Kurt Shintaku's Blog

UPDATE 3/20/14:
It turns out that Tim Rains from Microsoft Trustworthy Computing did actually address this about 6 months ago on the Microsoft Security Blog but apparently it went under the radar for most.

• The Risk of Running Windows XP After Support Ends April 2014
  http://blogs.technet.com/b/security/archive/
  2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx

Paul Brennan from WhySettle, an IT network management company, wrote a straight to the point post about this exact matter as well:

• Reverse engineering patches exposes security gaps
  http://www.whysettle.co.uk/2014/01/reverse-engineering-patches-exposes-security-gaps

————–
ORIGINAL POST:

These are my thoughts on why Windows XP users will dangerously exposed after April 8th as I understand it.

SUMMARY:

1. After April 8th, 2014, Microsoft will publish security patches for Vista/Win7/Win8 that are not patched on Windows XP.
2. Malware writers reverse engineer these post-April 8th Windows Vista/7/8 patches to learn how to take advantage of the vulnerabilities they fix as they’re made available.
3. Windows XP, as a result, will be exposed to zero-day threats after every monthly Microsoft security patch Tuesday at possibly an increasing speed.

DETAIL:
I’ve read a lot of people that don’t believe that the end of support of Windows XP is a concern.  I really think this is foolish & here’s why:  There’s a number of things that people don’t often understand or take into consideration when they discount the “End of Support for Windows XP”:

• Microsoft can’t/doesn’t fix every vulnerability. 
  Microsoft receives information about lots & lots of vulnerabilities from both internal & external folks.  Most people know that Microsoft prioritizes the resources it has to focus on fixing vulnerabilities based on the threat they poses.  Of the worst potential threats, if the vulnerability is either actively being taken advantage of (“in the wild”) or about to release in the form of malware as an imminent threat, it gets the highest priority.
  … this leaves vulnerabilities on the table to be worked on next month when resources are freed up.
• It takes much longer to create a patch for Windows XP than it does for Windows Vista/7/8.
  The reason not every vulnerability is fixed is that it takes more resources & a longer amount of time to write patches for Windows XP than any current Windows OS – up to 6x as much.  The reason for this is Windows XP’s source code was designed/written during another programming era at Microsoft & is much harder to debug & test than Windows Vista & beyond.  One of the most significant fundamental improvements of Windows Vista was that it was much easier to understand the cascading impact of fixes/patches on the codebase than in prior releases.  The result is that patching Vista/7/8 is done in a fraction of the time of XP.
• Malware writers use security patches to write malware.
  This isn’t news to those in the security community but for non-techfolk, malware writers don’t need to discover new vulnerabilities:  They just simply wait until Microsoft releases security patches then reverse engineers them – i.e. picks them apart – to determine what flaw they patch, where in the OS the vulnerabilities are, then write malware to take advantage of unpatched systems.  This “piggybacking” technique was used, for example, in two of the largest, most notorious malware threats to hit the Internet – “SQL Slammer” and “MSBlast” – and caused hundreds of millions of dollars in damage.
• Windows Vista/7/8 patch releases should increase once no longer tied to Windows XP’s patch availability.
  Today’s vulnerability patches are uniformly released on a monthly basis across all supported versions of Windows on “Patch Tuesday”.  This is because the majority of Windows vulnerabilities often apply to other versions as well.  For example: If a vulnerability for Windows 7 was quickly patched & released but not Windows XP or Windows Vista, it would be easy for criminals to reverse engineer the Windows 7 patch, then write malware targeting the older OS’s for the same vulnerability.
  What this also means however, is that Windows Vista/7/8 patches are “held back” until Windows XP has the same patches written for it.  Remember what I said about Windows XP taking a ‘really long time’ to write patches for?  Yup.  Windows Vista/7/8 security is thus, effectively held back because of Windows XP.  So once Windows XP patch support ends, all other versions of Windows will start to have patches released for them, at a much quicker rate.

A few conclusions:

1. There’s a lot of vulnerabilities out there that remain unpatched.
2. After Windows XP support ends, those vulnerabilities will be patched on Windows Vista/7/8 at an increasingly rapid pace… but not for Windows XP.
3. Malware will be written targeting Windows XP computers, based on the release of these patches for newer versions of Windows.

Don’t be left vulnerable – Upgrade from Windows XP to Windows 7 or 8 today!  Visit http://www.windowsxp.com for more information.

Learn to make amazing Windows Phone apps at the upcoming Nokia DVLUP Day in San Diego and win big prizes just for participating. Join Nokia Developer Ambassadors as they provide hands-on Windows Phone development training in a dynamic and fun event. Whether you’re a seasoned developer or barely know how to code, you will walk away with the ability to write a mobile app.

With full sample source code and step-by-step instructions, you will learn how to make an app or game from scratch, or learn new techniques to enhance your current apps & games. No matter what you want to build – an app or a game – or what your programming skill level is, there are four individual tracks to choose from, which means there is something for everyone.

