April 8, 2014: WinXPGeddon



If you still run Windows XP in April 2014, you've got a timebomb on your hands if that system is still connected to the Internet. Stand-alone systems are a bit less of a risk.

Why? Microsoft will retire XP on April 8, 2014, and that means they will stop publishing security updates. The only exceptions are organizations that can afford a few million bucks a year.

This is a big stick and Redmond is really trying to make sure that people upgrade to Windows 7 or 8. They say that WinXP Service Pack 3 is just too old and cannot protect against modern threats. In the second half of 2012, XP's infection rate was 11.3 machines per 1,000 scanned by the company's security software, more than double the 4.5 per 1,000 for Windows 7 SP1 32-bit and triple the 3.3 per 1,000 for Windows 7 SP1 64-bit.

Now, zero-day threats are vulnerabilities that are only known by the bad guys, and there are no security patches available for these "holes". Hackers will save up their WinXP 0-day exploits until after April 2014. Jason Fossen, a trainer for SANS since 1998 and an expert on Microsoft security, said it's simply economics at work.

"The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft's response," said Fossen. "When a new vulnerability... is spotted in the wild, Microsoft investigates, pulls together a patch and releases it to XP users." But no more after April 2014!

XP machines hooked up to the internet are fish in a barrel waiting to be shot. The only thing I see that will get a few more years of life out of those machines is a super lightweight Application Control product (aka whitelisting) that simply blocks any and all unauthorized software that tries to execute. More in an article over at ComputerWorld.

InfoWorld just released an article explaining that Microsoft will charge selected "Custom Support" customers about $200 per WinXP PC per year for security patches.

Topics: IT Security
