5/28/2014
12:55 PM

Microsoft: Ignore Unofficial XP Update Workaround

A small change to the Windows XP Registry allows users to receive security updates for another five years. Yet the tweak could create other security and functionality issues for XP holdouts.

An unofficial workaround for installing updates to the 13-year-old Windows XP operating system was released this week, but Microsoft and some security experts are telling users to forget the workaround, forget XP, and upgrade to a new OS.

After planning to cut off support for XP many times over many years, Microsoft finally officially ended all support for XP on April 8 (though it further enabled XP addicts by releasing another security patch three weeks later). On Monday, Wayne Williams of BetaNews wrote about a workaround that could allow XP users to continue getting updates for five years.

The hack is simply a "tweak" to the XP Registry that tricks Windows Update into thinking that XP is actually Windows Embedded POSReady 2009 (WEPOS), which Microsoft will support until 2019. WEPOS is built specifically for point-of-sale computers, but it is similar enough to XP that some of the security updates for WEPOS will also work for XP... kind of.

ZDNet tested and confirmed the hack, as Larry Seltzer wrote Monday. Microsoft later responded to Seltzer's article:

We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.

In addition to potential functionality problems, the hack might cause users to believe they're getting security updates that they're not really getting.

"Users that apply the hack will see patches that are not going to be released for the XP mainstream version, such as an important security update for IE8," says Jerome Segura, senior security researcher for Malwarebytes. "While it may be tempting to use this hack, users should bear in mind that Microsoft did not intend for those upcoming updates to be applied on regular XP. In other words, you are entering into an unfamiliar territory at your own risk."

In most cases, a 13-year software refresh cycle would seem adequate, if not lengthy, to enterprise IT staff. Yet depending on whom you ask, Windows XP still accounts for anywhere from 16% to 26% of desktop OS usage -- second only to Windows 7 -- including both home and business usage.

The people likeliest to use this hack are a relatively small population of XP devotees who feel comfortable making alterations to the OS registry and will continue to use XP on their home computers (for all of eternity, if they can). Yet Segura says home users who are not particularly tech savvy could also make the change to the registry rather easily by downloading an executable that will do it for them.

The bigger concern, though, would be if this workaround were implemented by IT staff at companies still running XP on their corporate PCs. Segura says this is unlikely. "Typically IT departments are very careful or sometimes reluctant to deploy even official patches." Some pros are wary of OS updates, because of the risks of productivity or compatibility problems. "I highly doubt they would apply this hack. It would be very irresponsible, because they should know better."

Steve Hultquist, CIO and vice president of customer success at RedSeal Networks, says, "Looking backwards at technology that feels comfortable" is the fundamental issue. "Windows XP was released to manufacturing in August, 2001, when a T1 (1.5 Mbit/s) was considered 'high speed,' and technology has accelerated rapidly in the past 15 years. Similarly, it's simpler to focus on the historically understood aspects of security such as firewalls, but the complexity of the Internet and enterprise networks mean that you must have systems to analyze your overall, end-to-end network to know what you have and know the potential for attack."

His advice: "Don't compromise. Use the current tools to stay safe and get the job done effectively."

Hultquist and Segura agree with Microsoft that the wise move is to skip the hack and upgrade instead.

"Without trusted authentication, there is always a way for anything or anyone to masquerade as another on the Internet, and this hack simply does that," says Hultquist. "While it is interesting on its surface, Microsoft's warning is accurate: Systems that use this hack will receive updates not intended for Windows XP and may actually damage the system."

Segura says that the hack "is interesting, and certainly people will try it out for fun." However, "it should not be considered a viable option for businesses or consumers. Instead, you should plan on migrating to a newer, and supported, platform."

That said, Segura admits that he still runs XP himself, but he runs it inside a virtual machine. He will use the Windows Update hack himself, for research purposes, to see if it will be stable.

He also says that there are plenty of legitimate reasons for people to continue using XP. It is a smaller OS than its younger siblings, so a new OS could significantly hamper productivity unless you get new hardware, as well. Places where there is heavy use of secondhand computers are even less likely to invest in an upgrade. Also, many applications (productivity software, games, device drivers) that are compatible with XP may not be compatible with newer operating systems.

Microsoft could take action to stop this hack from working. There are other ways to tell whether a machine is really running a point-of-sale system or just pretending to, so Microsoft could change Windows Update to perform those checks.
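The concern raised above (and earlier by Segura) is that a tweaked XP machine reports itself as patched while receiving updates Microsoft never tested against XP. The following PowerShell audit script is an added example, not code from the article or from Microsoft. It works from an administrator's workstation, queries each host over WMI, and flags any machine that identifies itself as Windows XP yet lists hotfixes installed after the April 8, 2014 end-of-support date (plus a grace window for the one extra patch the article mentions). The host names are placeholders, and remote WMI access with suitable credentials is assumed.

```powershell
# Added example (not from the article): find XP hosts in a fleet that carry
# hotfixes installed after Microsoft's XP end-of-support date (8 April 2014).
# Such hotfixes were most likely delivered via the Windows Update "POSReady"
# workaround and were never tested against XP.
# Assumptions: remote WMI (RPC/DCOM) access to each host, admin credentials,
# PowerShell 2.0 or later on the auditing workstation. Host names are placeholders.
param(
    [string[]]$ComputerName = @('XP-HOST-01', 'XP-HOST-02'),   # placeholder names
    [datetime]$EndOfSupport = [datetime]'2014-04-08',          # date stated in the article
    [int]$GraceDays = 30   # the article notes one more XP patch about three weeks after EOS
)

$cutoff = $EndOfSupport.AddDays($GraceDays)

function Convert-QfeDate {
    param([string]$Raw)
    # XP reports Win32_QuickFixEngineering.InstalledOn as a string in inconsistent
    # formats (and sometimes empty); try the common ones before giving up.
    if ([string]::IsNullOrEmpty($Raw)) { return $null }
    $culture = [Globalization.CultureInfo]::InvariantCulture
    foreach ($fmt in 'M/d/yyyy', 'MM/dd/yyyy', 'yyyy-MM-dd', 'yyyyMMdd') {
        try { return [datetime]::ParseExact($Raw, $fmt, $culture) } catch { }
    }
    try { return [datetime]$Raw } catch { return $null }
}

$report = foreach ($computer in $ComputerName) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "$computer unreachable: $($_.Exception.Message)"
        continue
    }
    # Only hosts that identify themselves as XP are in scope for this check.
    if ($os.Caption -notmatch 'Windows XP') { continue }

    $late = @()
    $qfes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer
    foreach ($q in $qfes) {
        $installed = Convert-QfeDate $q.InstalledOn
        if ($installed -and $installed -gt $cutoff) { $late += $q.HotFixID }
    }

    New-Object PSObject -Property @{
        Host            = $computer
        OS              = $os.Caption
        ServicePack     = $os.CSDVersion
        Version         = $os.Version
        PostEosHotfixes = ($late -join ',')
        Suspicious      = ($late.Count -gt 0)
    }
}

# Suspicious hosts first: these are the machines that believe they are patched
# but are running updates built for a different product.
$report | Sort-Object Suspicious -Descending |
    Format-Table Host, OS, ServicePack, Version, Suspicious, PostEosHotfixes -AutoSize
```

The script relies on install dates rather than on the registry marker the workaround sets, so it also catches machines where the marker was removed after the updates were applied. Hosts whose `InstalledOn` values are blank (common on XP) will not be flagged by this signal alone and should be reviewed by hand.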

"If Microsoft goes that route, there's going to be a strong negative reaction," says Segura. If Microsoft is ever going to persuade XP devotees to upgrade willingly, it will need help. Only when application developers and companies like Google and Amazon stop providing their services to XP users will there be a significant change.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
whs87,
User Rank: Apprentice
6/1/2014 | 1:46:29 PM
Other means
I assume most software vendors who have to keep supporting their code for XP do so for some legitimate reasons, like their software is part of a bigger system or maybe they spend their programming resources already on something else. Why redesign a perfectly working system just to switch the OS?

In many such cases it might be sufficient to tamper-proof the software. One tool for tamper proofing real Win32 machine code has just reached alpha state, see my startup company White Hawk Software, or my blog entry on this subject.
RyanSepe,
User Rank: Ninja
5/31/2014 | 7:31:29 PM
Staying on XP
For XP die hards there are some things that might help from an enterprise perspective.

1) If you have an IPS, there lies the ability to "soft patch" machines. Vulnerabilities specific to XP picked up by anomaly and mitigated. If initially the malware subverts your IPS hopefully you have an IDS complement to detect post intrusion before any major detriment.

2) Incorporate CSP on a client last server scale. By doing so you essentially harden the systems similar to patching.

3) Pull your systems off the internet if feasible. If you can perform a majority of work internally without external help, then pull the network from the hands of the internet. If you need internet capabilities on a small scale, purchase PCs with a new OS like 7/8/Linux; you can segment your network into a safe internal with only a subnet touching the internet. This follows a VLAN segmentation type principle. Any questions or thoughts?
anon3493590510,
User Rank: Apprentice
5/29/2014 | 9:59:37 PM
Re: ATMs are at big risk
There is this misguided belief that everyone who declines to upgrade to windows 8.1 is doing so because they are lazy, unwilling to change or just stupid.

There is however a significant reason to avoid this upgrade that is considered and responsible.

Windows 8.1 is inherently designed to be both massively intrusive of its users' privacy and dramatically more populated with vectors for compromise, despite the wise ones' counsel that it is much more secure.

Every aspect of 8.1 is exposed to the internet and almost every feature and function invokes a remote call to some Microsoft server for reasons entirely unrelated to the functionality being invoked.

It is intrusive by design. Heck, in their pitch to us to use it as our "enterprise platform" they were quite giddy with the reach of the new OS such as the ability to remotely change or delete files on employees home computers. This is an enterprise feature to be much prized in the case of employees being dismissed or investigated. Failing to recognize of course that the management team are all also "employees" who would be subject to the same "modern security."

The OS aggressively pushes users to open more vectors of attack by using every means short of a personal visit to cause the user to create and use a Microsoft cloud account to simply log in to their local desktop rather than private local credentials.

Moreover, the Windows Firewall is all but compulsory since updates and other essential features will not work if it is disabled -- even if there is a recognized third-party firewall installed. The trick is that Windows Firewall, of course, is designed with holes all over the place to accommodate Microsoft penetration of the system.

And Boo! Have you actually read the Privacy Policy that is compulsory with Windows 8? It should be scary since it gives Microsoft carte blanche over everything on your computer.

Sure, committed users can soldier through the strong arm tactics to use cloud credentials and sure IT staff can find all the necessary procedures and tricks to plug the holes and properly secure the system. And sure MS declares it has no ill intent with all of its self-serving Terms and Privacy policies -- except if they suspect your machine is used in a manner contrary to the "interests of Microsoft."

And yes, there is no current evidence that all these vectors are being exploited.

But why should anyone have to fight to use their own property? Why should anyone, particularly businesses, accept that everything they do is subject to Microsoft's terms and Microsoft's interests? And why should any vectors be opened if the associated functionality is not of interest to the potential victim?

It is much easier to secure an unpatchable XP network than it is to cope with all the malice contained in an operating system that is by design an internet/Microsoft cloud platform.

I would have expected a service such as DarkReading to take a more serious and critical look at the dark side of upgrading. And those who are sufficiently interested to use the content to have an equally critical mind.

Rather than the mantra of the day, "upgrade already, upgrade already, ohmmm."
eric1972,
User Rank: Apprentice
5/29/2014 | 11:50:25 AM
Old Computers An Issue
I've got friends and family members who are still using XP. It isn't necessarily because they are familiar with XP, but because they have an old computer. By "old" I mean something over five years in age. Most computers that the public were buying even five years ago were only capable of 2GB of RAM. You can't upgrade from XP to Win7 if you only have 2GB of RAM or less because the recommended amount is 4GB. So the issue is not just about having to buy a new OS, but also having to buy a new computer and get used to that as well. Not everybody has an extra few hundred bucks to throw at a new computer and OS nor the time or patience to change to a different setup. This isn't just the case with older people, but even those of us in our 20s. Most new computers only come with Win8 anyway, which is ridiculous. Some computer companies like HP actually charge you extra to have a new computer installed with Win7 while Win8/Win8.1 is included for free.
GonzSTL,
User Rank: Ninja
5/29/2014 | 11:23:26 AM
XP Update Workaround
Human behavior suggests that people will take the path of least resistance, so a lot of them will employ the trick. The hack itself is trivial - I tried it this weekend on an XP machine and it appeared to work, even patching IE8. But as others have mentioned, it is a false sense of security; for example:
  • This procedure only works for the 32-bit versions of XP
  • There is a possibility that some applications intended for the full version of XP may be adversely affected by the patch (which is really no different from any other patch potential side effect), which may render the OS or the application unstable
  • Applications such as Office for XP will not be patched

It is common, even in these days of well publicized breaches, for people to be complacent regarding IT security. The presence of this trick will just enable that behavior.

Pablo Valerio,
User Rank: Apprentice
5/29/2014 | 4:54:05 AM
ATMs are at big risk
It was reported that at the end of January 2014 95% of ATMs in the US were still using XP. I don't think the numbers have declined significantly since.

If any sector is really taking chances with XP, it is the banking industry. The US still has little penetration of EMV security for credit and debit cards, and the opportunity to hack the OS in ATMs to read the card information is very real.

I have to confess that I still use XP in one machine, which I downgraded from Vista five years ago. I use that machine only with Google Drive and Chrome browser and I never install any new software. My other computer now is a Chromebook.

My European cards are all EMV secure and I avoid using my American cards on ATMs.
Bprince,
User Rank: Ninja
5/28/2014 | 7:14:05 PM
Re: Upgrade from XP!
I agree Rob. Just bite the bullet already. :) Microsoft has a tool called the Upgrade Advisor that you can use to see if you can upgrade your current PC to Windows 8.1. You can download it here: http://windows.microsoft.com/en-us/windows/end-support-help

BP
Robert McDougal,
User Rank: Ninja
5/28/2014 | 4:36:38 PM
Upgrade from XP!
I think it is worth restating that this patch is not a valid security fix. Applying this fix will only serve to give you a false sense of security. If at all possible please upgrade to at least Windows 7.