DVLUP Day is a unique community event that combines presentations by Windows Phone experts along with a hands-on workshop to help attendees get started on their apps. BRING YOUR LAPTOP! Work with our experts, get started on your app or game, publish it within 3 weeks after the event and get a free Windows Phone 8 device!

DVLUP Day was a huge hit with developers in 2013, with stops in Boston, Tampa, Sunnyvale and Vancouver. Just for showing up and learning, you’ll get hooked up with some cool DVLUP swag. This is going to be an awesome day in San Diego and we look forward to seeing you all there!

To pre-register and be notified once formal registration opens, please send an email to ext-becky.andrews@nokia.com.

• DATE/TIME:
  Apr 26, 2014 8AM – 8PM
• WEB SITE:
  http://www.dvlup.com/Events/230#

Multi-Factor Authentication for Office 365 Technical Support Webcast | March 11, 2014 (Webcast)     

What : Multi-Factor Authentication for Office 365 TECHNICAL SUPPORT WEBCAST, will talk about and demo Multi-Factor Authentication for Office 365 that has been recently released and covering how to set it up, how to use it, and how to resolve some of the common issues you might see

When : March 11, 2014 @ 9:00 AM (PST), 1 hour presentation

Where : Add this meeting to your calendar by clicking the above REGISTER NOW button, or use the iCalendar link attached, then click on the Lync meeting link in your calendar at the scheduled time to join the call

Who : Bill Fiddes is the Support Technical Readiness Program Manager for Windows Azure Active Directory and have been heavily involved in this release as well as writing support documentation

Office 365 Support Webcasts are a critical program for relieving support issues and encouraging foundation technical readiness, and are free of charge for both an internal and external audience. It is a great opportunity to have a conversation with Microsoft employees and get your questions answered. If you have questions regarding this webcast, please contact the IGNITE TEAM.

For more information on future Office Technical Webcasts visit the Ignite website.

You probably didn’t know this but we have an on going schedule of LIVE training events delivered by the Microsoft Virtual Academy – all FREE.  And the content is recorded for on-demand access after the event is over.

For example, here’s a few of the upcoming LIVE events:

• Using Git with Visual Studio 2013 Jump Start
  March 12, 2014 9:00am-5:00pm PDT
  In this demo-focused session, find out more about the excitement around Git—the wildly popular source control system. Experts Steven Borg and James Tupper give you a fundamental understanding of Git, show how it differs from other systems, and explore the benefits of using Git with Visual Studio Online and Windows Azure. If you want to learn more about Git and the benefits of using it within the Microsoft ALM stack, don’t miss this course!

• Windows 8.1 Deployment Jump Start
  March 12, 2014 9:00am-1:00pm PDT
  Do you want to deploy Windows 8.1 the "right way"? Find out how to avoid deployment pitfalls and how to streamline the process with Microsoft experts. Benefit from their real-life experience, as they teach you how to plan, configure, and manage client deployment to Windows-based computers using the Microsoft Deployment Toolkit (MDT). Save time and money by automating the process. Why learn the hard way?

• Software-Defined Networking with Windows Server and System Center Jump Start
  March 19, 2014 8:00am-1:00pm PDT
  Is your infrastructure outgrowing your current networking strategy? Want to simplify the process for managing your datacenter? Software-defined networking (SDN) can streamline implementation with self-service provisioning, take the complexity out of datacenter management, and help increase security with fully isolated environments. Join this Jump Start to get deep technical guidance, best practices, and lots of demos based on real-world datacenters with Windows Server 2012 R2 and System Center 2012 R2. Get your questions answered by the team who built this popular solution!

• DevOps – Visual Studio Release Management Jump Start
  April 9, 2014 9:00am-5:00pm PDT
  Developers and Project Managers, do you wonder how to implement DevOps principles to resolve delivery challenges? The popular "ALM Wednesdays" series continues with this fifth event, as Microsoft experts equip users of Visual Studio ALM with the necessary skills to build an effective release pipeline with the Release Management functionality provided by Visual Studio and Team Foundation Server.

Check out what’s coming up here:

• Microsoft JumpStart Series – Live Event Trainings
  http://www.microsoftvirtualacademy.com/Live-Training-Events
• RSS: Live Events – Trainings Coming Up
  http://www.microsoftvirtualacademy.com/RSS.aspx?type=liveevents&culture=en-US
• RSS: Recorded Events – Available On-Demand
  http://www.microsoftvirtualacademy.com/RSS.aspx?type=recordedevents&culture=en-US

Missed this one too.  If you’re running System Center Configuration Manager 2012/2012 R2, this is a must get.

