What threats does the end of Windows XP service bring?

Source: Internet
Author: User

Today, Windows XP, the oldest operating system in Microsoft's history, officially stops receiving service. Windows XP is not only a long-lived operating system but also has a broad user base, so this event has a huge impact on China. Although everyone knows that the end of service means security is no longer guaranteed, many people do not know what specific threats the end of XP service brings. How to deal with it is seen as an important opportunity for the development of information security in China. CERT, the independent security vendor in China, explains the XP end-of-service event in terms of threats and responses.

This article describes the threats after XP service stops.

First, system vulnerabilities cannot be officially repaired.

Xiao XinGuang, Chief Technical Architect of Cert laboratory, said that the first threat of the end of XP service is that system vulnerabilities can no longer be officially repaired. XP is a system with a long history, yet the number of vulnerabilities has increased year by year in recent years. The deeper reason is the evolution of Microsoft's operating systems: from early Windows to WinXP, Vista, Win7 and so on, the NT architecture has been used throughout. The long, continuous iterative development process and the large amount of reused code have created correlations between vulnerabilities, so vulnerabilities overlap heavily across versions.

As a result, the vast majority of attackers do not discover vulnerabilities in the system themselves; instead, when a patch is released, they rely on comparing the new and old versions to find the overflow point. As a hypothetical example, after the patch for the famous MS08-067 is released, an attacker may compare the later version with the previous one and find the point that Microsoft modified to counter the vulnerability.

Therefore, after XP service stops, Microsoft continues to release patches for other Windows versions, but XP no longer receives official patches. Hackers can find the vulnerability in the XP version through this comparison, and the balance between attack and defense is damaged to some extent. This is the first problem.

APT attacks caused by the software environment cap

The end of XP service may also cause new security problems because of the software environment cap. Take Internet Explorer and Office as examples. It is understood that after XP service stops, IE8 will no longer be updated, so IE may also become a focus for attackers. For example, CVE-2013-1347 last May exploited an IE vulnerability to attack a specific version of Internet Explorer. Of course, every version of Internet Explorer will inevitably have vulnerabilities, but the IE version at the XP cap may suffer more concentrated attacks.

The other is the cap on the Office version. XP supports up to Office 2010. Microsoft has been improving the built-in security mechanisms of its main applications and will continue to improve them for versions later than 2013, but for previous versions of Office it will only issue patches and will not synchronize the latest security mechanisms.

Xiao XinGuang said that this is an important threat distribution point. According to CERT's long-term research on APT attacks, Office-based format overflows occupy an extremely important position in APT attacks. For example, in the APT attack events we are familiar with, a format-overflow method can be found in the retrospective reports. Therefore, more attention needs to be paid to this area.

Unable to obtain updates to new security mechanisms

It must be acknowledged that Microsoft is continuously improving security mechanisms such as DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), and UAC (User Account Control). However, these start from XP SP2, and later versions cannot be enhanced or updated in step. XP will not be supported with these security capabilities in the future.

The impact of the end of XP service is huge, and the potential threat landscape changes even more. For the black market, unpublished vulnerabilities in the XP system may be found based on vulnerability disclosures for other versions, and the success rate of targeted attacks will increase greatly. Vulnerabilities in software versions that are no longer officially fixed, including Office vulnerabilities, may raise the overall general security threat. We must therefore prepare for these security risks.
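One way to start that preparation is to find out which machines fall under each of the three threats described above. The following is an added example, not part of the original article: it audits an asset inventory and flags XP hosts together with the capped IE and Office versions on them. The CSV column names, the sample hosts and the finding codes are assumptions made for illustration; the version mappings (XP reports NT 5.1, Office 2010 is 14.x) are the only external facts used.

```python
import csv
import io

# Constructed sample inventory: hostnames and build numbers are illustrative only.
SAMPLE_INVENTORY = """host,os_version,ie_version,office_version
fin-ws-01,5.1.2600,8.0.6001,14.0.7015
hr-ws-07,6.1.7601,11.0.9600,15.0.4569
lab-pc-03,5.1.2600,6.0.2900,11.0.8173
kiosk-02,5.1.2600,8.0.6001,
"""

XP_NT_VERSION = (5, 1)   # Windows XP (32-bit) reports NT 5.1
IE_CAP_MAJOR = 8         # IE8 is the last IE available on XP
OFFICE_CAP_MAJOR = 14    # Office 2010 is 14.x, the last Office for XP


def major_minor(version):
    """Parse 'a.b[.c...]' into (a, b); return None if empty or malformed."""
    parts = (version or "").strip().split(".")
    try:
        return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None


def audit_host(row):
    """Return finding codes (hypothetical names) for one row; [] if not XP."""
    if major_minor(row["os_version"]) != XP_NT_VERSION:
        return []
    findings = ["OS_NO_PATCHES", "NO_NEW_MITIGATIONS"]
    for field, cap, name in (("ie_version", IE_CAP_MAJOR, "IE"),
                             ("office_version", OFFICE_CAP_MAJOR, "OFFICE")):
        ver = major_minor(row.get(field, ""))
        if ver is None:
            continue                              # not installed or unknown
        findings.append(name + "_CAPPED")         # cannot move past the XP cap
        if ver[0] < cap:
            findings.append(name + "_BELOW_CAP")  # older than the cap itself
    return findings


def audit(inventory_csv):
    """Map host -> findings for every XP host in a CSV inventory."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = audit_host(row)
        if findings:
            report[row["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, ", ".join(findings))
```

Hosts that carry a `_BELOW_CAP` finding can still be moved up to the cap version; hosts with only `_CAPPED` findings have no further upgrade path on XP and are candidates for migration or isolation.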
