Under-the-radar attacks could be executing even now, said Storms, who contended that the most likely use of unpatched Windows XP vulnerabilities would be against what he called "high-value targets," the kind in the crosshairs of very focused, limited attacks that are aimed at specific corporations and government agencies. All it takes for a successful infiltration of a network is one careless click by one employee tricked by a well-crafted email.
"But the thing is that the available market of high-value [Windows XP] targets is quickly dwindling and has been dwindling for years," said Storms. "I'll put money on the news headline that says a big XP zero day has been released. But let's be smart here: It's not going to be immensely impactful like Code Red, the Morris worm or Conficker."
Some of Storms' examples did significant damage, spread promiscuously or were resistant to eradication. 2008's Conficker, for example, was still infecting millions of Windows PCs years after its debut.
Such massively disruptive malware has become a thing of the past. Still, some have used the same examples as Storms when wondering aloud what Microsoft might do, after Windows XP was retired, if something similar hit the Internet. Would Microsoft retract its promise, and patch the flaw?
No one knows.
Storms had another good point: Windows XP is steadily diminishing as an attractive target simply because, although it still powers about a fourth of all personal computers, its share is shrinking.
In the last 12 months, XP has dropped 12.5 percentage points, shedding 33% of the user share it held in May 2013, according to analytics firm Net Applications. If Windows XP continues to lose user share at its current tempo, it will be powering less than 10% of all personal computers a year from now.
Cross your fingers that nothing happens in the meantime.