Hackers May Cash in When XP is Retired
Hackers may bank their Windows XP zero-day exploits and cash them in after Microsoft stops patching the aged operating system next April.
Mon, August 26, 2013
Computerworld — Hackers could find themselves in the catbird seat on April 8, 2014 -- the day Microsoft plans to stop patching Windows XP. As security expert Jason Fossen sees it, those who have zero-day exploits for XP will bank them until that day and then sell them to crooks or loose them themselves on unprotected PCs.
It's simply economics at work, said Fossen, a trainer for the SANS Institute since 1998.
"The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft's response," said Fossen. When a new vulnerability -- dubbed a "zero-day" -- is detected, Microsoft investigates, pulls together a patch and releases it to XP users.
But the price will go up when Microsoft stops patching its aged operating system.
Fossen acknowledged that there really aren't any precedents to back up his speculation, because the last time Microsoft retired an operating system was in July 2010, when it pulled the plug on Windows 2000, which wasn't nearly as widely used as XP is.
Computerworld has projected that Windows XP will still run 33% to 34% of the world's PCs at the end of April 2014.
HD Moore, creator of the popular Metasploit penetration testing toolkit and chief security officer at security company Rapid7, agreed that XP hacks would become more valuable after the operating system's retirement in April 2014, but he contended that all Windows vulnerabilities would jump in value at that time.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.