Last week attackers were discovered exploiting a serious security hole in old versions of Internet Explorer. They lured IE users to websites that used malicious code to remotely steal the users' data. Days later, Microsoft patched the hole. What's most notable about this patch, however, is that it was extended to Windows XP.
For background: three weeks ago Microsoft stopped providing updates for the 12-year-old operating system. This didn't come as a surprise; the company announced its plans nearly three years ago. Still, adoption of newer Windows versions has been slow. The UK Government even secured a one-year extension because so many of its financial services still ran the archaic software.
Yet this XP lifeline shouldn't be read as a sign of things to come. If anything, it should be the wake-up call for XP users. As Karl Sigler, a threat intelligence manager at the online security firm Trustwave, explained to me, he does not expect any further XP security patches.
In his eyes, as someone who researches online security flaws for a living, now is the time for those still on XP to realize they need to update, and fast. He says another flaw like this one will definitely surface, "probably in the next three to six months."
As he explained it, this sort of exploit is actually quite common. What's more, such exploits are both "difficult to detect and difficult to defend." With that in mind, he expects attackers to seek out these kinds of flaws now that XP has reached end of life. "They are absolutely focusing and attacking on Windows XP," he said.
But will this get people to switch? Sigler isn't so sure. He is aware of how annoying and expensive it is to upgrade an operating system, especially for cash-strapped companies. "It can be a big shift… it takes a lot of planning," he said. People also fail to see the risk because the operating system appears to be working normally. Sigler sums up this rationale as, "If it doesn't appear broken, don't fix it."
This mentality leaves Windows XP users completely vulnerable: “They are most definitely opening themselves up for attack.”
So why did Microsoft issue the XP patch at all? Shouldn't it have left these stragglers out in the cold? Sigler says the flaw's discovery so soon after the end-of-life date really "forced Microsoft's hand." Others disagree. Forbes contributor Gordon Kelly called Microsoft's move an "utter act of stupidity."
Whether the XP patch was warranted or not, it gives those still running XP a chance to update before it's too late, although a real breach (with no patch to follow) may be the only thing that wakes XP users up. If a new breach does happen (and Sigler is sure it will), it "may just be enough to force people."
But heed the expert’s words: “I don’t see any patches forthcoming.” In conclusion: Update your OS, people.
[illustration by Brad Jonas for Pando]