I said in September 2013 that the security situation around Java 6 had gotten much worse. In our recently released 2013 Annual Threat Roundup, one thing we looked into is the current state of attacks against Java vulnerabilities. What we see in that report confirms that as of the end of 2013, the Java 6 security situation has indeed gotten worse. And if we take what we see about attacks against Java 6 and apply it to Windows XP when it goes out of support in April 2014, it paints a grim picture of what we can expect in 2014. Our 2013 Annual Threat Roundup shows that the clouds are gathering for a possible perfect storm when Windows XP goes out of support, with Java 6 and Windows XP together leaving roughly 160 unpatched vulnerabilities per year.
First, what does the 2013 Annual Threat Roundup tell us about the current Java 6 situation? Our analysis showed that in 2013 attacks against Java constituted 91% of all web-based attacks. That’s not surprising given the rash of zero-day vulnerabilities affecting all versions of Java throughout 2013. Our analysis also shows that at the end of 2013, 50% of all attacks against Java targeted two vulnerabilities that will never be patched on Java 6: CVE-2013-2465 (30%) and CVE-2013-2463 (20%). These two vulnerabilities are relatively new; they only became publicly known as part of Oracle’s June 2013 quarterly patch release, and attacks against them only surfaced in August 2013. The fact that these vulnerabilities skyrocketed to capture 50% of the attack “market” in such a short time tells us that attackers recognize the value in targeting vulnerabilities that won’t ever be patched.
There’s good reason for attackers to make this shift. We note in our report that when support for Java 6 ended, 76% of organizations were still running it. It’s doubtful that number has diminished much since then. And because nothing in that pool will ever be fixed, the number of unpatched Java 6 vulnerabilities can only grow. By the end of Q3 2013, we note there were already 31 unpatched vulnerabilities for Java 6. That encompasses two of Oracle’s quarterly patch releases, so we can roughly extrapolate about 60 unpatched vulnerabilities per year for Java 6.
What does this tell us we can expect when Windows XP goes out of support in April? First, Windows XP still accounted for 30% of Windows systems out there at the end of 2013. Like Java 6, Windows XP will still be widely used when support ends and unpatched vulnerabilities start to accumulate. And we can make an educated guess at how many vulnerabilities will be disclosed for supported versions of Windows that also affect Windows XP and won’t be patched there, similar to what happened with Java 6 and CVE-2013-2465 and CVE-2013-2463.
To make this estimate, I analyzed Microsoft’s Security Bulletin data for Windows vulnerabilities in 2013. I found that there were 104 vulnerabilities affecting Windows XP. Eighty-eight of these vulnerabilities also occurred on Windows Vista and/or Windows 7 (I didn’t count Windows 8). In other words, if Windows XP had been out of support in 2013, we would be counting 88 unpatched vulnerabilities for that platform from Microsoft’s own security bulletins alone. That doesn’t count vulnerabilities found by independent researchers. If we estimate one vulnerability found independently per month (very conservative), it’s reasonable to estimate about 100 unpatched vulnerabilities for Windows XP in one year. Not every vulnerability leads to an attack, but a pool of 100 unpatched vulnerabilities per year is a large pool of vulnerabilities.
The pool of potential targets is large too. Windows XP will likely remain above 20% of systems connected to the Internet for a while. The situation is worse in some industries, too. It’s estimated that 95% of ATMs are still running Windows XP, and there’s no rush to change that. My colleague at Microsoft, Tim Rains, noted: “I have talked to some customers who, for one reason or another, will not have completely migrated from Windows XP before April 8. I have even talked to some customers that say they won’t migrate from Windows XP until the hardware it is running on fails.” A large number of unpatched vulnerabilities affecting a large number of potential targets is frightening.
With this all in mind, we can extrapolate from what we’re seeing with Java 6 that attackers will aggressively target unpatched Windows XP vulnerabilities as soon as they become known. And given that many of these Windows XP machines will have Java 6 on them as well, these systems will be vulnerable to the aggregate unpatched vulnerabilities affecting Java 6 and Windows XP. Based on my calculations, that’s in the neighborhood of 160 unpatched vulnerabilities combined per year.
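The extrapolation in the paragraphs above (count the vendor-bulletin vulnerabilities that affect the end-of-life platform and also a still-supported version, annualize that count, then add an assumed rate of independent discoveries) is mechanical enough to script, and the same method applies to any platform approaching end of support. The following Python is an added example, not code from the original post or from Trend Micro: the bulletin records are constructed placeholders, not real Microsoft bulletins, and the product labels, function names and the six-month window assumed for two quarterly Java releases are my assumptions.

```python
"""Estimate the yearly pool of never-to-be-patched vulnerabilities a platform
inherits after end of support, from vendor bulletin records.

Added example. All records below are CONSTRUCTED placeholders; the bulletin
and CVE identifiers are not real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BulletinEntry:
    bulletin: str         # vendor bulletin id (placeholder)
    cve: str              # CVE id (placeholder)
    affected: frozenset   # product labels the vendor lists as affected


# Constructed sample shaped like bulletin data. Note one CVE (0005) appears in
# two rows, as happens when a bulletin lists it per affected product; counting
# by CVE rather than by row avoids double counting.
SAMPLE_BULLETINS = [
    BulletinEntry("MSYY-001", "CVE-YYYY-0001", frozenset({"XP", "Vista", "7"})),
    BulletinEntry("MSYY-001", "CVE-YYYY-0002", frozenset({"XP"})),
    BulletinEntry("MSYY-002", "CVE-YYYY-0003", frozenset({"Vista", "7"})),
    BulletinEntry("MSYY-002", "CVE-YYYY-0004", frozenset({"XP", "7"})),
    BulletinEntry("MSYY-003", "CVE-YYYY-0005", frozenset({"XP", "Vista"})),
    BulletinEntry("MSYY-003", "CVE-YYYY-0005", frozenset({"XP"})),
]


def cves_affecting(entries, product):
    """Distinct CVE ids whose affected list includes `product`."""
    return {e.cve for e in entries if product in e.affected}


def eol_exposure(entries, eol_product, supported_products):
    """Return (total CVEs affecting eol_product, subset also affecting a
    still-supported product).

    The subset is the part that keeps being disclosed through bulletins for
    the supported versions after EOL, so attackers learn of it, yet it is
    never fixed on the EOL platform.  This mirrors the post's 104 / 88 split.
    """
    supported = set(supported_products)
    on_eol = cves_affecting(entries, eol_product)
    shared = {
        e.cve for e in entries
        if eol_product in e.affected and e.affected & supported
    }
    return len(on_eol), len(shared)


def annualize(count, months_observed):
    """Scale a count observed over `months_observed` months to a full year."""
    if months_observed <= 0:
        raise ValueError("months_observed must be positive")
    return round(count * 12 / months_observed)


def estimate_annual_unpatched(shared_count, months_observed, independent_per_month):
    """Yearly unpatched pool: annualized bulletin overlap plus an assumed
    rate of vulnerabilities found independently of the vendor."""
    return annualize(shared_count, months_observed) + independent_per_month * 12


def reproduce_post_figures():
    """Re-derive the post's own numbers from its stated inputs.

    Windows XP: 88 shared CVEs over 12 months + 1 independent/month -> 100.
    Java 6: 31 unpatched over two quarterly releases (assumed 6 months) -> 62,
    which the post rounds to about 60.  Combined -> 162, about 160.
    """
    xp = estimate_annual_unpatched(88, 12, 1)
    java6 = annualize(31, 6)
    return {"xp": xp, "java6": java6, "combined": xp + java6}


if __name__ == "__main__":
    total, shared = eol_exposure(SAMPLE_BULLETINS, "XP", ["Vista", "7"])
    print(f"sample: {total} CVEs hit XP, {shared} also hit a supported version")
    # The sample spans three bulletins, treated here as three monthly releases.
    print("sample annual estimate:", estimate_annual_unpatched(shared, 3, 1))
    print("post figures:", reproduce_post_figures())
```

Run against real bulletin exports, the interesting number is the `shared` count: it is the portion of the pool that will be publicly documented every patch cycle without ever reaching the retired platform, which is exactly the dynamic the post describes for CVE-2013-2465 and CVE-2013-2463 on Java 6.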
Our 2014 predictions talk about attacks against unpatched vulnerabilities as a major trend in the coming year. Thanks to our 2013 Annual Threat Roundup and some analysis of Microsoft’s and Oracle’s patch data, we now have a more concrete picture of what this might look like. It’s fair to say that we have never seen anything like this before. This truly is unprecedented territory.