I was chatting with a mate at TechED AU and he idly wondered if malware developers were starting to stockpile their zero day exploits for Windows XP given that the end of support deadline of April 2014 is drawing closer.
It’s an interesting question. After 13 years being serviced, how many as yet publically undisclosed substantive vulnerabilities still exist in the operating system and if they did, would malware developers wait until Microsoft is no longer actively patching these systems before publically releasing them?
When XP falls out of support there will be tens, if not up to 250 millions of computers still using the operating system. This is based on the guestimate that over a billion computers are in circulation and connected to the internet and that by April 2014 roughly a quarter of them will still be running Windows XP.
There’s a couple of reasons I suspect that the zero days aren’t being hoarded. The first of which is that if someone else discovers the same zero day and sells it first, the hoarded zero day becomes worthless. If you are in that game, you’ll probably want to sell as soon as possible as the longer you wait, the more likely someone is to find and capitalize on the same exploit. The second is that most of the top tier malware developers have already moved on from Windows XP to other targets. In general you don’t need a zero day exploit to attack a computer running Windows XP as the OS is still vulnerable to many more established attacks even when it’s fully up-to-date. This means that the price you can get for a shiny new exploit for Windows XP is substantially less than the price you could get for a Windows 8, iOS, or Mac OS X exploit. So while it's possible that people are hoarding exploits, it seems unlikly that they'd actually do so. Time will tell and the security landscape post April 2014 will definitely count as "interesting times".