Quo Vadis Windows XP?


Welcome to my very first blog on this website. I am going to do something a blogger probably never should do in his first post, unless of course (s)he wants to deliberately damage his reputation: make a prediction.

Before I get cold feet, here it is: ICS and critical infrastructure are in for another hit in the summer of 2014.

Ok, such systems already have a very hard time security-wise; there are Stuxnet, Flame, plus whatever other undiscovered malware is out there. We find an increasing number of reported vulnerabilities, leading senior advisors like the US Defence Secretary Leon Panetta to talk about the risk of potential imminent attacks on critical infrastructure, causing a “digital Pearl Harbor”.

But there is a new ingredient in the pipeline to add to the mix: On April 8th 2014 Microsoft will end all extended support for Windows XP. No more extended support means no more hotfixes, security patches and service packs – or, as Gerald Himmelein from the German c’t magazine[i] puts it: “A flock of sheep without a guardian dog is a feast for a wolf”. Replace the animal references with XP, Microsoft and black hat hacker, and you see where he is coming from.

According to StatCounter[ii], XP still has (by March 2013) a market share of 22% – almost 3 times the market share of MacOSX. Literature and recent site visits make me believe that its market share in control systems is significantly higher, maybe as high as 40% to 50% (even though not all of these installations are necessarily easy targets for cyber-attacks).

If I were to discover and deploy a zero-day XP exploit, I would wait until April 2014, maximising its effectiveness. Alas, there is another important factor: the increasing trade in zero-day exploits. In other words, if I were to discover and trade a zero-day XP exploit, I would wait until April 2014 before I sell it, maximising its value.

Putting all this together means that there is potentially a wave of cyber attacks based on XP zero-day exploits looming around the corner. Control systems might not be the primary target of such attacks, but there is plenty of opportunity for collateral damage.

Time will tell how big this wave will be, and maybe I should have listened to Robert Storm Petersen (aka Storm P), the Danish humorist who once said: “It’s hard to make predictions – especially about the future”, but as the old saying goes, ‘fail to prepare and you prepare to fail’. How are you preparing for the drop of XP support?
