Microsoft yesterday pulled out the big guns — a fear-of-God approach — to scare users into dumping Windows XP, telling them that the most popular tasks done on a PC will put them in the crosshairs of cyber criminals.
While the advice wasn't this specific, it amounted to telling customers to switch off their older PCs and never turn them back on.
The Tuesday post by Tim Rains, director of Microsoft's Trustworthy Computing group, was similar in theme but more urgent in tone than one he wrote last October when he said that after April 8, the chance that malware will infect XP PCs could jump by two-thirds.
"I want to share some of the specific threats to Windows XP-based systems that attackers may attempt after support ends, so that these customers can understand the risks and hopefully decide to immediately upgrade to a more secure version of Windows, or accelerate existing plans to do so," Rains wrote.
Microsoft will issue the final public security updates for Windows XP on April 8, marking the official retirement of the 13-year-old operating system. XP-powered PCs will continue to run, but any vulnerabilities uncovered by researchers — whether white hat, gray hat or black hat — will not be patched.
The assumption by Microsoft and virtually every security expert is that hackers will then begin targeting XP machines more aggressively because of the aged OS's prominence. According to Web measurement vendor Net Applications, nearly a third of all Windows systems still run XP.
Citing statistics that Microsoft compiles from its antivirus software and its regularly-updated malware cleaning tool, Rains said that the top two risks for XP users after April 8 are browsing the Web and opening email.
"Since browsing the Internet is a risky proposition if running on out-of- support systems like Windows XP after April, small businesses and consumers should limit where they go to on the Internet to help manage the risk," Rains advised. He also said opening email or using an instant messaging (IM) client would be a bad idea, as exploits could be "integrated into phishing attacks, malicious emails and IMs."
Rains contended that switching browsers would not help. "Changing browsers won't mitigate this risk as most of the exploits used in such attacks aren't related to browsers," Rains said when he warned XP users to be careful on the Web.
While that's true — most attacks don't rely on browser vulnerabilities — Rain's advice was also disingenuous: Microsoft will stop serving security updates to Internet Explorer (IE), no matter what version, if the browser is on an XP system. Even IE8, which most XP users are now running, will not be patched even though it will be repaired on other editions, such as Vista and Windows 7, until 2017 and 2020, respectively.