Microsoft System Center: Troubleshooting Configuration Manager
Rushi Faldu, Manoj Kumar Pal, Andre Della Monica, Kaushal Pandey, and series editor Mitch Tulloch
November 2013
108 pages

Part of a series of specialized guides on System Center—this book addresses the most common pain points for Configuration Manager administrators, providing insider and from-the-field insights to help you succeed. Written by experts on the Microsoft System Center team and with Microsoft MVP Mitch Tulloch as series editor, this title delivers concise technical guidance as you step through key concepts and tasks.

• Download the PDF (6.4 MB)
• Download the EPUB file (24.3 MB)
• Download the Mobi for Kindle file (44.2 MB)

Somehow I missed this.  We released an eBook recently about optimizing System Center Service Manager, Microsoft’s help desk & ticketing solution that natively integrates with Configuration Manager (for PC information) & Operations Manager (for alerts & ticket creation).

Microsoft System Center: Optimizing Service Manager
Thomas Ellermann, Kathleen Wilson, Karsten Nielsen, John Clark, and series editor Mitch Tulloch
December 2013
96 pages

Part of a series of specialized guides on System Center—this book provides a framework for planning and delivering a successful Service Manager project. Written by experts on the Microsoft System Center team and with Microsoft MVP Mitch Tulloch as series editor, this title delivers concise guidance, from-the-field insights, and best practices for optimizing and maintaining your Service Manager environment.

• Download the PDF (3.2 MB)
• Download the EPUB file (19.7 MB)
• Download the Mobi for Kindle file (44.2 MB)
• Download the book’s companion files (689 Bytes)

Microsoft Press just released the following 136 page eBook for free:

Microsoft System Center: Building a Virtualized Network Solution
Mitch Tulloch with Nigel Cain, Alvin Morales, Michel Luescher, Damian Flynn
February 2014
136 pages

This book is geared to private and hybrid cloud architects preparing to design and build a virtualized network solution based on Windows Server 2012 and System Center 2012 SP1, or later. Written by experts on the Microsoft System Center team and with Microsoft MVP Mitch Tulloch as series editor, this title focuses on architecture and design.

• Download the PDF (6.68 MB)
• Download the EPUB file (25.4 MB)
• Download the Mobi for Kindle file (45.4 MB)

The webcast on the NBC Olympics Live stream from Microsoft and iStreamPlanet is now available on-demand at the link below. 

• Streaming the Olympics: A case study in moving media processing to the cloud
  http://www.streamingmedia.com/Webevents/594-Streaming-the-Olympics-A-case-study-in-moving-media-processing-to-the-cloud.htm

• Video: How did iStreamPlanet Live Stream the Olympics?
  http://www.istreamplanet.com/istreamplanet-video/did-istreamplanet-stream-the-olympics/

Some of you may have seen this posted Monday on the Windows blog along with our new data transfer tool:

On March 8th, 2014, Windows XP customers using the Home or Professional editions who have elected to receive updates via Windows Update will receive an official notification on their desktop screen via Windows Update informing them that support for Windows XP will end on April 8th, 2014.

http://blogs.windows.com/windows/b/windowsexperience/archive/2014/03/03/new-windows-xp-data-transfer-tool-and-end-of-support-notifications.aspx

Please note that this pop-up only goes to consumer (unmanaged) Windows XP PCs. For those PCs affected, there is no “XP Blocker Toolkit” nor is there a registry key that can be set to block the update, however a single click on the checkbox will disable it forever. If the computer is managed by WSUS, it will not by default receive the pop-up.

Additional details on this message:

• The pop-up will recur monthly (on the 8th of every month at 3:00 p.m. local time, and the code will continue to show the message on this schedule indefinitely or until the user disables the notification)
• If the user is not logged in during the scheduled time, the message will be shown the next time s/he logs in.
• If there are multiple user accounts on the machine, the scheduled task is tied to the user who is logged in when the update is installed and only he/she will see the notification.
• The notification will direct customers to this end of support web page:
  http://windows.microsoft.com/en-US/windows/end-support-help 

If you’ve made investments in Windows Server, you may want further understand how to take advantage of Windows Azure for sending workloads to the cloud for more elastic, more cost-effective operations.

Microsoft’s growth is predominantly a result of the growth of Windows Azure: Azure now accounts for close to 90% of all web-facing computers at Microsoft. Windows Azure has grown by almost 50% since May 2013, during the February 2014 Web Server survey Netcraft found 27,000 web-facing computers (both Windows and Linux) using the cloud computing platform.  Many of Microsoft’s own services are powered by Windows Azure including Office 365, Xbox Live, Skype, and OneDrive.

Windows Azure Web Sites service — available to the general public since June 2013 — may be the driving force behind Azure’s growth. This Platform as a Service allows existing applications written in ASP, ASP.NET, PHP, Node.js, or Python to be deployed on an automatically scaling platform without managing individual computers. Microsoft also provides pre-configured software packages, such as WordPress, which can be used immediately with the Web Site service.

Read more here:
http://microsoft-news.com/report-microsoft-edges-ahead-of-amazon-to-become-the-largest-windows-hosting-company/