
Philipitous

Are MS Updates for XP really necessary?

93 posts in this topic

I've seen comments about MS updates disabling mature systems and even a suggestion that there's a conspiracy at MS to render old XP systems unusable to encourage upgrades. So the following may help.

I recently made a fresh install of XP Home original SP3 slipstreamed and then set about a custom update on MS's site using the supplied IE6. I selected all but 3 of the critical updates (I didn't want Malicious SRT, IE8, and browser choice) and 3 non-critical (root certs, KB2492386, KB2808679). In due course, I restarted and went into MS updates once more to grab 2 that didn't take the first time. All this updating took less than an hour, not closely attended, and the system is stable. I conclude no conspiracy.

So while MS updates are available, I'll continue to update manually and selectively. If something goes wrong I have my system drive backed up.

But how necessary, really, are these updates on a 12-year-old OS that you would think by now had had most of the glitches removed?

One of the latest is this: "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

Published: Tuesday, July 09, 2013".

Problems with the kernel, sounds serious, but digging a little deeper we read: "The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files..." (my bold)

So if we can prevent remote access of shared content the threat is empty? I hope I'm right, because to me that seems achievable, and should be the basis of security now, and going forward from April 2014.

Edited by Philipitous

They make XP updates for hundreds of millions users, they can't afford to say "if you have doubts whether this update is important to you or not, give us a call".

Though they did call my sister last week to assist her installing updates (through remote control). :rolleyes: Fortunately she insisted she'd rather first ask me about it. They asked "but does your brother work for Microsoft?". :D


Who said "remote access"?

The KB talks of "user views".

Typically, someone sends you a "specially crafted" document of some kind embedding a special TrueType font that vectors the exploit (or sets up a website for it).

Read:

http://technet.microsoft.com/en-gb/security/bulletin/ms13-053

the part titled:

TrueType Font Parsing Vulnerability - CVE-2013-3129

Mitigating Factors

jaclaz


Who said "remote access"?

The KB talks of "user views".

Typically, someone sends you a "specially crafted" document of some kind embedding a special TrueType font that vectors the exploit (or sets up a website for it).

Read:

http://technet.microsoft.com/en-gb/security/bulletin/ms13-053

the part titled:

TrueType Font Parsing Vulnerability - CVE-2013-3129

Mitigating Factors

jaclaz

Thanks for that. I hadn't read that deep into the document, but doing so was certainly worth it.

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

There are still pages on the internet written by XP security gurus pre-SP3 insisting that automatic updates must be on and real-time virus protection installed. And new pages of doom appearing now telling us after April 2014 it will be open season on XP and our systems will die.

So folk sat there behind their paid-for Norton security, letting MS update their systems, and a few years later they find their computers are riddled with malware. I think my contention is that good security is about more than MS updates - which I'm certainly not against as my OP states.

Yes, okay, maybe I got it wrong about remote access in this case. OTOH, the document says: "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights", which sounds a lot like something to do with remote access to me. I'm an interested amateur, not an expert.

Edited by Philipitous
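A defender-side check of the workaround items discussed in the post above (WebClient service state, local TCP 139/445 listeners, XP firewall mode), written here as an added example and not code from the thread or from the Microsoft bulletin. It assumes Windows PowerShell 2.0 installed on XP SP3 and the built-in netstat and netsh; the "Operational mode" line of netsh output is an assumed format.

```powershell
# Added example, not code from the thread or the MS13-053 bulletin: report the state of
# the workaround items the thread discusses. Assumes Windows PowerShell 2.0 on XP SP3
# with the built-in netstat.exe and netsh.exe. It only reports; it changes nothing.

function Get-WebClientState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped);
    # Get-Service in PowerShell 2.0 does not expose the start mode, hence WMI.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($svc -eq $null) { return $null }
    New-Object PSObject -Property @{
        StartMode = $svc.StartMode
        State     = $svc.State
        Disabled  = (($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped'))
    }
}

function Get-SmbListeners {
    # Parse 'netstat -an' for local TCP listeners on 139 (NetBIOS session) and 445 (SMB).
    # This is the local view only: whether a remote host can reach a listener depends on
    # the XP firewall and the router, which is what the "ports closed" claim relies on.
    $found = @()
    foreach ($line in (netstat -an)) {
        if ($line -match '^\s*TCP\s+(\S+):(139|445)\s+\S+\s+LISTENING') {
            $found += ('{0}:{1}' -f $matches[1], $matches[2])
        }
    }
    return $found
}

function Get-XpFirewallMode {
    # Assumption: 'netsh firewall show state' on XP SP2/SP3 prints a line of the form
    # 'Operational mode = Enable' or '= Disable'. Return it, or a marker if absent.
    $lines = @(netsh firewall show state | Where-Object { $_ -match 'Operational mode' })
    if ($lines.Count -gt 0) { return ($lines[0] -replace '\s+', ' ').Trim() }
    return 'Operational mode line not found (netsh output format differs?)'
}

function Test-Ms13053Workarounds {
    $web = Get-WebClientState
    $smb = Get-SmbListeners
    New-Object PSObject -Property @{
        WebClientStartMode = $(if ($web) { $web.StartMode } else { 'not installed' })
        WebClientState     = $(if ($web) { $web.State } else { 'not installed' })
        # A service that is not installed cannot be started remotely, so count it as disabled.
        WebClientDisabled  = (($web -eq $null) -or $web.Disabled)
        SmbListeners       = $(if ($smb) { $smb -join ', ' } else { 'none' })
        Firewall           = Get-XpFirewallMode
    }
}

Test-Ms13053Workarounds | Format-List
```

As later posts in the thread point out, a clean report here covers only the file-sharing delivery path; a font rendered by a browser or document viewer is not affected by these settings.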

Generally speaking, there's no reason not to install them unless the update specifically causes problems in your system (for various reasons like the update being buggy itself or other programs having issues after installing it, etc.), especially if we're talking about a home computer.


OTOH, when MS stops issuing them, we'll manage without them all right... the most serious issues will end up fixed by unofficial patches for XP, in similar manner to what happens at the 2k and 9x/ME communities. And, with time, some capabilities expanded likewise, too.


So folk sat there behind their paid-for Norton security, letting MS update their systems, and a few years later they find their computers are riddled with malware.

That is IF the computer manages to boot again after the "combined effect" of MS updates and Norton :whistle:, there is actually nothing preventing (excluding some proper testing procedures) something like this from happening again:

http://www.msfn.org/board/topic/118290-sp3-registry-corruption-bandaid-solution/

Please consider how the above happened with a (long due) "full" Service Pack (i.e. giving all the time needed for proper checking) and not with the usual MS update, which might be issued quickly.

jaclaz

Edited by jaclaz

Sure. "It's only called paranoid when they actually AREN'T after you"... :ph34r: :ph34r:


Just like with everything, when upgrading/updating you might resolve security/bug issues but you might also encounter other issues.

As a side note, the systems most targeted by hackers/viruses/malware/etc. are always the most widespread, so using an OS too old or too new, or just rare but not much used and incompatible with the currently most widespread, is often enough security.

Edited by allen2
In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). All an attacker has to do is get you to visit a webpage where they control the text, so an XSS or other attack on a website you visit is enough.

They then control your system's core component, the kernel. That means they control your firewall too (this only requires administrative access), so they can open, close, bind ports however they want. A firewall will do nothing here. In fact any security at or above ring 0 will be completely bypassed.

The best solution here is a patch.

Edited by enxz
In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). All an attacker has to do is get you to visit a webpage where they control the text, so an XSS or other attack on a website you visit is enough.

They then control your system's core component, the kernel. That means they control your firewall too (this only requires administrative access), so they can open, close, bind ports however they want. A firewall will do nothing here. In fact any security at or above ring 0 will be completely bypassed.

The best solution here is a patch.

Mmm ... There's a lot of Vulnerability Information in connection with this potential exploit and I've looked again at all the "Mitigating Factors" and "Workarounds" which can be studied here: http://technet.microsoft.com/en-gb/security/bulletin/ms13-053.

I agree the best solution is a patch, but I also believe that all these "Vulnerabilities" (except one) are manageable with basic security - which if correct is the good news for those intending to use XP beyond April 2014, but certainly not a reason not to continue installing MS updates while available.

I'm surprised at the lack of interest in this topic. Where are those who contributed here - http://www.msfn.org/board/topic/162134-how-can-we-keep-xp-alive/

There is one recently-discovered vulnerability, that can't be mitigated, stemming from 20-year-old code! And quite an interesting article here: http://www.computerworld.com/s/article/9239477/Google_engineer_bashes_Microsoft_s_handling_of_security_researchers_discloses_Windows_zero_day

However, it looks tangential to the exploit under discussion as the article says "... the bug cannot be exploited remotely -- by sneaking attack code onto a compromised website, for example ... "

Edited by Philipitous

There's little else to be said, since that other thread was just mentioned.

But I'd like to stress one thing I said there, in any case:

[image: windows-8-market-share-small.jpg]

It's really quite difficult to ignore a ~38% minority... just because we're about 1/3 of all users. Simple like that! :)


Philipitous ... am in agreement with 5eraph when he says "Reading along with interest like me, I'd imagine." ... been reading as others are doing. Last December (2012) I started a topic in the XP forum ... "Installing New Windows XP Updates" and got some interesting replies. My thread is now back in history on Page 6 these days.

CharlotteTheHarlot posted a real nice reply that mentioned some interesting things:

CharlotteTheHarlot ... Posted 18 December 2012 - 06:57 AM

Purely out of chance, the machine I am on has evolved into the front-facing sacrificial lamb to the evil gods of internet malfeasance.

Windows Update is disabled. I haven't even manually run the update scan in over two years. It is of course behind a router. The Windows Firewall is running ( the XP inbound-only firewall ) but I'd bet I could even kill that without consequence. I am using Opera 99% of the time (version 11.something ), and Firefox for the odd pages and things that cause hiccups. MSIE is very rarely used. And here is the kicker ... It is an Administrator account. ~shudder~

There is no anti-virus ( except for on-demand scan of folders and drives now and then, not because I am infected, but for the odd client devices I am working with ). This computer visits the darkest, deepest and most dangerous corners of the web too. No bull. No drive-by scripts have ever compromised it. No local files have caused problems and believe me I test a whole lot of crap.

Try as I may, I cannot think of something that a critical Windows Update would need to fix as far as security that would affect anything positively. I would expect things might get broken by allowing Microsoft to just keep patching system files over and over again though. I always wondered how an ever-changing codebase can be considered "stable" but that's just me I guess. Anyway. I have always maintained that a properly configured Router + Opera is the first line of protection. It definitely works for me.

However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

If you have a spare computer ( or even a HDD with space for a clone of your OS ) just try it.

.........

my thread from Dec ... Installing New Windows XP Updates

http://www.msfn.org/board/topic/160578-installing-new-windows-xp-updates/

...


The only 4 "updates" I'd like to see are:

1. disable verclsid (yes, I know this can be bypassed manually)

2. disallow malware to easily install on/as the System account

3. detach IE, thus allowing it to be removed (leaving mshtml as it is, of course)

4. make a small generic SATA drivers pack

4.1 same for USB 3


Sure. "It's only called paranoid when they actually AREN'T after you"... :ph34r: :ph34r:

BUT IF they actually were after you, you would already have been pwned. :w00t:

WHY exactly do you think most exploits are called "zero-day" ? :unsure:

AFAICR all attempts to produce and sell the magazine "exploits monthly" ;) failed miserably :whistle:

By the time you publish (or patch) something you are already dead :ph34r:.

For NO apparent reason, a lolcat:

[image: ninja-cat-2_tackyraccoons.jpg]

jaclaz


but I also believe that all these "Vulnerabilities" (except one) are manageable with basic security

How?

If you want to run XP after 2014 accept that you won't be secure. If you run XP you're already not secure, but without patches any skiddy with metasploit will be able to tear your machine apart. You can fend off the most basic attacks with EMET, and you can force an attacker to use local escalation attacks with sandboxing, but neither of those raise the bar significantly on XP.


If you want to run XP after 2014 accept that you won't be secure. If you run XP you're already not secure, [...]

Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. Hardware firewalls at the router and responsible use, maybe coupled to an anti-virus, should be enough, most of the time. A good, up-to-date, off-line backup covers all other eventualities. Moreover, all the malware will sure be targeting 7+ machines, preferably those running x64.


CharlotteTheHarlot posted a real nice reply that mentioned some interesting things:

CharlotteTheHarlot ... Posted 18 December 2012 - 06:57 AM

Purely out of chance, the machine I am on has evolved into the front-facing sacrificial lamb to the evil gods of internet malfeasance.

Windows Update is disabled. I haven't even manually run the update scan in over two years. It is of course behind a router. The Windows Firewall is running ( the XP inbound-only firewall ) but I'd bet I could even kill that without consequence. I am using Opera 99% of the time (version 11.something ), and Firefox for the odd pages and things that cause hiccups. MSIE is very rarely used. And here is the kicker ... It is an Administrator account. ~shudder~

There is no anti-virus ( except for on-demand scan of folders and drives now and then, not because I am infected, but for the odd client devices I am working with ). This computer visits the darkest, deepest and most dangerous corners of the web too. No bull. No drive-by scripts have ever compromised it. No local files have caused problems and believe me I test a whole lot of crap.

Try as I may, I cannot think of something that a critical Windows Update would need to fix as far as security that would affect anything positively. I would expect things might get broken by allowing Microsoft to just keep patching system files over and over again though. I always wondered how an ever-changing codebase can be considered "stable" but that's just me I guess. Anyway. I have always maintained that a properly configured Router + Opera is the first line of protection. It definitely works for me.

However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

If you have a spare computer ( or even a HDD with space for a clone of your OS ) just try it.

I should clarify one thing in there, that bolded part.

This PC ( the one I am talking about in that quote ) is NOT connected to any internal network here. It is truly standalone, and files only get to and from other computers through classic sneakernet. It talks directly to a router that is the gateway to the Internet. In this particular scenario the Windows XP firewall can definitely be disabled ( I simply haven't because it is too much trouble with the balloon warnings and security center nagging ). The hardware firewall in the router when properly configured is more than adequate for security.

However, if you had a typical network of computers talking to each other and they also can access the Internet through a router, then the hardware firewall may be enough but it would be wise to have individual firewalls operational on each PC. This is for protection from a sibling computer on the network that somehow gets infected ( probably through operator error ). Naturally the software firewall needs some management to work in this scenario, you have to watch for exclusions which get inserted into the registry and open up vulnerabilities. It happens quickly from executing local files with malware payloads. But you always have to watch for this kind of thing anyway.

So I just want to be clear that when I suggest others try this they understand I am talking about isolating a standalone computer behind a router. And yes, absolutely no CPU killing antivirus, and no Windows updates except for specific ones for odd things that I go get by hand. It is easily do-able. The bulk of the Windows updates can be considered nothing more than placebos with respect to daily use.


Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. Hardware firewalls at the router and responsible use, maybe coupled to an anti-virus, should be enough, most of the time. A good, up-to-date, off-line backup covers all other eventualities. Moreover, all the malware will sure be targeting 7+ machines, preferably those running x64.

That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box? Not really.

8/8.1 are considerably more secure, not sure why you would believe XP is more secure.

Hardware firewalls are fine, but they're not really relevant. Your end system, the one taking in untrusted data (regardless of firewalls) is still vulnerable.

Malware targeting 7 will still work on XP. And attackers will certainly still attack XP users if the market share holds where it is, there's still a ton of money to be made, especially when it's such easy pickings.

If I'm an attacker I can go after the majority, 7 users. But that's sorta difficult. I could still attack XP boxes, take over a massive number of systems, and expend far less effort.


However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

In my experience when this happens, there is a THIRD ELEMENT that is missing, that is a sentient being between chair and keyboard. :whistle:

jaclaz


Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. [...]

That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box?

Sure I can! Most hackers means not all hackers. One single intruder gets into your machine and you're pwned. You cannot be positive no one'll ever be able to get into your machine, no matter what. Hence, in disagreeing with me you've just agreed with my point. Nobody is ever secure. No matter what.


At least XP wasn't included in PRISM control, therefore at least in that segment it is securer than Vista and above.


Sure I can! Most hackers means not all hackers. One single intruder gets into your machine and you're pwned. You cannot be positive no one'll ever be able to get into your machine, no matter what. Hence, in disagreeing with me you've just agreed with my point. Nobody is ever secure. No matter what.

Like I had said, it depends on how you define security. There is no '100%' secure; if you're dealing with the NSA directly targeting you, you can make things hard for them, but they will get in if they really want to. That doesn't mean a system is insecure, it just means that 100% security does not exist. I would say you have to define security by threats, and when the threat is any skiddy with metasploit, the box is not secure.

But we're talking about a massive difference of skill required. To hack an XP box requires little work, any RCE vulnerability in any browser, and a local kernel vulnerability. On Windows 8 you need RCE, an information leak, a kernel vulnerability, and another information leak. Not only do you need more vulnerabilities total, exploitation of them is more difficult.

Edited by enxz

Not really, there was an article last week (?)
on how MS first gives these agencies a list of vulnerabilities (privately), backdoor ones,

BEFORE they release hotfixes,

and these fixes can come... who knows when.

