Posted by: kurtsh | March 17, 2014

COMMENTARY: Why users need to upgrade from Windows XP in 2 words: “Reverse Engineering”


UPDATE 3/20/14:
It turns out that Tim Rains from Microsoft Trustworthy Computing did actually address this about 6 months ago on the Microsoft Security Blog but apparently it went under the radar for most.

Paul Brennan from WhySettle, an IT network management company, wrote a straight to the point post about this exact matter as well:


These are my thoughts on why Windows XP users will dangerously exposed after April 8th as I understand it.


  1. After April 8th, 2014, Microsoft will publish security patches for Vista/Win7/Win8 that are not patched on Windows XP.
  2. Malware writers reverse engineer these post-April 8th Windows Vista/7/8 patches to learn how to take advantage of the vulnerabilities they fix as they’re made available.
  3. Windows XP, as a result, will be exposed to zero-day threats after every monthly Microsoft security patch Tuesday at possibly an increasing speed.

I’ve read a lot of people that don’t believe that the end of support of Windows XP is a concern.  I really think this is foolish & here’s why:  There’s a number of things that people don’t often understand or take into consideration when they discount the “End of Support for Windows XP”:

  • Microsoft can’t/doesn’t fix every vulnerability
    Microsoft receives information about lots & lots of vulnerabilities from both internal & external folks.  Most people know that Microsoft prioritizes the resources it has to focus on fixing vulnerabilities based on the threat they poses.  Of the worst potential threats, if the vulnerability is either actively being taken advantage of (“in the wild”) or about to release in the form of malware as an imminent threat, it gets the highest priority.
    … this leaves vulnerabilities on the table to be worked on next month when resources are freed up.
  • It takes much longer to create a patch for Windows XP than it does for Windows Vista/7/8.
    The reason not every vulnerability is fixed is that it takes more resources & a longer amount of time to write patches for Windows XP than any current Windows OS – up to 6x as much.  The reason for this is Windows XP’s source code was designed/written during another programming era at Microsoft & is much harder to debug & test than Windows Vista & beyond.  One of the most significant fundamental improvements of Windows Vista was that it was much easier to understand the cascading impact of fixes/patches on the codebase than in prior releases.  The result is that patching Vista/7/8 is done in a fraction of the time of XP.
  • Malware writers use security patches to write malware.
    This isn’t news to those in the security community but for non-techfolk, malware writers don’t need to discover new vulnerabilities:  They just simply wait until Microsoft releases security patches then reverse engineers them – i.e. picks them apart – to determine what flaw they patch, where in the OS the vulnerabilities are, then write malware to take advantage of unpatched systems.  This “piggybacking” technique was used, for example, in two of the largest, most notorious malware threats to hit the Internet – “SQL Slammer” and “MSBlast” – and caused hundreds of millions of dollars in damage.
  • Windows Vista/7/8 patch releases should increase once no longer tied to Windows XP’s patch availability.
    Today’s vulnerability patches are uniformly released on a monthly basis across all supported versions of Windows on “Patch Tuesday”.  This is because the majority of Windows vulnerabilities often apply to other versions as well.  For example: If a vulnerability for Windows 7 was quickly patched & released but not Windows XP or Windows Vista, it would be easy for criminals to reverse engineer the Windows 7 patch, then write malware targeting the older OS’s for the same vulnerability.
    What this also means however, is that Windows Vista/7/8 patches are “held back” until Windows XP has the same patches written for it.  Remember what I said about Windows XP taking a ‘really long time’ to write patches for?  Yup.  Windows Vista/7/8 security is thus, effectively held back because of Windows XP.  So once Windows XP patch support ends, all other versions of Windows will start to have patches released for them, at a much quicker rate.

A few conclusions:

  1. There’s a lot of vulnerabilities out there that remain unpatched.
  2. After Windows XP support ends, those vulnerabilities will be patched on Windows Vista/7/8 at an increasingly rapid pace… but not for Windows XP.
  3. Malware will be written targeting Windows XP computers, based on the release of these patches for newer versions of Windows.

Don’t be left vulnerable – Upgrade from Windows XP to Windows 7 or 8 today!  Visit for more information.


%d bloggers like this: