; Netmarketshare.com says XP is still running on 31 percent of desktops. Windows 7 leads with 46.4 percent.

“From a security perspective, this is a really important milestone,” Stewart said. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”

Microsoft is also using a new metric, comparing infection rates with what it’s calling an encounter rate. As explained in the Security Intelligence Report, “encounters” are the number of times one of the companies security tools such as the Microsoft Malicious Software Removal Tool comes up against a piece of malware. Previously, Microsoft would count what it called Computers Cleaned per Mile, or CCM. Thes was the number of computers cleaned for every 1,000 times the MSRT was tripped by a piece of malware.

Using the new metrics, Microsoft demonstrates that XP users running SP3 are six times more likely to become infected than someone running Windows 8 RTM on their machine—9.1 XP computers cleaned per 1,000 versus 1.6 Windows 8 machines. As for the encounter rate, the numbers aren’t too staggeringly different with 16.1 percent of XP SP3 machines reporting an encounter versus 19.1 percent of Windows 7 machines and 12.4 percent of Windows 8 computers.

“The encounter rate gives you an idea of how frequently a customer is exposed to a malware threat,” Stewart said. “We’ve reached a tipping point where this dated architecture can’t be relied upon.”