
Are MS Updates for XP really necessary?


92 replies to this topic

#1
Philipitous
  • Member
  • 3 posts
  • Joined 20-July 13
  • OS:XP Home

I've seen comments about MS updates disabling mature systems and even a suggestion that there's a conspiracy at MS to render old XP systems unusable to encourage upgrades. So the following may help.

 

I recently made a fresh install of XP Home original SP3 slipstreamed and then set about a custom update on MS's site using the supplied IE6 . I selected all but 3 of the critical updates (I didn't want Malicious SRT, IE8, and browser choice) and 3 non-critical (root certs, KB2492386, KB2808679). In due course, I restarted and went into MS updates once more to grab 2 that didn't take first time. All this updating took less than an hour, not closely attended, and the system is stable. I conclude no conspiracy.

 

So while MS updates are available, I'll continue to update manually and selectively. If something goes wrong I have my system drive backed up.

 

But how necessary, really, are these updates on a 12-year-old OS that you would think by now had had most of the glitches removed?

 

One of the latest is this: "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

Published: Tuesday, July 09, 2013".

 

Problems with the kernel, sounds serious, but digging a little deeper we read: "The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files..." (my bold)

 

So if we can prevent remote access of shared content the threat is empty? I hope I'm right, because to me that seems achievable, and should be the basis of security now, and going forward from April 2014.


Edited by Philipitous, 24 July 2013 - 04:28 AM.




#2
Ponch

    MSFN Junkie

  • Patrons
  • 3,304 posts
  • Joined 23-November 05
  • OS:none specified

They make XP updates for hundreds of millions users, they can't afford to say "if you have doubts whether this update is important to you or not, give us a call".

Though they did call my sister last week to assist her installing updates (through remote control). :rolleyes:  Fortunately she insisted she'd rather first ask me about it. They asked "but does your brother work for Microsoft?". :D



#3
jaclaz

    The Finder

  • Developer
  • 14,647 posts
  • Joined 23-July 04
  • OS:none specified

Who said "remote access"?

The KB talks of "user views".

Typically, someone sends you a "specially crafted" document of some kind embedding a special True Type font that vectors the exploit (or sets up a website for it).

Read:

http://technet.micro...lletin/ms13-053

the part titled:

TrueType Font Parsing Vulnerability - CVE-2013-3129

Mitigating Factors

 

jaclaz



#4
Philipitous
  • Member
  • 3 posts
  • Joined 20-July 13
  • OS:XP Home

Who said "remote access"?

The KB talks of "user views".

Typically, someone sends you a "specially crafted" document of some kind embedding a special True Type font that vectors the exploit (or sets up a website for it).

Read:

http://technet.micro...lletin/ms13-053

the part titled:

TrueType Font Parsing Vulnerability - CVE-2013-3129

Mitigating Factors

 

jaclaz

Thanks for that. I hadn't read that deep into the document, but doing so was certainly worth it.

 

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

 

There are still pages on the internet written by XP security gurus pre-SP3 insisting that automatic updates must be on and real-time virus protection installed. And new pages of doom are appearing now, telling us that after April 2014 it will be open season on XP and our systems will die.

 

So folk sat there behind their paid-for Norton security, letting MS update their systems, and a few years later they find their computers are riddled with malware. I think my contention is that good security is about more than MS updates - which I'm certainly not against as my OP states.

 

Yes, okay, maybe I got it wrong about remote access in this case. OTOH, the document says: "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights", which sounds a lot like something to do with remote access to me. I'm an interested amateur, not an expert.


Edited by Philipitous, 24 July 2013 - 08:32 AM.
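As an added check, not something any poster wrote, here is a small batch script for verifying on the XP box itself whether the two MS13-053 workarounds quoted above (WebClient disabled, TCP 139/445 not reachable) are actually in place. It assumes the stock XP SP2+ Windows Firewall and the standard sc, netsh and netstat tools.

```batch
@echo off
rem Added example, not from any post in this thread: report whether the two
rem MS13-053 workarounds (WebClient disabled, TCP 139/445 blocked) are in
rem place on this XP machine. Assumes the stock XP SP2+ Windows Firewall and
rem the standard sc, netsh and netstat command-line tools.

echo === WebClient service ===
rem START_TYPE 4 = DISABLED; anything else means the service can still start.
sc qc WebClient | find "START_TYPE"
sc query WebClient | find "STATE"

echo.
echo === Windows Firewall ===
rem "Operational mode = Enable" means the firewall is on at all.
netsh firewall show state | find /i "Operational mode"
rem File and Printer Sharing is the exception that opens 139/445 inbound.
netsh firewall show service | find /i "File and Printer Sharing"

echo.
echo === Explicit port exceptions for 139 or 445 ===
netsh firewall show portopening | findstr /r /c:"\<139\>" /c:"\<445\>"
if errorlevel 1 echo No explicit exception for port 139 or 445.

echo.
echo === Sockets listening on 139/445 ===
rem A listening socket is harmless only if the firewall blocks it from outside.
netstat -an -p tcp | findstr /r /c:":139 .*LISTENING" /c:":445 .*LISTENING"
if errorlevel 1 echo Nothing listening on TCP 139 or 445.
```

The script only reports configuration; whether these workarounds are sufficient against the font-parsing bug is argued later in the thread.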


#5
tomasz86

    www.windows2000.tk

  • Member
  • 2,525 posts
  • Joined 27-November 10
  • OS:none specified

Generally speaking, there's no reason not to install them unless the update specifically causes problems in your system (for various reasons like the update being buggy itself or other programs having issues after installing it, etc.), especially if we're talking about a home computer.



#6
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,013 posts
  • Joined 07-April 07
  • OS:98SE

Donator

OTOH, when MS stops issuing them, we'll manage without them all right... the most serious issues will end up fixed by unofficial patches for XP, in similar manner to what happens at the 2k and 9x/ME communities. And, with time, some capabilities expanded likewise, too.



#7
jaclaz

    The Finder

  • Developer
  • 14,647 posts
  • Joined 23-July 04
  • OS:none specified

So folk sat there behind their paid-for Norton security, letting MS update their systems, and a few years later they find their computers are riddled with malware. 

 

That is IF the computer manages to boot again after the "combined effect" of MS updates and Norton. :whistle: There is actually nothing preventing (excluding some proper testing procedures) something like this from happening again:

http://www.msfn.org/...ndaid-solution/

Please consider how the above happened with a (long due) "full" Service Pack (i.e. giving all the time needed for proper checking) and not with the usual MS update, which might be issued quickly.

 

jaclaz


Edited by jaclaz, 24 July 2013 - 10:49 AM.


#8
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,013 posts
  • Joined 07-April 07
  • OS:98SE

Donator

Sure. "It's only called paranoid when they actually AREN'T after you"... :ph34r: :ph34r:



#9
allen2

    Not really Newbie

  • Member
  • 1,814 posts
  • Joined 13-January 06

Just like with everything when upgrading/updating you might resolve security/bugs issues but you might also encounter other issues.

As a side note, the systems most targeted by hackers/viruses/malware/etc. are always the most widespread, so using an OS that is too old or too new, or just rare, not much used and incompatible with the currently most widespread one, is often enough security.


Edited by allen2, 24 July 2013 - 02:09 PM.


#10
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

 

You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). All an attacker has to do is get you to visit a webpage where they control the text, so an XSS or other attack on a website you visit is enough.

 

They then control your system's core component, the kernel. That means they control your firewall too (this only requires administrative access), so they can open, close, or bind ports however they want. A firewall will do nothing here. In fact, any security at or above ring 0 will be completely bypassed.

 

The best solution here is a patch.


Edited by enxz, 25 July 2013 - 11:26 AM.


#11
Philipitous
  • Member
  • 3 posts
  • Joined 20-July 13
  • OS:XP Home

 

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

 

You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). All an attacker has to do is get you to visit a webpage where they control the text, so an XSS or other attack on a website you visit is enough.

 

They then control your system's core component, the kernel. That means they control your firewall too (this only requires administrative access), so they can open, close, or bind ports however they want. A firewall will do nothing here. In fact, any security at or above ring 0 will be completely bypassed.

 

The best solution here is a patch.

 

 

Mmm ... There's a lot of Vulnerability Information in connection with this potential exploit and I've looked again at all the "Mitigating Factors" and "Workarounds" which can be studied here: http://technet.micro...lletin/ms13-053.

 

I agree the best solution is a patch, but I also believe that all these "Vulnerabilities" (except one) are manageable with basic security - which if correct is the good news for those intending to use XP beyond April 2014, but certainly not a reason not to continue installing MS updates while available.

 

I'm surprised at the lack of interest in this topic. Where are those who contributed here - http://www.msfn.org/...-keep-xp-alive/

 

There is one recently-discovered vulnerability, which can't be mitigated, stemming from 20-year-old code! And quite an interesting article here: http://www.computerw...indows_zero_day

 

However, it looks tangential to the exploit under discussion as the article says "... the bug cannot be exploited remotely -- by sneaking attack code onto a compromised website, for example ... "


Edited by Philipitous, 25 July 2013 - 10:21 PM.


#12
5eraph

    Update Packrat

  • MSFN Sponsor
  • 1,164 posts
  • Joined 04-July 05
  • OS:XP Pro x64

Donator

I'm surprised at the lack of interest in this topic. Where are those who contributed here - http://www.msfn.org/...-keep-xp-alive/


Reading along with interest like me, I'd imagine. ;)

#13
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,013 posts
  • Joined 07-April 07
  • OS:98SE

Donator

There's little else to be said, since that other thread was just mentioned.

But I'd like to stress one thing I said there, in any case:
 

[image: windows-8-market-share-small.jpg]

 

It's really quite difficult to ignore a ~38% minority... just because we're about 1/3 of all users. Simple like that! :)



#14
monroe

    Friend of MSFN

  • MSFN Sponsor
  • 946 posts
  • Joined 21-May 07
  • OS:XP Pro x86

Donator

Philipitous ... am in agreement with 5eraph when he says "Reading along with interest like me, I'd imagine." ... been reading as others are doing. Last December (2012) I started a topic in the XP forum ...   "Installing New Windows XP Updates" and got some interesting replies. My thread is now back in history on Page 6 these days.

 

CharlotteTheHarlot  posted a real nice reply that mentioned some interesting things:

 

CharlotteTheHarlot ... Posted 18 December 2012 - 06:57 AM

 

Purely out of chance, the machine I am on has evolved into the front-facing sacrificial lamb to the evil gods of internet malfeasance.

 

Windows Update is disabled. I haven't even manually run the update scan in over two years. It is of course behind a router. The Windows Firewall is running ( the XP inbound-only firewall ) but I'd bet I could even kill that without consequence. I am using Opera 99% of the time (version 11.something ), and Firefox for the odd pages and things that cause hiccups. MSIE is very rarely used. And here is the kicker ... It is an Administrator account. ~shudder~

 

There is no anti-virus ( except for on-demand scan of folders and drives now and then, not because I am infected, but for the odd client devices I am working with ). This computer visits the darkest, deepest and most dangerous corners of the web too. No bull. No drive-by scripts have ever compromised it. No local files have caused problems and believe me I test a whole lot of crap.

 

Try as I may, I cannot think of something that a critical Windows Update would need to fix as far as security that would affect anything positively. I would expect things might get broken by allowing Microsoft to just keep patching system files over and over again though. I always wondered how an ever-changing codebase can be considered "stable" but that's just me I guess. Anyway. I have always maintained that a properly configured Router + Opera is the first line of protection. It definitely works for me.

 

However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

 

If you have a spare computer ( or even a HDD with space for a clone of your OS ) just try it.

 

.........

 

my thread from Dec ... Installing New Windows XP Updates

 

http://www.msfn.org/...ows-xp-updates/

...

 



#15
vinifera

    <°)))><

  • Member
  • 971 posts
  • Joined 27-August 09
  • OS:Windows 7 x86

the only 4 "updates" I'd like to see are

 

1. disable verclsid (yes, I know this can be bypassed manually)

2. disallow malware from easily installing on/as the System account

3. detach IE, thus allowing it to be removed (leaving mshtml as it is, of course)

4. make a small generic SATA driver pack

4.1 same for USB 3


If you want true Windows user experience
try Longhorn builds: 3718, 4029, 4066

#16
jaclaz

    The Finder

  • Developer
  • 14,647 posts
  • Joined 23-July 04
  • OS:none specified

Sure. "It's only called paranoid when they actually AREN'T after you"... :ph34r: :ph34r:

BUT IF they actually were after you, you would already have been pwned.  :w00t:

 

WHY exactly do you think most exploits are called "zero-day" ? :unsure:

 

AFAICR all attempts to produce and sell the magazine "exploits monthly" ;)  failed miserably  :whistle:

By the time you publish (or patch) something you are already dead :ph34r:.

 

For NO apparent reason, a lolcat:

 


jaclaz



#17
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

 

but I also believe that all these "Vulnerabilities" (except one) are manageable with basic security

How?

 

If you want to run XP after 2014, accept that you won't be secure. If you run XP you're already not secure, but without patches any skiddy with metasploit will be able to tear your machine apart. You can fend off the most basic attacks with EMET, and you can force an attacker to use local escalation attacks with sandboxing, but neither of those raise the bar significantly on XP.



#18
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,013 posts
  • Joined 07-April 07
  • OS:98SE

Donator

If you want to run XP after 2014 accept that you won't be secure. If you run XP you're already not secure, [...]


Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. Hardware firewalls at the router and responsible use, maybe coupled to an anti-virus, should be enough, most of the time. A good, up-to-date, off-line backup covers all other eventualities. Moreover, all the malware will sure be targeting 7+ machines, preferably those running x64.

#19
CharlotteTheHarlot

    MSFN Master

  • Member
  • 2,054 posts
  • Joined 24-September 07
  • OS:none specified

CharlotteTheHarlot  posted a real nice reply that mentioned some interesting things:
 

CharlotteTheHarlot ... Posted 18 December 2012 - 06:57 AM
 
Purely out of chance, the machine I am on has evolved into the front-facing sacrificial lamb to the evil gods of internet malfeasance.
 
Windows Update is disabled. I haven't even manually run the update scan in over two years. It is of course behind a router. The Windows Firewall is running ( the XP inbound-only firewall ) but I'd bet I could even kill that without consequence. I am using Opera 99% of the time (version 11.something ), and Firefox for the odd pages and things that cause hiccups. MSIE is very rarely used. And here is the kicker ... It is an Administrator account. ~shudder~
 
There is no anti-virus ( except for on-demand scan of folders and drives now and then, not because I am infected, but for the odd client devices I am working with ). This computer visits the darkest, deepest and most dangerous corners of the web too. No bull. No drive-by scripts have ever compromised it. No local files have caused problems and believe me I test a whole lot of crap.
 
Try as I may, I cannot think of something that a critical Windows Update would need to fix as far as security that would affect anything positively. I would expect things might get broken by allowing Microsoft to just keep patching system files over and over again though. I always wondered how an ever-changing codebase can be considered "stable" but that's just me I guess. Anyway. I have always maintained that a properly configured Router + Opera is the first line of protection. It definitely works for me.
 
However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.
 
If you have a spare computer ( or even a HDD with space for a clone of your OS ) just try it.


I should clarify one thing in there, that bolded part.

This PC ( the one I am talking about in that quote ) is NOT connected to any internal network here. It is truly standalone, and files only get to and from other computers through classic sneakernet. It talks directly to a router that is the gateway to the Internet. In this particular scenario the Windows XP firewall can definitely be disabled ( I simply haven't because it is too much trouble with the balloon warnings and security center nagging ). The hardware firewall in the router when properly configured is more than adequate for security.

However, if you had a typical network of computers talking to each other and they also can access the Internet through a router, then the hardware firewall may be enough but it would be wise to have individual firewalls operational on each PC. This is for protection from a sibling computer on the network that somehow gets infected ( probably through operator error ). Naturally the software firewall needs some management to work in this scenario, you have to watch for exclusions which get inserted into the registry and open up vulnerabilities. It happens quickly from executing local files with malware payloads. But you always have to watch for this kind of thing anyway.

So I just want to be clear that when I suggest others try this they understand I am talking about isolating a standalone computer behind a router. And yes, absolutely no CPU killing antivirus, and no Windows updates except for specific ones for odd things that I go get by hand. It is easily do-able. The bulk of the Windows updates can be considered nothing more than placebos with respect to daily use.

... Let him who hath understanding reckon the Number Of The Beast ...


#20
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

 

Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. Hardware firewalls at the router and responsible use, maybe coupled to an anti-virus, should be enough, most of the time. A good, up-to-date, off-line backup covers all other eventualities. Moreover, all the malware will sure be targeting 7+ machines, preferably those running x64.

That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box? Not really.

 

8/8.1 are considerably more secure, not sure why you would believe XP is more secure.

 

Hardware firewalls are fine, but they're not really relevant. Your end system, the one taking in untrusted data (regardless of firewalls) is still vulnerable.

 

 

Malware targeting 7 will still work on XP. And attackers will certainly still attack XP users if the market share holds where it is, there's still a ton of money to be made, especially when it's such easy pickings.

 

If I'm an attacker I can go after the majority, 7 users. But that's sorta difficult. I could still attack XP boxes, take over a massive number of systems, and expend far less effort.



#21
jaclaz

    The Finder

  • Developer
  • 14,647 posts
  • Joined 23-July 04
  • OS:none specified

However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

In my experience when this happens, there is a THIRD ELEMENT that is missing, that is a sentient being between chair and keyboard. :whistle:

 

jaclaz



#22
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 6,013 posts
  • Joined 07-April 07
  • OS:98SE

Donator

Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. [...]


That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box?

Sure I can! Most hackers means not all hackers. One single intruder gets into your machine and you're pwned. You cannot be positive no one'll ever be able to get into your machine, no matter what. Hence, in disagreeing with me you've just agreed with my point. Nobody is ever secure. No matter what.

#23
vinifera

    <°)))><

  • Member
  • 971 posts
  • Joined 27-August 09
  • OS:Windows 7 x86

At least XP wasn't included in PRISM control, therefore at least in that segment it is securer than Vista and above.



#24
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

 

Sure I can! Most hackers means not all hackers. One single intruder gets into your machine and you're pwned. You cannot be positive no one'll ever be able to get into your machine, no matter what. Hence, in disagreeing with me you've just agreed with my point. Nobody is ever secure. No matter what.

Like I had said, it depends on how you define security. There is no '100%' secure; if you're dealing with the NSA directly targeting you, you can make things hard for them, but they will get in if they really want to. That doesn't mean a system is insecure, it just means that 100% security does not exist. I would say you have to define security by threats, and when the threat is any skiddy with metasploit, the box is not secure.

 

 

But we're talking about a massive difference of skill required. To hack an XP box requires little work, any RCE vulnerability in any browser, and a local kernel vulnerability. On Windows 8 you need RCE, an information leak, a kernel vulnerability, and another information leak. Not only do you need more vulnerabilities total, exploitation of them is more difficult.


Edited by enxz, 29 July 2013 - 02:14 PM.


#25
vinifera

    <°)))><

  • Member
  • 971 posts
  • Joined 27-August 09
  • OS:Windows 7 x86

not really, there was an article last week (?)
about how MS first gives these agencies a list of vulnerabilities (privately), backdoor ones,

BEFORE they release hotfixes

 

and these fixes can come... who knows when





