Hackers preparing 'wild west' zero-day assault on Windows XP

With Windows XP finally set to go end-of-life next week, Microsoft has made one final call for businesses and consumers to update to a newer version of the operating system.


Tim Rains, director of Microsoft's Trustworthy Computing Group, wrote a lengthy blog post on the matter today, but – in amongst all the advice – expressed concern that some SMEs remain reliant on the 13-year-old OS.

“Many of the enterprise customers I've talked to recently have finished, or are in the process of finishing, technology projects that move their desktop computing environments from Windows XP to Windows 7 or Windows 8,” wrote Rains.

“However, I've also talked to some small businesses and individuals that don't plan to replace their Windows XP systems even after support for these systems ends in April. In light of this, I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so.”

Basing his findings on data from the most recent volumes of the Microsoft Security Intelligence Report, Rains noted that attacks are increasingly sophisticated, and said that XP machines will likely be targeted by phishing attacks, ransomware (for which he advised restoring from backup) and computer worms – likely distributed via infected USB thumb drives – once end-of-life arrives on April 8.

He added that changing browsers, email clients or instant messaging services would not mitigate the risks, and instead plainly advised customers to upgrade.

“…The primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8 that have a decade of evolved security mitigations built in and will be supported after April 8, 2014,” wrote Rains.

With the end-of-life deadline looming, EY's director of information security Mark Brown told SCMagazineUK.com that businesses would be well advised to embrace BYOD as an interim measure. He warned, however, that the absence of any XP zero-day since earlier this year suggests attackers are holding back for a “wild wild west” once Microsoft stops support (Microsoft is, however, expected to continue offering antivirus signatures and security scanning through Security Essentials until at least July 2015).

“When was the last time there was a zero-day exploit for XP? Maybe earlier this year. There's a school of thought that hacktivists are storing up their targeted exploits and preparing for some kind of wild wild west zero-day,” said Brown, who added that point-of-sale systems and critical infrastructure – such as public control systems – are especially at risk. EY data, Brown said, suggests that 30 percent of businesses are still running XP, rising to as high as 75 percent for POS.

Brown continued that the risk of a ‘wild wild west' attack – something F-Secure also hinted at in its H2 2013 Threat Report – could even force Microsoft's hand and prompt it to offer support for longer.

“Will Microsoft be free and able to continue that support beyond what they've currently said? I don't know that.”

To mitigate some of the risks, Brown – a former CISO at SABMiller – advised switching to an up-to-date browser (IE9, Chrome and Firefox were cited as examples), and said that SMEs should inform customers of the situation with “concise, punchy advice”.

Qualys CTO Wolfgang Kandek, meanwhile, told SCMagazineUK.com by email that Google Chrome should be the browser of choice.

“I recommend Google Chrome, which will be supported for at least another year on Windows XP. It has modern security architecture with sandboxing and it updates without needing intervention from the user. It also takes care of two other common attack vectors: Adobe Flash, by embedding the Flash engine and providing the same seamless automatic updates, and PDF files, by including a simple PDF viewer that can be used to substitute the often attacked Adobe Reader.”

He also urged Outlook and local IM client users to switch to webmail, to disable autorun to shut down attacks through infected USB sticks, and to ensure they have a supported version of anti-virus on the machine.
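The autorun advice above, as an added example that is not from the article or from Qualys: a PowerShell check (with an optional fix) for the standard Windows policy value that controls AutoRun. The registry paths and the `NoDriveTypeAutoRun` value are the documented Windows policy; the script structure and messages are my own.

```powershell
# Added example: report whether AutoRun is disabled for all drive types, and
# set it if -Fix is given. 0xFF disables AutoRun on every drive type (the bit
# for removable drives alone is 0x04). Run elevated for the HKLM path.
param([switch]$Fix)

$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$Name    = 'NoDriveTypeAutoRun'
$Desired = 0xFF

foreach ($p in $Paths) {
    $current = $null
    if (Test-Path $p) {
        $current = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $status = if ($null -eq $current) { 'not set, Windows default applies' } else { '0x{0:X2}' -f $current }

    if ($current -eq $Desired) {
        Write-Output ("{0}: AutoRun disabled for all drive types ({1})" -f $p, $status)
        continue
    }
    Write-Output ("{0}: AutoRun NOT fully disabled ({1})" -f $p, $status)

    if ($Fix) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name $Name -Value $Desired -PropertyType DWord -Force | Out-Null
        Write-Output ("{0}: set {1} = 0xFF (log off or reboot so Explorer re-reads the policy)" -f $p, $Name)
    }
}
```

Without `-Fix` the script only reports, so it can be run first as an audit across the XP machines still in use.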