Does it matter? An attacker has to know about a vulnerability to use it. Unless there's some reason that security researchers would be more focused on vulnerabilities in new systems than attackers are, or something like that.
This totally ignores the concept of "zero-days", vulnerabilities discovered that are only known by bad actors or known but not patched yet.
This is very common, and these vulnerabilities are sold for a lot of money and the buyers make sure to protect their investment as long as possible. Of course that also means they go exclusively for high-value targets which means end users are most likely fine (see Pegasus as an example). But that's not the same as being actually secure.
Either Windows XP has no vulnerabilities left and we should all immediately start using it or it has lingering vulnerabilities and they simply aren't noticed by more recent projects like Google Project Zero.
> This totally ignores the concept of "zero-days", vulnerabilities discovered that are only known by bad actors or known but not patched yet.
I'm not ignoring them, I'm just assuming that vulnerabilities discovered by bad actors will follow more or less the same distribution as those found by security researchers.
I would assume that security researchers and most attackers go after what the general public has. But I wonder, are there still a bunch of old industrial/medical machines running XP?
Now I have the mental image of some intelligence guy working on a “get into our geopolitical rivals’ grid in case there’s a war and we need to cause a blackout” discovering the author of the post.
Maybe he will meet up with some friends in “assorted fraud” industry at the local after work watering hole and they can nostalgically steal the post author’s bitcoins together. Hacking an XP machine might trigger a midlife crisis though.
I'd be amazed if there aren't still a number of Win2k or older machines in industrial settings. Until a few weeks ago I was using an Imagesetter at work which had a Windows Server 2003 machine running its RIP software. (Apparently it's just about possible to massage the custom PCI card's driver into working on Windows 7 - but it's easier just to use the intended OS.)
Just the other day I found myself capturing a Vista machine into a VM just to preserve some perpetually-licensed software that we can't ever install again because the activation server's gone away.
There is a good chance that all or most of the exploits found in modern Windows actually work on Windows XP, but the reporters did not test for it as no one uses XP.
Someone looking to hack the last remaining XP machines would just scroll down the list of new exploits and test them out.