The phrase “perfect storm” is overused in our field; only “digital Pearl Harbor” is more overused in my experience. This is a problem because when the conditions that merit this phrase do occur, we can be slow to respond appropriately because we tune out the phrase. As we outlined in our predictions for 2014, “Blurring Boundaries: Trend Micro Security Predictions for 2014 and Beyond”, when it comes to Windows XP and Java 6, we really do have unprecedented conditions coming together for a perfect storm for attacks against these legacy platforms. The coming end of support for Windows XP combined with Java 6 (which is already out of support) and the issue of how broadly these legacy platforms are deployed means we are likely looking at the largest number of unpatched and attackable vulnerabilities in history. If that doesn’t describe a perfect storm, I don’t know what does.
To understand why this situation is so serious, we should look first at Java 6. Oracle stopped providing updates to address security issues in Java 6 in February 2013. By August 2013 we were seeing widespread, active attacks against unpatched vulnerabilities on Java 6. By September we saw additional attacks and increased sophistication in those attacks. Because there is never another security update coming for Java 6, the effect of each new attack is cumulative in terms of the risk to those running Java 6. It’s appropriate to think of Java 6 now as a platform that is becoming ever more riddled with holes as each day goes by. In August we said that 50 percent of users were still using Java 6, and there’s no indication that number has changed significantly. This creates a huge pool of vulnerable users and systems, all the more so when we remember that Java is present in a whole host of devices that can’t ever be updated. Java 6 helped power some of the first stages of the “Internet of Everything” (IoE). And now that part of the Internet of Everything is permanently vulnerable to attack.
The Java 6 situation is a harbinger of what we can expect will start to happen on April 12, 2014, the day after the last security updates for Windows XP are released. On that day, Windows XP will be subject to the same problem of the cumulative effects of new vulnerabilities being found as we see with Java 6. Each new vulnerability found will permanently damage the soundness of the operating system. We can expect the situation to worsen regularly month-by-month as attackers use the security fixes for the supported versions of Windows as a roadmap to possible vulnerabilities in Windows XP. Given that nearly every vulnerability affecting all versions of Windows released since Windows XP also affects Windows XP, it’s a sure thing that the roadmap will lead attackers to attackable vulnerabilities. As of today, about 20 percent of computers, or 500 million people, are running Windows XP. An informal survey by me shows restaurants, doctors’ offices, and small businesses all happily running Windows XP today. And, unfortunately, the broad resistance to (or outright rejection of) Windows 8 by users only makes this situation worse: people are choosing to stay on an increasingly dangerous operating system because, to them, the new version is perceived as unusable and is a greater risk than abstract security risks. As we approach April 2014, we have more people running a version of Windows that’s about to go out of support than we’ve ever seen before (I should know, I dealt with this for 10 years at Microsoft). This situation is truly unprecedented in that regard.
Come April 2014, the pool of no-longer-supported Windows XP systems will combine with the pool of unsupported Java 6 systems, creating the largest collective pool of unpatched vulnerabilities we have seen. And it will only get worse over time.
At Trend Micro, we are working to help mitigate this situation. Our products Deep Security and OfficeScan with the Intrusion Defense Firewall module will provide some protections for unpatched vulnerabilities on Java 6 and Windows XP. But that’s only a mitigation: the best solution for everyone is to remove Java 6 and Windows XP as soon as possible. Because, come May 2014, things may get very, very ugly.