By Derek Manky
In June 2008, Microsoft officially announced that it planned to discontinue support for its popular but aging Windows XP operating system by April 2014.
To many system administrators’ chagrin, the move will galvanize many organizations to begin migrating to newer operating systems, such as Windows 7 or the much anticipated and soon-to-be-released Windows 8. Unfortunately, during this process, legacy XP systems will become increasingly vulnerable to zero-day attacks and other security threats. The sudden absence of support for XP leaves a void that will likely be filled by a slew of old and/or soon-to-be-discovered vulnerabilities and subsequently give rise to a new crop of security exploits that specifically target these legacy systems, which are now devoid of security updates or support.
After a recent FortiGuard Labs malware database query where our threat research team looked at the same day of each year for the last 13 years, the team analyzed the number of vulnerabilities the systems captured and concluded that older operating systems typically have more exploit activity due to the fact that myriad exploit kits and existing malicious code have had ample time to mature and circulate. It’s also harder today to get a working rootkit for Windows 7 than Windows XP thanks to Microsoft technology such as PatchGuard, which protects the kernel of an operating system from being unduly modified.
An August 2012 snapshot of reported attacks from the start of this year shows that a massive number of attacks are based on exploits discovered many years ago. FortiGuard reports 47 million instances of attacks based on exploits discovered in 2004 alone!
The abrupt rise in exploit attempts represents a stark contrast to detected exploit attempts in more recent versions of Windows, all of which remain under a million from exploits discovered in 2010 and onwards.
“If you look at the number of exploits discovered in 2011, the number of attack attempts was down to around 425,000, versus the 2.9 million we saw for exploits found in 2009,” said Derek Manky, Senior Security Strategist for Fortinet. “The sad truth is that hackers are still successful going after older vulnerabilities, which really are low-hanging fruit since they have been known and unprotected against for ages.”
In comparison, the number of exploit attempts against new vulnerabilities discovered in 2012 remains well under five thousand, however that number will likely increase significantly in just a few years, Manky continued.
“It will be interesting to see at the end of the year—there may be 5,000 or 6,000 different exploit attempts based on vulnerabilities found in 2012,” Manky continued. “And three years from now, that volume is likely going to be a lot higher as tools are developed to exploit these newly-found exploits.”
The reason for the direct correlation between an operating system’s age and the number of exploit attempts often boils down to more complicated patch management issues and a lack of vendor support and security mechanisms coupled with a remaining base of users who continue to rely on their legacy systems, Manky says.
“You look at older operating systems now that are end of life, and there’s no more support. That’s part of the problem,” he says.
The other part of the problem is the exponential rise of exploits in aging systems; specifically, the rise of crimeware as a service. Simply put—the older the vulnerability, the more time there is for hackers to obtain the necessary code in order to create and execute successful attacks against users.
Compounding the rise of legacy exploits is the issue of piracy, illustrated by the proliferation of the Conficker worm in 2009. Numerous versions of the sophisticated Conficker worm wreaked havoc on millions of users’ Windows machines worldwide after springing from a patched RPC vulnerability. Experts attributed the proliferation of attacks to the pervasiveness of pirated software, which prevented users from installing the update that repaired the flaw.
“A large part problem is the fact that the longer a vulnerability remains unpatched on a PC, the more likely it is hackers will have built automated tools or aggressive worms that scan large chunks of the Internet looking for these unpatched devices to exploit,” Manky says. “Our data clearly shows massive spikes in attacks where worms such as Slammer, Sasser and Blaster exploited vulnerabilities in those years.”
And looking forward, there is not much that users of legacy systems can do to protect themselves except to apply all the same security best practices, such as keeping their systems updated with the latest patches whenever possible and having a security solution in place to protect against known legacy attacks, as well as any newly discovered attacks.
And ultimately, when the operating system is nearing end of life, administrators need to carefully consider the true cost of maintaining these legacy systems: is it worth keeping these easily-exploited machines online? Or is it time to send them to pasture? Eventually, they’re going to have to retire.
Thanks to Fortinet!
Please keep in mind that comments are moderated and
rel="nofollow" is in use. So, please do not use a spammy keyword or a domain as your name, or it will be deleted. Let us have a personal and meaningful conversation instead.
You must be logged in to post a comment.