Just when you thought August was a slow news month, along came Tim Rains’ blog last week, in which he called the day after April 8, 2014, when extended support for Windows XP terminates, as the “endless zero day.” His comments were picked up by several news outlets, including Mary Jo Foley, EyeOnWindows (formerly Windows 8 Update) and Redmond Channel Partner magazine. So I reached out to Rains to get the story behind the stories.
At a strategic level, Rains’ blog represents a facet of the “rolling thunder” campaign being launched right now by Microsoft Redmond to amplify the April 8, 2014 deadline for the extended support of Windows XP, Office 2003 and nearly anything Server03. Over the next 250+ days, you will witness a wave of thought leadership and op-ed pieces coming from program managers inside Microsoft Redmond. Hang on tight, as this core messaging competes for the hearts and minds of the IT community. My noise meter is turned on and already calculating the signal-to-noise ratio!
The goal of my visit with Rains was to take a different direction than the above industry coverage that pivoted off Rains’ original blog. The idea of security risks after Windows XP support ends is apparent, but as you’ll see in my video, Rains drills down on Data Execution Protection (DEP) that was introduced in Windows XP Service Pack 2 (SP2). Essentially DEP was introduced as yet another “chess move” in the hacker game. That is, as the bad guys discover and exploit vulnerabilities, Microsoft issues patches. The problem is that today, and certainly after April 8, 2014, exploits will increasingly rely on techniques that can be used to bypass DEP and Address Space Layout Randomization (ASLR). And don’t forget that Remote Code Execution (RCE) vulnerabilities are often the most severe.
So that’s my take on my geek moment with Tim Rains.