Tuesday, April 8, 2014, is the last Patch Tuesday for Windows XP. A lot of sources are stating that the malware community is sitting on a treasure trove of unused zero-day exploits for Windows XP (and newer versions of Windows, but newer versions will get patched; XP won’t unless you pay for the privilege).
The next few days will show whether this is the case. On Tuesday, when the last patches for XP are released, zero-day writers will check whether their exploits are covered by the patches and, if not, will either use them themselves or offer them up on the open market.
The malware community has a quite well-established market, using the Tor network and bitcoins to keep anonymity while providing trust between various criminals. Some of the malware writers and zero-day creators are so sophisticated that they offer development kits, APIs and even help desk services for their products.
It’s not just the “bad” guys involved in this trade, as governments and security companies are also in the mix. Some accuse security firms and antivirus firms of being on both sides of the transactions at times, but there is no hard evidence of this, while rumors persist. A big part of this scene is state security actors who will buy zero days to use against their foes; the Flame and Stuxnet malware families were created by various American and Israeli departments and used zero-day exploits purchased from malware writers. Papers released by Edward Snowden confirm that the NSA has a huge budget for acquiring zero days.
I am not 100% sure how this will unfold, but it could take a couple of turns. Either every possible exploit will be used all at once on XP to take advantage of this time while users are confused about whether they should move away from XP, or the zero-day writers may test the waters and release only a few to see whether they get patched anyway or whether there will be no patching, and then, once they have their answer, let go with everything in either a staged assault or a free-for-all.
We don’t commonly see the malware writers as organised, but they are showing a lot of co-ordination at the moment, and they may be using strategies as opposed to opportunistic mayhem.
Don’t forget that a lot of these zero days will not just be against XP; many will be against the whole Windows line. Just upgrading won’t make you immune, but because you upgraded, you can later be patched.
Patching for problems with Windows 7 and 8 will provide more opportunities for malware writers to continue attacking Windows XP. Each new patch issued for the current versions of Windows may fix something that is common to XP, where it stays unpatched. By reverse engineering these updates and trying the same thing with Windows XP, a malware writer can find “new” ways to attack XP, making it even less secure than ever.
Normally I am all for open source, but today brings news that may allow open source to be used against Windows users: Microsoft open sourced .NET. Now, it is not all of .NET, and it is not the first part of .NET they have open sourced, but the issue is that suddenly there is a whole pile more Windows code available to developers, and it is new enough that not everything will have been gone through by many people. While this is true, until the many eyes find the many bugs, there is room for malware writers to use the newly released code to find more zero-day exploits. Hopefully, with more eyes on the code, these will be found by the “good” guys before they are exploited, but it is a new area of concern.
April will be an interesting month on the malware front. The summer may prove to be just as interesting, and we have to be vigilant and proactive when new zero-day exploits are discovered: patch everything as soon as there are patches, and implement workarounds where we don’t have patches yet.
So what should you do about it for your computer(s)? First, do you know whether you are using Windows XP? If you don’t know and you have a My Computer icon on your desktop, right-click it and select Properties. The dialog that comes up will tell you what version of Windows you are running. If you don’t have a My Computer icon, press the Windows key (the one with the Windows flag) and the Pause/Break key at the same time. If that pops up a window, you have Windows, and the dialog will tell you the version.
Another way to tell, if that is too complicated, is to browse with your web browser to http://amirunningwindowsxp.com
If you are running Windows XP, I suggest upgrading to a newer version of Windows immediately, if not sooner. Or, if the price is too high or your computer too slow, and you have someone near who can help you, switch to Ubuntu Linux for free. (Download and burn the live CD from Ubuntu.)