August 13, 2013, 12:29 PM — Cyber criminals will bank their Windows XP zero-day vulnerabilities until after Microsoft stops patching the aged operating system next April, a security expert argued today.
Jason Fossen, a trainer for SANS since 1998 and an expert on Microsoft security, said it's simply economics at work.
"The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft's response," said Fossen. When a new vulnerability -- dubbed a "zero-day" -- is spotted in the wild, Microsoft investigates, pulls together a patch and releases it to XP users.
If the bug is critical and being widely used by hackers, Microsoft will go "out-of-cycle," meaning it will issue a security update outside its usual monthly Patch Tuesday schedule.
But after April 8, 2014, Microsoft has said it will retire Windows XP and stop serving security updates. The only exceptions: Companies and other organizations, such as government agencies, that pay exorbitant fees for custom support, which provides critical security updates for an operating system that's officially been declared dead.
Because Microsoft will stop patching XP, hackers will hold zero-days they uncover between now and April, then sell them to criminals or loose them themselves on unprotected PCs after the deadline.
"When someone discovers a very reliable, remotely executable XP vulnerability, and publishes it today, Microsoft will patch it in a few weeks," said Fossen. "But if they sit on a vulnerability, the price for it could very well double."
Minus any official patching from Microsoft, XP zero-days and their associated exploits could remain effective for months, maybe even years, depending on how well security software detects and quarantines such attacks.
If Fossen's thesis is correct, there should be signs of bug banking, most notably a sharp reduction in the number of publicly-disclosed or used-in-the-wild XP vulnerabilities during the fourth quarter of 2013 and the first quarter of 2014.
"[Hackers] will be motivated to sit on them," Fossen stressed.
There really aren't precedents to back up Fossen's speculation, he acknowledged, because the last time Microsoft pulled the plug on an edition was July 2010, when it retired Windows 2000. But according to metrics firm Net Applications, at the time Windows 2000 powered just four-tenths of one percent of all PCs.
Windows XP will have a much larger share when it's retired next year: Based on XP's current rate of decline, Computerworld has projected that the old OS will still run between 33% and 34% of the world's personal computers at the end of April 2014.
That would be 80 times the share of Windows 2000 when it retired.
But even with Windows 2000's minuscule share when it left support, there were reports that an edition-specific zero-day was created and sold.
"I heard rumors of a new zero-day being found and sold after the support period expired [for Windows 2000]," said HD Moore, creator of the popular Metasploit penetration testing toolkit and the chief security officer of security company Rapid7. "But there were few if any examples that ended up in the public eye."
Moore agreed with Fossen that XP bugs would be more valuable after April 2014, but contended that all Windows vulnerabilities would jump in value.
"Something more common [three years ago] was backporting new security advisories into functional exploits on Windows 2000," said Moore in an email. "Every time a server-side vulnerability was found in Windows XP or 2003 Server, quite a few folks looked at whether this would also work against Windows 2000. My guess is that the retirement of Windows XP will result in all Windows vulnerabilities being of slightly higher value, especially given the difference in exploit mitigations between XP and newer platforms."
It's far easier to exploit flaws in Windows XP than in newer editions, such as Windows 7 and Windows 8, noted Moore, because of the additional security measures that Microsoft's baked into the newer operating systems.
Microsoft has said the same. In the second half of 2012, XP's infection rate was 11.3 machines per 1,000 scanned by the company's security software, more than double the 4.5 per 1,000 for Windows 7 SP1 32-bit and triple the 3.3 per 1,000 for Windows 7 SP1 64-bit.
"Windows XP vulnerabilities will be valuable as long as enterprises utilize that version of the operating system," said Brian Gorenc, manager of HP Security Research's Zero Day Initiative, the preeminent bug bounty program. But Gorenc also argued that any XP zero-days would be outweighed by higher-priority hacker work.
"Researchers are primarily focused on the critical applications being deployed on top of the operating system," said Gorenc in an email reply to questions today. "Attackers and exploit kit authors seem to rely on the fact that the update process and tempo for applications are not as well defined as those for operating systems."
Fossen, convinced that XP would be a big fat target after April 8, wondered whether Microsoft might find itself in a tough spot, and back away from the line in the sand it's drawn for XP's retirement.
"If hackers sit on zero-days, then after April use several of them in a short time, that could create a pain threshold [so severe] that people organize and demand patches," said Fossen.
The consensus among analysts and security experts is that Microsoft will not back down from its decision to retire XP, come hell or high water, because it would not only set an unwelcome precedent but also remove any leverage the company and its partners have in convincing laggards to upgrade to a newer edition of Windows.
But a few have held out hope.
"Suppose we get to a date post the end of Extended support, and a security problem with XP suddenly causes massive problems on the Internet, such as a massive [denial-of-service] problem?" asked Michael Cherry, an analyst with Directions on Microsoft, in an interview last December. "It is not just harming Windows XP users, it is bringing the entire Internet to its knees. At this time, there are still significant numbers of Windows XP in use, and the problem is definitely due to a problem in Windows XP. In this scenario, I believe Microsoft would have to do the right thing and issue a fix."
Jason Miller, manager of research and development at VMware, had some of the same thoughts at the time. "What if XP turns out to be a huge virus hotbed after support ends? It would be a major blow to Microsoft's security image," Miller said.
Another option for Microsoft, said Fossen, would be to take advantage of a post-retirement disaster to do what it's been doing for years, push customers to upgrade.
"They might also respond with a temporary deal on an upgrade to Windows 8," said Fossen, by discounting the current $120 price for Windows 8 or the $200 for Windows 8 Pro. "Then they could say, 'We're aware of these vulnerabilities, but you should upgrade.'"
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.