



Are MS Updates for XP really necessary?


92 replies to this topic

#26
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

That's very common, even Linux does that. If there's a critical vulnerability you make sure that companies/ governments can patch it ASAP. The issue is that, sometimes, the patch can be reversed and exploit code can be developed before they release the patch to the mainstream.

 

It's dangerous but not outright malicious. These also aren't backdoors as they're not intentional vulnerabilities, they're discovered vulnerabilities.

 

But if you consider backdoors to be a threat you should consider all Windows systems invalid, don't think that the NSA and Microsoft have only been working together recently. They've had a relationship for years.





#27
CharlotteTheHarlot

    MSFN Master

  • Member
  • 2,054 posts
  • Joined 24-September 07
  • OS:none specified

That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box? Not really.

 
Yes, I can say it and do say it. Patched or unpatched the most significant variables here are where the computer sits in the network, who sits in front of it, and what they do when they sit there. Staying away from MSIE also helps significantly as does disabling remote access. Everything else factors in much later and lower in priority. You will have to get a little more specific and identify the exact "patch" for XP that trumps any of these factors.
 

8/8.1 are considerably more secure, not sure why you would believe XP is more secure.

 
Since you named "8/8.1" and used the phrase "considerably more secure", can you explain how its security is increased over say 7 or 7(sp1) ? It will have to be mega-gigantically more secure to even make a dent in the flourishing infection rate on those Windows 7 systems. Note that the inclusion of MSE out of the box does not count as a security boost because it still needs to get the latest signature update anyway as soon as 8/8.1 is installed. The only thing it saves is the initial download of the engine and this is a tiny download every tech keeps on a stick anyway.
 

Hardware firewalls are fine, but they're not really relevant. Your end system, the one taking in untrusted data (regardless of firewalls) is still vulnerable.


Wait, "not really relevant" ? Sorry, but this is incorrect. Hardware firewalls are everything when talking about home PC's on broadband. And history backs this conclusion as the proliferation of NAT routers ( thanks mostly to so many people getting laptops ) served to lock down many homes from port scanning attacks that were popular in the dawn of the broadband era before Windows shipped with any software firewall. Throwing away most incoming packets is the first line of defense because they never even arrive at the computer in the first place. It is why my software firewall logs are always empty.
 

Malware targeting 7 will still work on XP. And attackers will certainly still attack XP users if the market share holds where it is, there's still a ton of money to be made, especially when it's such easy pickings.


If you rephrase that to say "... attackers will certainly still attack Windows users using MSIE without a hardware firewall ..." then I'm right with you. Well, except for the money part. The money collection scams are almost always socially engineered to rope in n00bs that believe the silly dialog in their browser telling them that their system needs to be sped up or is now locked down by the FBI. These are the same silly n00bs that are likely to not have a router in the first place, or if they do will have it misconfigured from some quick-setup utility or have ports open so their son in the basement can use torrents all night long. Don't worry, these people will seamlessly morph into MetroTards later and if Windows 8 survives and supplants Windows 7 it will become just as infected because it is designed for uber-n00bs.

It almost sounds to me like what you're saying here is that 8/8.1 is like magic for home user protection ( "considerably more secure" ), but even Microsoft would never ever go that far. The hardware firewall in a NAT router is the main ingredient, it needs to be standing between your PC and the physical ISP connection ( the Cable/FIOS/DSL modem ). Common sense and the other things I mentioned like not using MSIE, remote access come next.

So let's just cut to the chase here. What would be safer: using Windows 8.x in a restricted account with its software firewall and CPU hogging antivirus and updated security magic connected directly to the ISP modem ( like so many n00bs are doing ), or bare naked Windows XP as administrator with no antivirus behind a router ( patched or unpatched, software firewall or not )?

The answer to that question is not what is being fed to the Sheeple.

... Let him who hath understanding reckon the Number Of The Beast ...


#28
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

 

You will have to get a little more specific and identify the exact "patch" for XP that trumps any of these factors.

I could get specific, I suppose. But specific CVE's aren't important. Any remote kernel exploit will quite obviously bypass everything other than hardware based security. Any local kernel exploit combined with RCE in a program such as a browser will bypass your NAT/ network Firewalls, and provide full system control regardless of sandboxing.

 

 

Since you named "8/8.1" and used the phrase "considerably more secure", can you explain how its security is increased over say 7 or 7(sp1) ? It will have to be mega-gigantically more secure to even make a dent in the flourishing infection rate on those Windows 7 systems. Note that the inclusion of MSE out of the box does not count as a security boost because it still needs to get the latest signature update anyway as soon as 8/8.1 is installed. The only thing it saves is the initial download of the engine and this is a tiny download every tech keeps on a stick anyway.

I can name quite a number of things, though it may get somewhat technical, and I don't know what level you'd understand. MSE makes no difference to me, since bypassing AV isn't difficult, and it also isn't a technology that makes 8 any harder to hack than XP.

 

One major difference over XP is a proper implementation of ASLR. XP lacks all ASLR, making remote code execution trivial. Windows 8 ASLR is the first proper implementation on Windows, with multiple information leaks removed, and the ability to have all memory maps randomized. There is significantly more entropy as well.

 

Vista+ are immune to shatter attacks. On XP the difference between Admin and restricted user is not enforced properly, making escalation attacks incredibly easy. Microsoft released a patch to solve this, and it does somewhat, but it's not as well implemented.

 

Privileges in general are improved, as system services run with lower rights on Vista+, and areas of the kernel have been moved to userland, where an exploit won't be so critical.

 

/GS is used further in 8+ for system services.

 

I could go on.

 

These changes are considerable.

 

 

Wait, "not really relevant" ? Sorry, but this is incorrect. Hardware firewalls are everything when talking about home PC's on broadband. And history backs this conclusion as the proliferation of NAT routers ( thanks mostly to so many people getting laptops ) served to lock down many homes from port scanning attacks that were popular in the dawn of the broadband era before Windows shipped with any software firewall. Throwing away most incoming packets is the first line of defense because they never even arrive at the computer in the first place. It is why my software firewall logs are always empty.

No one attacks a users laptop anymore in any way that a network Firewall will matter much. Worms like conficker are remnants of the past, anyone on a modern system is far more likely to be attacked through a service that already is taking in input.

 

 

If you rephrase that to say "... attackers will certainly still attack Windows users using MSIE without a hardware firewall ..." then I'm right with you. Well, except for the money part. The money collection scams are almost always socially engineered to rope in n00bs that believe the silly dialog in their browser telling them that their system needs to be sped up or is now locked down by the FBI. These are the same silly n00bs that are likely to not have a router in the first place, or if they do will have it misconfigured from some quick-setup utility or have ports open so their son in the basement can use torrents all night long. Don't worry, these people will seamlessly morph into MetroTards later and if Windows 8 survives and supplants Windows 7 it will become just as infected because it is designed for uber-n00bs.

MSIE has little to do with it, as other browsers will be just as useless on XP, especially without patches. Do you think Chrome's sandbox will save you? It won't. NoScript? Nope. We've already seen in this topic an attack that would bypass both of those things, attacking font rendering in the kernel via truetype.

 

In terms of money, you're missing the point. All attacks, virtually, are about money. If I hack you it's not to trick you into giving me money, it's to hook you up to my botnet so I can sell your system off to someone for a couple hundred thousand dollars a year. And I'll likely sell off whatever accounts I access as well just for a couple hundred dollars extra.

 

 

It almost sounds to me like what you're saying here is that 8/8.1 is like magic for home user protection ( "considerably more secure" ), but even Microsoft would never ever go that far. The hardware firewall in a NAT router is the main ingredient, it needs to be standing between your PC and the physical ISP connection ( the Cable/FIOS/DSL modem ). Common sense and the other things I mentioned like not using MSIE, remote access come next.

Microsoft has stated that they consider 8 to be the most secure Windows operating system. They are correct. Again, NAT isn't important or relevant to modern attacks for desktop users.

 

8/8.1 are not magic. You can get far more secure using Linux, and MS has more work to do. But attacking 8/8.1 is considerably more difficult than attacking XP.

 

 

So let's just cut to the chase here. What would be safer: using Windows 8.x in a restricted account with its software firewall and CPU hogging antivirus and updated security magic connected directly to the ISP modem ( like so many n00bs are doing ), or bare naked Windows XP as administrator with no antivirus behind a router ( patched or unpatched, software firewall or not )?

Windows 8 would be far far far more secure in this case. But I'm not sure why you can't just... you know... have Windows 8 behind a router.

 

I guarantee that if anyone here is running an unpatched XP system it would take very little time to get into their systems, given that they're willing to click just one link. One known RCE in their browser, one known local kernel vulnerability - access to a single syscall, if even.


Edited by enxz, 30 July 2013 - 02:15 PM.
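The ASLR and DEP points in the post above come down to bits an image sets in its PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is the per-image ASLR opt-in that Vista and later honour and that XP's loader ignores entirely, NX_COMPAT is the DEP opt-in, and HIGH_ENTROPY_VA is the 64-bit high-entropy ASLR flag Windows 8 added. The following Python is an added illustration, not code from this thread or from Microsoft: it walks MZ -> PE signature -> COFF header -> optional header and decodes those bits. The flag values are the documented winnt.h constants; the build_minimal_pe helper constructs header-only images purely as sample input and does not produce a loadable binary.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, values as documented in winnt.h
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (Windows 8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased: the ASLR opt-in
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # loader enforces the Authenticode signature
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400           # image registers no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def mitigation_flags(data: bytes) -> dict:
    """Walk MZ -> PE -> COFF -> optional header and decode DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ layout
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)

    is64 = magic == PE32PLUS_MAGIC
    aslr = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "machine": machine,
        "pe32plus": is64,
        "aslr": aslr,
        # HIGH_ENTROPY_VA only means something for a 64-bit image that is also relocatable
        "high_entropy_aslr": is64 and aslr and bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "force_integrity": bool(dllchar & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
    }


def build_minimal_pe(dllchar: int, pe32plus: bool) -> bytes:
    """Constructed header-only PE image for demonstration; not a loadable binary."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C     # IMAGE_FILE_MACHINE_AMD64 or _I386
    opt_size = 240 if pe32plus else 224         # standard sizes including 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos_stub + b"PE\0\0" + coff + bytes(opt)


def report(name: str, data: bytes) -> str:
    """One-line verdict: which load-time mitigations the image failed to opt into."""
    f = mitigation_flags(data)
    missing = [k for k in ("aslr", "nx") if not f[k]]
    if f["pe32plus"] and f["aslr"] and not f["high_entropy_aslr"]:
        missing.append("high_entropy_aslr")
    verdict = "all load-time mitigations opted in" if not missing else "missing " + ", ".join(missing)
    return "%s: %s" % (name, verdict)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(sys.argv[1], fh.read()))
    else:
        # constructed samples: no flags, Vista-era 32-bit flags, Windows 8-era 64-bit flags
        samples = {
            "legacy_32bit.exe (constructed)": build_minimal_pe(0x0000, False),
            "vista_era_32bit.exe (constructed)": build_minimal_pe(0x0140, False),
            "win8_64bit.exe (constructed)": build_minimal_pe(0x0160, True),
        }
        for sample_name, blob in samples.items():
            print(report(sample_name, blob))
```

Run it with a path to any .exe or .dll to see the verdict for a real image, or with no arguments for the constructed samples. The caveat a practitioner should keep in mind is that these bits are opt-ins: a single non-relocatable module loaded into a process gives an attacker a fixed address regardless of how good the OS-level ASLR is, which is why the check is worth running per module and not just on the main executable.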


#29
DosProbie

    Friend of MSFN

  • MSFN Sponsor
  • 739 posts
  • Joined 16-October 12
  • OS:Windows 8.1 x64

I did a study on updates a few years back and found that the more updates, the slower the system ran. Also, I do Windows reinstalls on average about 3 times a week, so I don't really see the need for updates, and I keep them disabled. My vote is with CharlotteTheHarlot..



#30
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

I would like to see that study. My guess is that a large number of updates led to a lot of disk space being used by update packages, and removing them and subsequently defragging would solve it.

 

But, of course, performance is not the question here. Security is.



#31
jaclaz

    The Finder

  • Developer
  • 14,405 posts
  • Joined 23-July 04
  • OS:none specified

I can name quite a number of things, though it may get somewhat technical, and I don't know what level you'd understand. 

Well, you can try; rest assured that if the things you name are so mind-bogglingly complex as to be beyond our understanding, we will ask you to stop the listing before our little brains risk exploding.

 

jaclaz



#32
CharlotteTheHarlot

    MSFN Master

  • Member
  • 2,054 posts
  • Joined 24-September 07
  • OS:none specified

...


Everything you are describing is about protecting the average user, the "Sheeple" as they are affectionately known to so many. I'll be the first one to agree that they are hopeless, I see their handiwork everyday.

However, if I do not invite you in from the inside, and you cannot hack your way in from the outside, the computer will not be compromised, period. This includes any version of Windows including Windows XP, unpatched, running as administrator, bare naked with no antivirus.

I think there are two kinds of people in the world nowadays, in large part thanks to Microsoft, Apple and others. There are those with situational awareness, and those without. In the former case the people are not connecting everything they own to the Internet, especially anything important, and obviously not clicking on everything in sight. In the latter case, well, they go online with everything they own and click on it all. And they don't really care. If it means digging into a menu to change a setting they won't even bother. Strong passwords and passphrases, forget it. Many times they don't have any clue that they are even online, and again we can thank Microsoft and others, but especially Microsoft for blurring the distinction between online and offline. It has been their obsession since Windows 98. These are natural born victims. It's positively Darwinian. Microsoft and all their patching cannot save them.

 

Any remote kernel exploit will quite obviously bypass everything other than hardware based security. Any local kernel exploit combined with RCE in a program such as a browser will bypass your NAT/ network Firewalls, and provide full system control regardless of sandboxing.


That's one way of saying that the sheeple invited the malware into the computer and executed it. And that wouldn't really be "bypassing" a NAT router, it would be normal use of communications by design. It did not break in, it did not bypass anything. All the discussion above about 8/8.1 and its countless patches and duct tape to numerous files compared to earlier versions of Windows come into play after the sheeple invited the malware into the computer and executed it. You are describing an OS that is built for the worst case scenario, and I agree, it is. It is reduced to the lowest common denominator, the sheeple that operate in this environment. And that's fine. It keeps many of us in business cleaning up after them, despite all the exploit patching.

 

Since you named "8/8.1" and used the phrase "considerably more secure", can you explain how its security is increased over say 7 or 7(sp1) ? It will have to be mega-gigantically more secure to even make a dent in the flourishing infection rate on those Windows 7 systems. Note that the inclusion of MSE out of the box does not count as a security boost because it still needs to get the latest signature update anyway as soon as 8/8.1 is installed. The only thing it saves is the initial download of the engine and this is a tiny download every tech keeps on a stick anyway.


I can name quite a number of things, though it may get somewhat technical, and I don't know what level you'd understand. MSE makes no difference to me, since bypassing AV isn't difficult, and it also isn't a technology that makes 8 any harder to hack than XP.
 
One major difference over XP is a proper implementation of ASLR. XP lacks all ASLR, making remote code execution trivial. Windows 8 ASLR is the first proper implementation on Windows, with multiple information leaks removed, and the ability to have all memory maps randomized. There is significantly more entropy as well.
 
Vista+ are immune to shatter attacks. On XP the difference between Admin and restricted user is not enforced properly, making escalation attacks incredibly easy. Microsoft released a patch to solve this, and it does somewhat, but it's not as well implemented.
 
Privileges in general are improved, as system services run with lower rights on Vista+, and areas of the kernel have been moved to userland, where an exploit won't be so critical.
 
/GS is used further in 8+ for system services.
 
I could go on.
 
These changes are considerable.


Okay fine, I can accept all that as fact. But nothing you said there was about Windows 8.x versus Windows 7. We're well aware of where Windows XP sits in the evolutionary tree ( ironically it's a benefit to XP in many ways that it is not weighed down by a hundred services and tasks, and yes this was correctly said about Win9x compared to XP ). But I asked about 8 versus 7 specifically because unless there is a giganto-humongous increase in real security over Windows 7 ( and I highly doubt it ) then the never ending stream of infected Windows 7 systems will simply evolve into never ending streams of Windows 8.x systems. All the bullet lists of patchwork and duct tape from version to version has made no difference in over a decade when those systems are owned and operated by sheeple. Please note that none of what I am saying here is aimed at you in any way, it is aimed at the security treadmill industry whose chief product is bullet lists full of theoretical vulnerabilities.

 

Wait, "not really relevant" ? Sorry, but this is incorrect. Hardware firewalls are everything when talking about home PC's on broadband. And history backs this conclusion as the proliferation of NAT routers ( thanks mostly to so many people getting laptops ) served to lock down many homes from port scanning attacks that were popular in the dawn of the broadband era before Windows shipped with any software firewall. Throwing away most incoming packets is the first line of defense because they never even arrive at the computer in the first place. It is why my software firewall logs are always empty.


No one attacks a users laptop anymore in any way that a network Firewall will matter much. Worms like conficker are remnants of the past, anyone on a modern system is far more likely to be attacked through a service that already is taking in input.


This is where I disagree. You can't even use remote assistance without opening ports on the NAT router. You cannot torrent. P2p comm programs and other utilities will not work. Even Xbox requires a change. Everything is opt-in, and it really can't get much more secure than that, can it? Many common pathways are slammed shut by default, arriving packets tossed and no CPU wasted in the process.

Maybe I was unclear in that phrasing above. When Windows XP came out useful broadband was just arriving for the average home consumer ( speeds above ISDN ) and this meant they now used a modem from the ISP. People just shoved their ethernet wire from their single home PC into it and were off to the races. Thus began the download era, the worm era and also the near instantaneous computer virus infection era when a typical user clicked on those attachments and those "click me" links in email or on pictures of Pamela Anderson ( or was it Anna Kournikova? ). Then when laptops arrived in quantity and demanded either another ethernet jack or a wireless access point now a local router was added. Thankfully these routers mostly came with NAT ( lucky too, this was long before IPv6 was talked about much ) and thus home computers and networks suddenly became relatively secure overnight. Well, until the geek in the home started reconfiguring for torrents and other stuff.

It's not at all about how a laptop is attacked because there are so many methods. The victim clicks a link or opens an attachment or autoruns a local file with a malware payload that quickly infects the PC with malware that uses port 3389 ( or any other ) which are now blocked. It's what happens after that. At today's CPU speeds malware can quickly change the registry settings for a software firewall to open all those ports or disable it completely ( even on a reduced user account tricking them into "OK" a prompted change, or I suspect simply using SetACL silently because I have a few unexplained cases with customers that swear they never clicked anything in Windows 7 ). Anyway, the point is that none of this ( opening up the firewall ) is possible with hardware security without intentionally entering the configuration interface for the router.

The hardware based security therefore is immune to unintentional alterations, and reduces CPU load at the same time. So I'm trying, but failing to understand why you keep saying that a hardware firewall in a router is somehow inconsequential. It really is anything but that.
 
 

MSIE has little to do with it, as other browsers will be just as useless on XP, especially without patches. Do you think Chrome's sandbox will save you? It won't. NoScript? Nope. We've already seen in this topic an attack that would bypass both of those things, attacking font rendering in the kernel via truetype.
 
In terms of money, you're missing the point. All attacks, virtually, are about money. If I hack you it's not to trick you into giving me money, it's to hook you up to my botnet so I can sell your system off to someone for a couple hundred thousand dollars a year. And I'll likely sell off whatever accounts I access as well just for a couple hundred dollars extra.


A point of agreement in that Windows XP will likely run out of usable browsers. This is not something Microsoft should ever brag about though because they are the malevolent force behind this by obsoleting a working operating system, and spreading FUD daily about the cut-off date Armageddon and no doubt whispering into the ears of the other browser makers to get them to stop developing for XP because it will somehow save them money or something. They should get crucified again over this issue because even though their strategy is different this time ( obsoleting their own browser and operating system ), the end result is still the same, thwarting development and use of 3rd party browsers on a perfectly working operating system. This goes double for device drivers for new hardware. Microsoft is trying to force people to upgrade to a new operating system. Has anyone ever asked them why? Yes, Opera and Mozilla and Google are also to blame, but they are merely being stoopid while Microsoft is being reckless and yes, evil. No company that really cares about security would stop making their super duper secure browser for their own working operating system, which runs at least one third of all computers on the planet.

Now about MSIE, Internet Explorer has always been the single biggest Achilles heel for Windows users on the Internet. Sure it's getting better ( could it get worse? ) but I have screenshots from last year of the FBI trap on Windows 7 ( non-administrator, MSE running, etc ). Dialogs painted by Internet Explorer can look exactly like the operating system itself because Microsoft jammed MSIE into the operating system itself. The social traps love to simulate official looking boxes which MSIE happily accommodates and is yet another fabulous reason to try to use third party browser software that does not mimic the Windows native look ( personally I use Opera with a custom skin I made but on Vista/7 you can always just kill the Aero glass look on an ad hoc basis in a shortcut's properties ). This means the potency of the trap bait is reduced because the phony dialog will stand out differently. But this problem is actually getting worse now - MSIE is actually getting more problematic because as Windows itself drifts more towards a web look the difference between what is "official OS business" and what is online garbage and what is a phony dialog all converges into a mess.

Worst of all, MSIE is often quite stoopid. Just unplug your ethernet wire and then click something in MSIE. It still serves up a "cannot display ..." page with that "Diagnose" option to scramble your network settings because the plug is out! That's just plain dumb. And dangerous because it trains the sheeple to accept that very low-quality web page as "official OS business" and later when that same user is confronted with a much more "official looking" but fake dialog they will understandably click it. The operating system looks like a web page so web pages easily look like the operating system. What I am trying to say is that by blurring the difference between online and off, and by not distinguishing the "official" interface from crappy webpages they are hurting the users because they no longer can discern what something is and where they are. IMHO, Microsoft isn't even trying to protect the user. They simply are not thinking these things through properly. And we're not even mentioning ActiveX yet. How can anyone take seriously a browser that allows something like this?

Oh, Botnets. Well I do agree that they are an evolving form of threat and I wasn't even thinking of them because I have seen so few so far. But point taken. Just don't underestimate the social traps like FBI and FixMeUp or PC Antivirus 2011 or whatever else. These I see all the time. And some of these folks have already paid cash ( the AV traps ) by the time I got their PC and then they had to undergo the whole credit card canceling and everything else. I don't believe those numbers though ( "hundred thousand dollars" ) but I'm not saying it's not a threat. Like above, they will have an easy go of it if the sucker hosting the botnet client is connected straight into the ISP modem, I doubt that will be the same for a hardware firewall.

 

Microsoft has stated that they consider 8 to be the most secure Windows operating system. They are correct. Again, NAT isn't important or relevant to modern attacks for desktop users.

 
They are correct with respect to protecting the hapless sheep. That's as far as I'll go though.

 

8/8.1 are not magic. You can get far more secure using Linux, and MS has more work to do. But attacking 8/8.1 is considerably more difficult than attacking XP.

(...)

Windows 8 would be far far far more secure in this case. But I'm not sure why you can't just... you know... have Windows 8 behind a router.


Well you can definitely put it behind a router also, but it sounds like you really don't think it's necessary. Here are two scenarios again ...

(1) Windows 8 system plugged directly into ISP modem ( NO Router ), standard user account, Windows firewall and the full CPU hogging disk thrashing MSE antivirus running. Using MSIE.

(2) Windows XP system plugged into NAT router, administrator account, no antivirus, bare nude naked. Anything but MSIE.

The answer depends largely on one's situational awareness and competency. I would think that someone such as yourself that used the phrase "it may get somewhat technical, and I don't know what level you'd understand" would be comfortable in either scenario. But there is a very good reason to select #2 and it addresses something you said in another comment: "But, of course, performance is not the question here. Security is.". Life is full of choices, we are constantly mapping out plus-minus decision matrices in our heads and this is a good case of that. Sure XP has some disadvantages thanks to planned obsolescence from Microsoft. But it has advantages that for many trump all the new potholes built-in to later versions. It is fast. There are less events occurring per millisecond because there is less housekeeping and disk indexing ( none in my case ). Also, of ever increasing importance is the fact that while Windows XP is less secure to all those theoretical exploits, it is quite reasonable to conclude that it is more secure with respect to government intrusion. The Windows 6.x kernel was entirely developed post 9/11 and then scrapped and re-written again - Longhorn to Vista. Windows XP has been service packed three times since 9/11 but so far I see no indication of a major Microsoft sanctioned spyware injection, but I could be wrong. We'll see.

Therefore I'll gladly go with scenario #2. And in fact I have been going with #2 for several years now. Why not? In the never-seen-yet scenario of some malware or infection I would just swap in a backup HDD or just drop the HDD in another computer and scrub it. It's not rocket science. ... Benefits? ... You gain back in the full power of your CPU which in scenario #1 is already taxed by numerous standard operating system tasks in Windows 6.x, but then what is left over is spent servicing the realtime antivirus, not to mention running the software firewall which is going to be busy rejecting all those packets that will never make it past the router in scenario #2 in the first place.
 
Scenario #1 simply repulses me. It does not fit my personality. I do not need hand-holding, or a browser that screens websites or an AV that downloads stuff to scan for threats ( and I forgot to mention scans folders clicked on in Explorer, and scrubs inserted flashdrives for what it thinks are threats wiping out my Nirsoft files, etc ). Nothing about this makes me want to do anything except vomit. There are far, far too many negatives in this scenario. It is simply unacceptable.

BTW, I'm not in this thread evangelizing scenario #2 over #1 for the average person out there. Let me be clear. Both scenarios have perfectly logical applications in the real world. #1 for the average user out there. If it was 5 and 10 years ago these Sheeple would be Apple users. But Microsoft has been busy grooming them, somewhat successfully and now they have their own flock to tend to. I get that. So for them, scenario #1 it is. For the rest of us who have been in this game since Microsoft was a hyphenated word, we'll just have to muddle along, taking our chances.

... Let him who hath understanding reckon the Number Of The Beast ...
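The post above argues that a NAT router drops unsolicited inbound packets before they reach any PC and that every exposed service is an explicit opt-in by the administrator; the reply it answers argues that this does nothing against content arriving over a connection the victim opened. Both points can be seen in one small model. The following Python is an added illustration written for this thread, not any vendor's firmware: a toy connection-tracking NAT with endpoint-dependent filtering (a reply is forwarded only from the remote host and port the LAN host actually contacted) and an admin-only port-forward table. The WAN and LAN addresses are constructed from documentation ranges and the scenario() function is invented sample traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy consumer NAT router: outbound flows create translations, unsolicited
    inbound traffic is dropped unless the admin has added a port-forward rule."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self._table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, wan_port) -> (lan_ip, lan_port); only ever written by add_port_forward
        self._forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def add_port_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """The deliberate opt-in: requires someone to edit the router's configuration."""
        self._forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: reuse or allocate a translation, rewrite the source to the WAN address."""
        for (proto, wport), (lip, lport, rip, rport) in self._table.items():
            if (proto, lip, lport, rip, rport) == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(pkt.proto, self.wan_ip, wport, pkt.dst, pkt.dport)
        key = (pkt.proto, self._next_port)
        self._next_port += 1
        self._table[key] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.wan_ip, key[1], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only on a matching translation or forward rule, else drop."""
        key = (pkt.proto, pkt.dport)
        entry = self._table.get(key)
        # endpoint-dependent filtering: the reply must come from the host and port we contacted
        if entry is not None and (entry[2], entry[3]) == (pkt.src, pkt.sport):
            return Packet(pkt.proto, pkt.src, pkt.sport, entry[0], entry[1])
        fwd = self._forwards.get(key)
        if fwd is not None:
            return Packet(pkt.proto, pkt.src, pkt.sport, fwd[0], fwd[1])
        self.dropped.append(pkt)   # never reaches a LAN host, so no software firewall log entry
        return None


def scenario() -> dict:
    """Constructed traffic: a port scan, a browsing session, a spoofed reply, an opened port."""
    r = NatRouter("203.0.113.7")                     # constructed WAN address (TEST-NET-3)
    lan_pc, web, scanner = "192.168.1.10", "198.51.100.20", "198.51.100.9"

    # 1. unsolicited RDP probe from the Internet: no translation, no rule, dropped
    scan = r.inbound(Packet("tcp", scanner, 51515, r.wan_ip, 3389))
    # 2. the LAN PC opens an HTTPS connection; the router creates a translation
    out = r.outbound(Packet("tcp", lan_pc, 50000, web, 443))
    # 3. the web server's reply matches that translation and is delivered, whatever it carries
    reply = r.inbound(Packet("tcp", web, 443, r.wan_ip, out.sport))
    # 4. a third party aiming at the same WAN port from a different endpoint is dropped
    spoof = r.inbound(Packet("tcp", scanner, 443, r.wan_ip, out.sport))
    # 5. only after the admin opens 3389 does the probe reach the PC
    r.add_port_forward("tcp", 3389, lan_pc, 3389)
    rdp = r.inbound(Packet("tcp", scanner, 51516, r.wan_ip, 3389))

    return {"scan": scan, "out": out, "reply": reply, "spoof": spoof, "rdp": rdp,
            "dropped": len(r.dropped)}


if __name__ == "__main__":
    for name, value in scenario().items():
        print("%-8s %s" % (name, value))
```

Step 3 is the part each side of the argument reads differently: the reply is delivered because the LAN host asked for it, and the router has no opinion about whether the bytes inside are a web page or a browser exploit. Steps 1, 4 and 5 are what the router does add: nothing unsolicited arrives until a person edits the forward table.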


#33
enxz

    Newbie

  • Member
  • 41 posts
  • Joined 25-July 13
  • OS:Windows 8 x64

 

> However, if I do not invite you in from the inside, and you cannot hack your way in from the outside, the computer will not be compromised, period. This includes any version of Windows including Windows XP, unpatched, running as administrator, bare naked with no antivirus.

Well first of all a remote kernel exploit, like one in the TCP/IP stack, will compromise a system even if all ports are closed. Vulnerabilities exist in firewalls (we've seen this on Windows, even) that allow an attacker to exploit a closed port as well.

But generally a box that has all closed ports is relatively safe. But as I've said, attacks don't rely on open ports anymore.

> These are natural born victims. It's positively Darwinian. Microsoft and all their patching cannot save them.

I disagree. The majority of attacks against users go through hacked legitimate websites.

One really good example of this is the recent hack of Ubuntuforums.org. That's a "good" website, but for 6 days it was controlled by an attacker. In that time he could have easily put up an exploit page, and no "common sense" would have saved anyone - I'm a security professional and I visit that website, so do many others.

So I don't think the user being knowledgeable is so critical, because that fails very quickly.

> That's one way of saying that the sheeple invited the malware into the computer and executed it.

Not really, trickery is not always necessary. Though it's easy. But as I stated above, Ubuntuforums.org was compromised - no one had to be tricked into executing code, or visiting a site, they went to it believing it was legitimate when an attacker controlled the content.

This happens often. There's no social engineering involved.

> And that wouldn't really be "bypassing" a NAT router, it would be normal use of communications by design

Of course - the NAT did exactly what it's supposed to do. It's just completely useless in modern attacks.

> All the discussion above about 8/8.1 and its countless patches and ductape to numerous files compared to earlier versions of Windows come into play after the sheeple invited the malware into the computer and executed it.

I doubt anyone invites malware onto their systems. They are either tricked into clicking on a link, tricked into downloading and executing a file, or they hit an unlucky webpage that's been compromised.

> It is reduced to the lowest common denominator, the sheeple that operate in this environment. And that's fine. It keeps many of us in business cleaning up after them, despite all the exploit patching.

No, not really. Users aren't critical to security, but that's not really the point I want to make, since it'll just lead to a whole other discussion.

> But nothing you said there was about Windows 8.x versus Windows 7

Yes, actually. Appcontainer (MAC) and ASLR are both unique to 8.x. 7 implements ASLR (as did Vista) but 8 is the first implementation that's done properly.

/GS improvements on Windows services are unique to 8 services AFAIK.

There are actually a large number of significant improvements to 8.x over 7. I can link you to a PDF that lists them in much greater detail if you'd like.

> This is where I disagree. You can't even use remote assistance without opening ports on the NAT router. You cannot torrent. P2p comm programs and other utilities will not work. Even Xbox requires a change. Everything is opt-in, and it really can't get much more secure than that, can it? Many common pathways are slammed shut by default, arriving packets tossed and no CPU wasted in the process.

Well first of all your router must be screwed up, because you should definitely be able to torrent without opening ports on the router.

Packets are definitely not just tossed. You're reading this webpage right now, aren't you? That means that, somehow, someone is sending data to your computer. That's all an attacker needs. They can MITM your connection, hack the website, send you a link, etc. Once you get to an area where they control the content (like opening an email from them) they can attack you. That's all it takes.

> The hardware based security therefore is immune to unintentional alterations, and reduces CPU load at the same time. So I'm trying, but failing to understand why you keep saying that a hardware firewall in a router is somehow inconsequential. It really is anything but that.

Your malware doesn't need to mess around at all with your router ports. I'm not sure why you think that a router has to do something special when your web browser doesn't. Do you open ports on your router for your browser? No? Then why would malware need to? It's not doing anything special.

> (1) Windows 8 system plugged directly into ISP modem ( NO Router ), standard user account, Windows firewall and the full CPU hogging disk thrashing MSE antivirus running. Using MSIE.
>
> (2) Windows XP system plugged into NAT router, administrator account, no antivirus, bare nude naked. Anything but MSIE.

Like I said, Windows 8 is better off. Although your 8 services are exposed more directly, getting into the XP box is not going to be hindered much. Of course, I wouldn't recommend either - you should be behind NAT, because you don't want to be exposed. But NAT isn't going to make up for an operating system full of holes. MSE isn't relevant, AV is stupid and anyone can bypass it completely.

In terms of performance there's a lot more to it than services running. On modern hardware 7/8 will run faster than XP depending on the task. But the reason I'm avoiding discussing performance is because it changes depending on the hardware - an old system will run XP faster than 7, a new one will run 7 faster than XP. That's just how it is.

The point is, as it has been, that given the same network setup, given the same user, given all things being the same, it is much easier to get into an XP box than 8.x. And it is trivial when the user doesn't patch.



#34
tomasz86

> In terms of performance there's a lot more to it than services running. On modern hardware 7/8 will run faster than XP depending on the task. But the reason I'm avoiding discussing performance is because it changes depending on the hardware - an old system will run XP faster than 7, a new one will run 7 faster than XP. That's just how it is.

Could you give some examples (specific applications, benchmarks)? I'm no expert but I did some benchmarking myself and the results show that Windows 2000 is faster than Windows 8. Not a big difference but still...

Out of curiosity I ran a few benchmarks to compare performance of Windows 8 (32-bit) & Windows 2000:

CrystalMark 2004R3
Windows 2000: [screenshot]
Windows 8: [screenshot]

CineBench 11.5 (CPU)
Windows 2000 - 2.86
Windows 8 - 2.84

7-Zip (compression)
Windows 8 - 03:11
Windows 2000 - 03:15

Configuration: [spoiler]

Unofficial Service Pack 5.2 for MS Windows 2000 <- use this topic if you need help with UURollup, Update Rollup 2 and other unofficial packages

#35
5eraph

> You can't even use remote assistance without opening ports on the NAT router.

> Well first of all your router must be screwed up, because you should definitely be able to torrent without opening ports on the router.

You're both right, and you're both wrong. Neither of you mention UPnP, which allows a router to open ports when requested LAN-side by an application. It should be disabled by default for tighter security "out of the box," but some manufacturers may not follow this philosophy for the sake of "ease of use."

#36
enxz

Tomasz,

I have no benchmarks on me. Benchmarks aren't always reliable either, as in terms of pure FLOPS CPU cycles will matter most, and an older OS will have more to spare. But for more complex applications, like a browser, CPU scheduling, memory management, superfetch, etc will be very important. So on a single core system with 512MB-1GB of RAM XP may be faster. But on a dual core/ quad core system with 4GB+ of RAM, 8 should be considerably faster, as it will make use of those resources much better.

One really simple example of where a benchmark won't see any performance improvement is Superfetch. HDDs are very slow, RAM is very fast. Your operating system (after XP) realizes this, and caches a lot of your file system into RAM. But it only has a little RAM, and a ton of file system, so it has to decide what goes into it. A benchmark, which you only run a single time, and which is specifically looking for HDD performance, will show really slow performance for disk access. But a normal program will end up benefiting significantly from Superfetch.

@5eraph,

uPnP is not necessary for browsing, nor torrenting. If you want to host a server, then it is, because servers take in unsolicited information, but any program that creates an outbound connection will allow for inbound.

The IPTables rules would look something like:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -j REJECT

That's why your browser can work. It creates the connection (RELATED, ESTABLISHED) which then allows for inbound access. New connections are not allowed for inbound access.

So your system is not completely blocked from the internet, otherwise your router would kill internet completely. This means that, if you're running behind NAT, an attacker can still access your system. It's harder, to the extent that they can't just send packets straight at services, but it's really not difficult.

Edited by enxz, 31 July 2013 - 09:49 PM.


#37
allen2

The proper way to use a router/firewall as protection against most kinds of malware isn't NAT but blocking most traffic on both sides and only allowing browsing/internet access through a proxy (more secure with a whitelist of safe websites and a realtime malware/antivirus scanner).



#38
tomasz86

> Tomasz,
>
> I have no benchmarks on me. Benchmarks aren't always reliable either, as in terms of pure FLOPS CPU cycles will matter most, and an older OS will have more to spare. But for more complex applications, like a browser, CPU scheduling, memory management, superfetch, etc will be very important. So on a single core system with 512MB-1GB of RAM XP may be faster. But on a dual core/ quad core system with 4GB+ of RAM, 8 should be considerably faster, as it will make use of those resources much better.

Still, I think at least some "hard" data would be required to prove your point. I don't really see any significant difference when running the same applications under Windows 2000, XP and 7/8 on the same hardware configuration which was listed above. Benchmarks also don't show any large difference, and when there's a difference it's always favourable for the NT 5.x line (I think Windows 2003 Server actually scores highest but I've got no numbers to show at the moment).

Multiple cores and gigabytes of RAM are really nothing new to Windows. Even Windows 2000 is technically capable of handling up to 32 CPUs (cores) and 32 GB of RAM.

Edited by tomasz86, 01 August 2013 - 03:06 AM.

#39
uid0

> uPnP is not necessary for browsing, nor torrenting. If you want to host a server, then it is, because servers take in unsolicited information, but any program that creates an outbound connection will allow for inbound.
>
> The IPTables rules would look something like:
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

It depends on how clever your NAT router is - some will know to open related ports, but with consumer grade kit you usually have to open ports for torrents and Xbox etc, if not using uPnP.

Please do link to the win8 pdf - I'd like to know what /GS is.

Cheers



#40
5eraph

> uPnP is not necessary for browsing, nor torrenting. If you want to host a server, then it is, because servers take in unsolicited information, but any program that creates an outbound connection will allow for inbound.

I never disputed that. But I would recommend you look into how bittorrent works. Two peers on separate NAT routers cannot connect to each other unless at least one of them opens a port on his or her respective router. This is where UPnP comes in handy if the bittorrent client supports it.
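Added example, not code from any post in this thread: a small model of what the iptables rules in enxz's post and the port-forward/UPnP point in 5eraph's post both describe. A consumer NAT router keeps a connection-tracking table; replies to connections a LAN host opened match RELATED,ESTABLISHED and are let through, unsolicited NEW packets from the WAN are dropped, and the only other way in is a port that was explicitly opened (manually or by UPnP). The router's public IP, the LAN host and the peers are constructed addresses from the RFC 5737 documentation ranges, and the table sizes and port allocation are simplifications, not any real router's implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a consumer NAT router's connection-tracking and
 * port-forwarding tables. Sizes and port allocation are simplified. */
#define MAX_CONN 16
#define MAX_FWD  8

typedef struct {
    uint32_t lan_ip;    uint16_t lan_port;     /* inside host and port        */
    uint32_t remote_ip; uint16_t remote_port;  /* outside peer it talked to   */
    uint16_t mapped_port;                      /* router's WAN-side port      */
    int in_use;
} Conn;

typedef struct {
    uint16_t wan_port;  /* port opened on the WAN side (manually or via UPnP) */
    uint32_t lan_ip;    uint16_t lan_port;
    int in_use;
} Forward;

static Conn    conns[MAX_CONN];
static Forward forwards[MAX_FWD];
static uint16_t next_mapped = 40000;

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

void nat_reset(void) {
    memset(conns, 0, sizeof conns);
    memset(forwards, 0, sizeof forwards);
    next_mapped = 40000;
}

/* A LAN host opens a connection outbound (state NEW seen from the inside).
 * The router records it so the peer's replies match RELATED,ESTABLISHED.
 * Returns the WAN-side port the peer will answer to, or 0 if the table is full. */
uint16_t nat_outbound(uint32_t lan_ip, uint16_t lan_port,
                      uint32_t remote_ip, uint16_t remote_port) {
    for (int i = 0; i < MAX_CONN; i++) {
        if (conns[i].in_use) continue;
        conns[i] = (Conn){ lan_ip, lan_port, remote_ip, remote_port, next_mapped, 1 };
        return next_mapped++;
    }
    return 0;
}

/* A manual port forward, or what a UPnP AddPortMapping request from the LAN
 * side would create. Returns 1 on success, 0 if the table is full. */
int nat_add_forward(uint16_t wan_port, uint32_t lan_ip, uint16_t lan_port) {
    for (int i = 0; i < MAX_FWD; i++) {
        if (forwards[i].in_use) continue;
        forwards[i] = (Forward){ wan_port, lan_ip, lan_port, 1 };
        return 1;
    }
    return 0;
}

/* A packet arrives from the WAN addressed to the router's public IP.
 * Returns 1 (ACCEPT, *lan_ip/*lan_port set to the inside host) if it belongs
 * to a tracked connection or matches an explicit forward; 0 (DROP) otherwise.
 * Anything unsolicited, i.e. NEW from the outside, is dropped. */
int nat_inbound(uint32_t src_ip, uint16_t src_port, uint16_t dst_port,
                uint32_t *lan_ip, uint16_t *lan_port) {
    for (int i = 0; i < MAX_CONN; i++) {
        const Conn *c = &conns[i];
        if (c->in_use && c->mapped_port == dst_port &&
            c->remote_ip == src_ip && c->remote_port == src_port) {
            *lan_ip = c->lan_ip; *lan_port = c->lan_port;
            return 1;   /* reply to a connection we opened: ESTABLISHED */
        }
    }
    for (int i = 0; i < MAX_FWD; i++) {
        if (forwards[i].in_use && forwards[i].wan_port == dst_port) {
            *lan_ip = forwards[i].lan_ip; *lan_port = forwards[i].lan_port;
            return 1;   /* explicitly opened port */
        }
    }
    return 0;           /* unsolicited NEW connection from outside: dropped */
}

/* Walk-through: the browser case, two unsolicited probes, and a torrent peer
 * that only reaches the client once a port has been forwarded. Returns 1 if
 * every verdict is as expected. */
int demo(void) {
    uint32_t pc = ip4(192,168,1,10), web = ip4(198,51,100,20), peer = ip4(203,0,113,99);
    uint32_t lip; uint16_t lport;
    nat_reset();
    uint16_t m = nat_outbound(pc, 50000, web, 443);                 /* browser -> site */
    int reply_ok = nat_inbound(web, 443, m, &lip, &lport);          /* site's answer */
    int probe_ok = nat_inbound(peer, 6881, m, &lip, &lport);        /* stranger, same mapped port */
    int smb_ok   = nat_inbound(peer, 1234, 445, &lip, &lport);      /* scan of port 445 */
    int torrent_before = nat_inbound(peer, 6881, 6881, &lip, &lport);
    nat_add_forward(6881, pc, 6881);                                /* UPnP or manual forward */
    int torrent_after  = nat_inbound(peer, 6881, 6881, &lip, &lport);
    printf("reply=%d probe=%d smb=%d torrent before=%d after=%d\n",
           reply_ok, probe_ok, smb_ok, torrent_before, torrent_after);
    return reply_ok && !probe_ok && !smb_ok && !torrent_before && torrent_after;
}

int main(void) { return demo() ? 0 : 1; }
```

The two tables are the whole argument in miniature: the browser's traffic comes back because the router already knows the 4-tuple, a scan of port 445 or a guess at a mapped port from a different source is dropped, and the torrent peer only gets through after the forward exists. What the model also makes visible is the defender's caveat from the thread: the forward is a standing hole regardless of which LAN program asked for it, which is why UPnP should be off unless something on the LAN actually needs it.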

#41
enxz

@Thomasz,

CPU scheduling has changed a lot, because while old Windows versions could absolutely handle multiple cores and threads, we didn't have mainstream hardware that did it.

Try a browser benchmark. But I'm not really here to convince anyone of performance improvements, only that XP is not a secure operating system.

@uid0,

/GS is a stack canary feature that heuristically determines which functions should have one (to avoid the 3% performance hit for function returns).

I'll find you the PDF a bit later, for some reason it's not coming up in a quick search.

@5eraph

> I never disputed that. But I would recommend you look into how bittorrent works. Two peers on separate NAT routers cannot connect to each other unless at least one of them opens a port on his or her respective router. This is where UPnP comes in handy if the bittorrent client supports it.

Maybe so. But it doesn't matter at all, since, as I've said, no attacker is going to be going directly at a service - attacks these days work by hijacking some website users visit and putting up an exploit page. Exploit pages are already on your system, they don't care about the firewall/NAT.



#42
jaclaz

> Try a browser benchmark. But I'm not really here to convince anyone of performance improvements, only that XP is not a secure operating system.

I thought you were after attempting to convince everyone that XP is less secure than Windows 8 and Windows 8.1. :unsure:

jaclaz



#43
enxz

It's not mutually exclusive. XP is both an insecure operating system and less secure than Windows 8.



#44
dencorso

> XP is both an insecure operating system and less secure than Windows 8.

As the good Judge Patrice Lessner would put it: "...in *your* opinion!"

To affirm that as a fact, at the very least a double-blind test is required, with representative samples for each group of machines.

You've shown no reliable data, in fact, no data whatsoever.



#45
jaclaz

> You've shown no reliable data, in fact, no data whatsoever.

Well, but that is not fully-fully true, no actual data was provided, but they have been withheld - in perfect good faith - to prevent damages:
http://www.msfn.org/...sary/?p=1046080

jaclaz

#46
enxz

> As the good Judge Patrice Lessner would put it: "...in *your* opinion!"
> To affirm that as a fact, at the very least a double-blind test is required, with representative samples for each group of machines.
> You've shown no reliable data, in fact, no data whatsoever.

I've actually mentioned ASLR and /GS already.

ASLR is Address Space Layout Randomization. It randomizes the address space of a process so that an attacker has a more difficult time creating ROP gadgets, which are used for Return Oriented Programming. These gadgets allow attackers to bypass Data Execution Prevention (DEP).

DEP is in Windows XP SP1. ASLR is not on any Windows XP box. ROP has been around for well over a decade now, and creating your gadgets is easy, and an automated task. Without ASLR an attacker gets initial shell and they control the process. With ASLR an attacker requires an information leak, which Windows 8 has made more difficult (removing Shared_User_Data, for example). Windows 8 is the first Windows operating system that allows a process to force all mappings to use at least 8 bits of entropy, and allows processes to make use of far more entropy, making bruteforce attacks much less reliable.

/GS is a stack canary that is heuristically attached to functions at compile time. Stack overflows that corrupt the canary will fail if the attacker does not use their one chance to guess the canary value. On XP there was 1 bit of entropy for this value, and I'm not sure if they ever fixed that. Regardless, /GS has been improved and included in the new toolchain for Windows 8.

SEHOP is Secure Exception Handling Overwrite Protection. It is not included in XP (without EMET) and it mitigates a significant number of vulnerabilities that have been exploited (especially in IE) in the past on Windows XP. Vista+ use it.

Multiple areas of the kernel have been moved to userland. One component is part of the graphics stack, which, for performance reasons, is partially handled by the kernel. But an attack on the userland components, the areas exposed to attackers, will no longer lead to an instant kernel level attack on the system.

MIAC, Mandatory Integrity Access Control, is the basis for high level sandboxing on Windows. It goes far past ACLs to allow processes to restrict their own file access, among other things.

Separation between User and Admin is native to Vista+, whereas on XP it's not nearly as clearly defined, leading to a class of attacks known as shatter attacks.

Here's the PDF I mentioned:

http://media.blackha...tion_Slides.pdf

It brings up Guard Pages, local kernel mitigation techniques (more areas of the kernel have been marked as nonexecutable, KASLR has improved entropy, SMEP, soon SMAP), and multiple other mitigation techniques.

There is no objective measure of security. People don't even agree on how to define whether a system is secure or not, or if it's even possible. But if you know how attacks work, and how defense works, it should be very obvious that Windows 8 is more secure. If you think anyone in this world is going to post a meaningful benchmark for security, I don't know what to tell you. It will never happen. What you'll get is every person with experience hacking into systems telling you this though.

A double blind test wouldn't really make sense. This isn't a pill. It's attacking an operating system.

The fact is that on Windows 8 you need to expose more vulnerabilities for RCE.

Edited by enxz, 01 August 2013 - 02:52 PM.
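Added example, not code from any post in this thread and not Microsoft's /GS implementation: a modelled stack frame that shows the mechanism enxz describes. A cookie is placed between the local buffer and the saved return address, so a linear overflow has to overwrite the cookie before it can reach the return address, and the function's epilogue checks the cookie and refuses to return if it changed. The frame layout, the cookie derivation from a constructed seed and the placeholder return value are all assumptions made for the demo; the only thing the unsafe copy is bounded by is the frame itself, purely so the program stays within its own memory while illustrating the corruption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled stack frame (constructed). A /GS-style cookie sits between the local
 * buffer and the saved return address, so a linear overflow runs through the
 * cookie first. There is no padding: 16 + 4 + 4 = 24 bytes. */
typedef struct {
    char     buf[16];
    uint32_t cookie;          /* copy of the per-process secret           */
    uint32_t saved_return;    /* stand-in for the saved return address    */
} Frame;

static uint32_t g_security_cookie;   /* per-process secret (like __security_cookie) */

/* Install the process cookie. A real runtime draws it from OS randomness at
 * startup; the seed here is a constructed value so the demo is deterministic. */
void set_security_cookie(uint32_t seed) {
    g_security_cookie = seed ^ 0x5BD1E995u;
}

/* Unsafe pattern with the mitigation in place: the copy has no length check,
 * so oversized input flows buf -> cookie -> saved_return. The copy is capped at
 * the frame size only so the demo never writes outside its own object.
 * Returns 0 if the function would return normally, 1 if the cookie check
 * fails, i.e. the runtime would abort instead of returning through the
 * overwritten address. */
int copy_unchecked_with_canary(const unsigned char *src, size_t len) {
    Frame f;
    memset(&f, 0, sizeof f);
    f.cookie = g_security_cookie;
    f.saved_return = 0x7C801AD9u;          /* constructed placeholder value */
    size_t n = len < sizeof f ? len : sizeof f;
    memcpy(&f, src, n);                    /* the overflow */
    if (f.cookie != g_security_cookie) {
        return 1;                          /* __report_gsfailure-style abort */
    }
    return 0;                              /* cookie intact, return is safe */
}

/* Hardened pattern: validate the length before the copy, so the cookie never
 * has to trip. Returns 0 on success, -1 if the input does not fit. */
int copy_bounded(const unsigned char *src, size_t len, char out[16]) {
    if (len > 16) return -1;
    memcpy(out, src, len);
    return 0;
}

/* Chance that one guess at the cookie succeeds for a given amount of entropy;
 * the attacker gets exactly one try because a miss aborts the process. */
double single_guess_success(int entropy_bits) {
    return 1.0 / (double)((uint64_t)1 << entropy_bits);
}

int main(void) {
    unsigned char small[10], big[24];
    char out[16];
    memset(small, 'A', sizeof small);      /* constructed inputs */
    memset(big, 'A', sizeof big);
    set_security_cookie(0x1234u);
    printf("10 bytes into buf[16]: canary tripped=%d\n",
           copy_unchecked_with_canary(small, sizeof small));
    printf("24 bytes into buf[16]: canary tripped=%d\n",
           copy_unchecked_with_canary(big, sizeof big));
    printf("bounded copy of 24 bytes: rc=%d\n", copy_bounded(big, sizeof big, out));
    printf("one-shot guess, 1 bit: %.3f, 8 bits: %.5f\n",
           single_guess_success(1), single_guess_success(8));
    return 0;
}
```

The cookie check turns a silent control-flow hijack into a crash, which is exactly why the entropy of the cookie matters: with 1 bit the single guess succeeds half the time, with 8 bits about 0.4% of the time, and a crash is also something a defender sees in the event log. The bounded copy is the actual fix; the canary is the safety net for the code nobody audited.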


#47
dencorso

> There is no objective measure of security. People don't even agree on how to define whether a system is secure or not, or if it's even possible. But if you know how attacks work, and how defense works, it should be very obvious that Windows 8 is more secure. If you think anyone in this world is going to post a meaningful benchmark for security, I don't know what to tell you. It will never happen. What you'll get is every person with experience hacking into systems telling you this though.
>
> A double blind test wouldn't really make sense. This isn't a pill. It's attacking an operating system.

Take 200 pairs of machines, of many models and makes, but each pair consisting of identical hardware. Deploy in one Win 8 and in the other Win XP SP3. Put each machine alone behind a router and have exactly half the routers have the firewall active and half have it fully deactivated (but don't tell the actual users which is which). Disperse the pairs around the world. Run that setup at least six months and each time an infection/invasion happens, tally it, use ATA format and redeploy its OS again from the master image. Treat all that raw data with good robust statistics and come back with facts. Without that (or something like it), all you have is theory and opinion. Opinion, any one is entitled to hold any, but they are a hard sell. Now, in many instances, when the models are mature, in theory, there's no difference between theory and practice, but in practice that's not necessarily so.

#48
enxz

Right, but in that test you're defining security as whether a machine will get attacked, and then stating that there's a correlation between the operating system and whether it will be attacked.

That's a faulty premise. What if I leave a vulnerable XP box directly connected to the internet, running a vulnerable Apache service that would take 5 seconds to exploit, and it never gets exploited. Is that machine secure? Well, it was never attacked... so is that what security is?

You're also not exposing the system. Again, users don't just get attacked by connecting to the internet. Your test would make more sense if those systems connected to various exploit pages as well as sitting on the internet. But...

By that logic you can just run the oldest operating system with the least market share and you'll be "secure" because no one will care to attack you.

So essentially you're defining security by an attacker's will to attack you and not by their ability to attack you. I think that's a faulty definition of security.

Like I said, there is no objective measure, and people don't even agree on what security means.

But with a technical understanding of how machines are compromised, how attacks work (both from a business standpoint and the actual creation of exploits), and how defenses work, it becomes very clear which systems are secure and which aren't.



#49
dencorso

Theoretical knowledge tells you how things ought to be. Statistics tell you how things used to be.

 

BTW:

 



#50
enxz

Any logical view of operating system security should show that Windows XP is less secure than 8.





