By switching to a non-Microsoft browser, Windows XP users can halve the number of vulnerabilities that apply to the OS, according to a survey of flaws Microsoft fixed in the second half of 2013.
The statistics support the advice from security professionals, who have recommended users run a rival browser to avoid some of the attacks aimed at their unprotected PCs.
Microsoft stopped sending patches to Windows XP PCs last month. The ban also applies to any version of IE that runs on the aged operating system. But a tally of Windows and IE vulnerabilities patched from July to December 2013 shows that the browser poses a greater security risk to XP bitter-enders than does the OS itself.
During the six-month stretch, Microsoft patched 19 separate critical vulnerabilities in the versions of IE -- IE6, IE7 and IE8 -- that run on Windows XP. "Critical" is Microsoft's most-serious threat label, and indicates that hackers who successfully exploit such bugs can probably compromise the PC and plant malware on its drive.
In the same period, Microsoft patched 16 critical vulnerabilities in Windows XP. All but one were also patched in Windows 7, Windows 8, or both, at the same time as in Windows XP.
That last line is important.
Security experts, including those at Microsoft, have predicted that hackers will analyze the patches provided for other versions of the operating system to find flaws in XP. By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in, say, Windows 7, which will be patched, then sniff around the same part of XP's code until they discover the bug there. From that point, it will be relatively straightforward for them to craft an exploit and use it against unprotected XP PCs.
"After April, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Dustin Childs, director of Microsoft's Trustworthy Computing group, in an October 2013 blog. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."
Of the 16 critical Windows XP flaws fixed in the second half of 2013, 14 were also patched in Windows 7 and Windows 8, one was also addressed only in Windows 7, and one was found only in Windows XP. In other words, 15 of the vulnerabilities fit Microsoft's criteria as reverse-engineerable.
Cybercriminals will have an easier time locating bugs in IE, as IE6, IE7 and IE8 will continue to be patched on other flavors of Windows. Even IE6, which shipped before Windows XP, will be patched until July 2015, when Windows Server 2003 retires.
Hackers can apply the same code-comparison techniques to the IE patches to create exploits for the browser on XP.
For those keeping score, that's 19 IE vulnerabilities and 15 Windows XP bugs with reverse engineering potential. Put another way, eliminating IE from the XP scenario would have reduced the attack surface by 57% last year.
Microsoft doesn't see it that way.