Hacking in a World Without Windows XP
The 'Bliss' photograph that was the default desktop image for Windows XP.
This is the third story in a multipart series looking at the future of digital security.
To malicious hackers, the deeply flawed, sporadically patched security of Windows XP is the gift that keeps on giving, more than 10 years after the operating system was first released. But the user base for Windows XP is shrinking quickly as newer machines ship with Windows 7, and Microsoft plans to withdraw support for XP in 2014.
Will cybercriminals be able to keep up their lucrative activities by exploiting the tougher-to-crack Windows 7? Or will they move to another platform — possibly Android?
There's no question that Windows XP is losing ground, even if it's still got nearly half the world's user base. The first of this year saw it with a 46 percent global market share. Windows 7 has risen to a 37 percent share, while Vista trailed with 8 percent and Mac and Linux brought up the rear.
While migration from the limping OS to its flashy younger cousins isn't moving as fast as security experts might like, XP will be on the endangered species list soon enough, even if its utter extinction is still years away.
XP is notorious for its many security holes, patched but never thoroughly expunged by frequent updates flowing out of Microsoft headquarters. With Windows Vista, and especially with Windows 7, Microsoft has claimed that each offers tightened security, fewer holes and a generally safer user experience.
The company's progressively utopian PR campaign — ads for Vista and Windows 7 have featured pre-schoolers and other less savvy users painlessly surfing the Web and producing multimedia masterpieces — sounds to some like the promise of an inevitable disaster for the thriving underground industry of hackers, crackers and other cybercriminals.
But is that truly the hackers' death knell we hear, or is it just Microsoft blowing its own horn?
No operating system is impregnable
To be clear: Windows 7 is an excellent operating system. On its release, reviewers were mostly impressed. MaximumPC called it a "massive leap forward in usability, security, and support," and specifically called out security improvements as a major selling point for XP users trading up.
While specialists can argue back and forth over interface design and underlying functionality, few deny that Windows 7 is technologically superior to its predecessors.
However, when any software purveyor touts the airtight security of its latest product, experts know the other shoe will soon drop. It didn't take long after Windows 7's October 2009 release for key security holes to show up.
In 2010, HD Moore, chief security officer at Boston-based Rapid7, released information about a critical flaw affecting dozens of Windows 7 applications. In 2011, Jerry Bryant at the Microsoft Security Response Center revealed that the company was investigating "an elevation of privilege vulnerability that may reside in the Windows kernel."
But maybe we're asking the wrong question. Much as the average Internet surfer might wish otherwise, there's simply no such thing as airtight security. To boil it down, the safety of a modern operating system has less to do with how well-defended it is than with how many attacks target it.
A wider target
The very fact that Windows 7 will likely supplant XP as the world's most-used operating system tells us it will remain victim to a host of threats and invasions. It's short-sighted to blame Microsoft's troubles on operating-system vulnerabilities alone.
"XP has a wider installation base," explained Steve Santorelli, formerly with Scotland Yard's Computer Crime Unit and now a member of Lake Mary, Fla.-based Team Cymru Research NFP.
"If you've got a limited R&D budget," Santorelli said, referring to digital villains, "you want a maximum return on your investment. So you're going to put it where you get the maximum install base."
In some ways, strong security is the result of the prevalence of security threats. Hackers follow the data, and have little motivation to poke at security holes in less popular or valuable venues. Meanwhile, security that is rarely under fire improves slowly, if at all. (If Apple's success spreads beyond the consumer-device market and into the enterprise, Mac users will quickly discover just how easily their systems can be taken down.)
Hackers don't find the flaws in a system because there are more flaws; they find the flaws in a system because they're looking for the flaws. This is the simple, honest explanation for the comparative scarcity of malware on mobile operating systems such as Apple's iOS or Google's Android — but that may change soon.
"There's already a significant upsurge in discussion [regarding mobile devices] amongst the underground economy," Santorelli reports. "You go where the money is. People are starting to do their tax returns on their tablet devices; they're trying to log in to their Bank of America accounts using their Android apps."
But, Santorelli said, the bad guys still make a fortune focusing on Windows, with its massive market share.
"There's no need for them to suddenly drop everything and move into mobile malware," he said. "But there's definitely interest."
The weak spot is you
The brunt of responsibility falls on those most invested in the security and, in many cases, least prepared to take it on.
"More often than not, the greatest weakness in a system isn't the security flaws, but the user," said Chet Wisniewski, senior security advisor in the Vancouver, B.C. office of British security firm Sophos. "Attackers are using social engineering more and more as their ticket to entry."
Wisniewski provides evidence from Microsoft's latest security intelligence report: 45 percent of active infections were the result of "user interaction."
No single operating system will ever put the final nail in cybercrime's coffin, and cybercriminals have no reason to change horses until they've ridden the Microsoft stallion into the ground. Windows 7 remains a vulnerable and, more importantly, tempting target. That puts users in the line of fire, and demands more responsible and cautious behavior from them.
Infection resulting from negligent habits "can happen on [Mac] OS X, Linux, Android, iOS or nearly any other platform you can imagine," Wisniewski reminded users.
Santorelli invokes the Golden Rules of computer use: Keep your anti-virus software updated, your firewall maintained and your passwords strong and secure, and be careful what you click on. Those are guidelines we sometimes take as gospel, but which many users rarely follow completely.
There's just no getting around it: If you've got the shiniest, most popular gun in the West, then you're the one the black hats will come gunning for. Whether it's Windows or Mac, don't count on your gun alone — keep it locked and loaded, and watch your back.
Other stories in this series: