Hackers’ nirvana on horizon as Microsoft ends security fixes for XP SP2

Unless thousands of companies still using Windows XP SP2 computers suddenly stop procrastinating, hackers are going to be in seventh heaven next week.

On Tuesday, 13 July 2010, Microsoft will stop all technical support — including issuing security fixes — for XP SP2 machines. Companies can continue to get security updates for their XP units through April 2014 — by upgrading to SP3. It’s free. Testing and deployment are not trivial, but can be automated, according to research firm Gartner.

But the reality is the switch-off will result in hundreds of millions of PCs worldwide, including tens of millions in the U.S., instantly becoming ripe targets for hackers. That’s because XP SP2 desktops and laptops are still widely used in businesses and homes across the planet.

Hundreds of millions of vulnerable PCs

A service pack is a collection of updates, feature enhancements and security fixes delivered in a single download. Microsoft released SP2 in August 2004 mainly to beef up security. Then in April 2008, the company released SP3 with less fanfare, recommending that all XP units be updated. Yet more than two years later, thousands of companies worldwide have not yet done so.

Wolfgang Kandek, CTO of vulnerability management firm Qualys, says he expects procrastinators to continue to sit on the fence. “I believe the awareness of the upcoming change was not high enough,” says Kandek. “In addition, existing users are very satisfied with the SP2 iteration of Windows XP and differently from the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing.”

Installing a service pack requires downtime for testing, and many companies cut back on tech maintenance during the economic recession, says Dean Williams, services development manager at tech services firm Softchoice.

Softchoice recently surveyed 117 financial, health care, manufacturing and educational organizations in the U.S. and Canada. It found eight of 10 organizations continue to use XP SP2 computers widely.

Qualys also reports wide use of PCs using the older service pack.

“XP is still the most popular version of Windows and roughly half of all XP machines still run the SP2 version,” says Kandek. “We believe we are dealing with hundreds of millions of systems. XP SP2 machines can be found both in corporate installations and also very often as the operating system on home machines.”

Deadline widely ignored

Kandek and Williams worry that companies won’t pay much attention to Microsoft’s deadline for upgrading to XP SP3 — or replacing old XP machines with new Windows 7 PCs.

“It’s a virtual guarantee laggards will miss this deadline,” says Dean Williams, services development manager at Softchoice. XP SP2 computers will “become fair game,” says Williams. “There will just simply be more ways to hack in.”

Microsoft typically issues security fixes, called patches, for freshly discovered flaws on each second Tuesday of the month. This helps the company keep pace with grey hat and black hat vulnerability researchers who continually flush out fresh security holes in Windows, Internet Explorer and Office.

Qualys provided LastWatchdog with metrics showing Microsoft has patched at least 1 fresh vulnerability in XP SP2 in 18 of the last 19 months, with May 2009 being the notable exception.

And Softchoice notes that some 131 vulnerabilities were documented for Internet Explorer over the past 24 months. Since June 2008, Microsoft has issued 16 Critical Security Bulletins pertaining to Internet Explorer. Last month, June 2010, Microsoft issued 10 security updates, including a critical Internet Explorer update – to which XP SP2 was vulnerable, says Williams.

Continuous supply of fresh zero-day threats

In the summer of 2004, when I first began researching cyber threats, it took the cyber underground 26 days from the time Microsoft issued a Windows patch for a security flaw in RPC-DCOM to a bad guy releasing the MSBlast worm. Today, black hat researchers continuously flush out zero-day vulnerabilities and begin exploiting them before any patches are ready.

Cyber gangs are adept at locating and taking over control of Internet-connected PCs with unpatched security holes. Cybercriminals typically embed, then activate a malicious program inside the web browser. They harvest all of the PC owner’s sensitive data, then use the compromised PC to spread spam, sell worthless antivirus protection and probe deeper into corporate networks.

Cyberattacks have steadily escalated in recent years. “As soon as the next suitable vulnerability appears, I am expecting that attackers will seize the opportunity created by the large pool of unpatched SP2 machines,” says Kandek.

Frank Fellows, senior manager of press/analyst relations at Microsoft Services, says the software giant is optimistic. Says Fellows:

We are seeing an increasing number of customers migrate from Windows XP SP2 to SP3 or Windows 7. We are confident that as the word gets out and as customers understand the value of staying on a supported version of Windows that they will upgrade their PC to the version that’s right for them. Customers are highly encouraged to migrate to the latest supported service pack which is the latest and most secure version of their product. Staying on a supported service pack is the only way to ensure continued access to security updates and the ability to escalate support issues within Microsoft.

By Byron Acohido
