Comments
Microsoft: Ignore Unofficial XP Update Workaround
Robert McDougal
User Rank: Ninja
5/28/2014 | 4:36:38 PM
Upgrade from XP!
I think it is worth restating that this patch is not a valid security fix. Applying this fix will only serve to give you a false sense of security. If at all possible please upgrade to at least Windows 7.
Bprince
User Rank: Ninja
5/28/2014 | 7:14:05 PM
Re: Upgrade from XP!
I agree Rob. Just bite the bullet already. :) Microsoft has a tool called the Upgrade Advisor that you can use to see if you can upgrade your current PC to Windows 8.1. You can download it here: http://windows.microsoft.com/en-us/windows/end-support-help

BP
Pablo Valerio
User Rank: Strategist
5/29/2014 | 4:54:05 AM
ATMs are at big risk
It was reported that at the end of January 2014 95% of ATMs in the US were still using XP. I don't think the numbers have declined significantly since.

If any sector is really taking chances with XP, it is the banking industry. The US still has little penetration of EMV security for credit and debit cards and the opportunity to hack the OS in ATMs to read the card information is very real.

I have to confess that I still use XP in one machine, which I downgraded from Vista five years ago. I use that machine only with Google Drive and Chrome browser and I never install any new software. My other computer now is a Chromebook.

My European cards are all EMV secure and I avoid using my American cards on ATMs.
anon3493590510
User Rank: Apprentice
5/29/2014 | 9:59:37 PM
Re: ATMs are at big risk
There is this misguided belief that everyone who declines to upgrade to Windows 8.1 is doing so because they are lazy, unwilling to change or just stupid.

There is however a significant reason to avoid this upgrade that is considered and responsible.

Windows 8.1 is inherently designed to be both massively intrusive of its users' privacy and dramatically more populated with vectors for compromise, despite the wise ones' counsel that it is much more secure.

Every aspect of 8.1 is exposed to the internet and almost every feature and function invokes a remote call to some Microsoft server for reasons entirely unrelated to the functionality being invoked.

It is intrusive by design. Heck, in their pitch to us to use it as our "enterprise platform" they were quite giddy with the reach of the new OS such as the ability to remotely change or delete files on employees' home computers. This is an enterprise feature to be much prized in the case of employees being dismissed or investigated. Failing to recognize of course that the management team are all also "employees" who would be subject to the same "modern security."

The OS aggressively pushes users to open more vectors of attack by using every means short of a personal visit to cause the user to create and use a Microsoft cloud account to simply log in to their local desktop rather than private local credentials.

Moreover, the Windows Firewall is all but compulsory since updates and other essential features will not work if it is disabled -- even if there is a recognized third-party firewall installed. The trick is that Windows Firewall, of course, is designed with holes all over the place to accommodate Microsoft penetration of the system.



And Boo! Have you actually read the Privacy Policy that is compulsory with Windows 8? It should be scary since it gives Microsoft carte blanche over everything on your computer.

Sure, committed users can soldier through the strong arm tactics to use cloud credentials and sure IT staff can find all the necessary procedures and tricks to plug the holes and properly secure the system. And sure MS declares it has no ill intent with all of its self-serving Terms and Privacy policies -- except if they suspect your machine is used in a manner contrary to the "interests of Microsoft."

And yes, there is no current evidence that all these vectors are being exploited.


But why should anyone have to fight to use their own property? Why should anyone, particularly businesses, accept that everything they do is subject to Microsoft's terms and Microsoft's interests? And why should any vectors be opened if the associated functionality is not of interest to the potential victim?

It is much easier to secure an unpatchable XP network than it is to cope with all the malice contained in an operating system that is by design an internet/Microsoft cloud platform.

I would have expected a service such as DarkReading to take a more serious and critical look at the dark side of upgrading. And those who are sufficiently interested to use the content to have an equally critical mind.

Rather than the mantra of the day, "upgrade already, upgrade already, ohmmm."
GonzSTL
User Rank: Ninja
5/29/2014 | 11:23:26 AM
XP Update Workaround
Human behavior suggests that people will take the path of least resistance, so a lot of them will employ the trick. The hack itself is trivial - I tried it this weekend on an XP machine and it appeared to work, even patching IE8. But as others have mentioned, it is a false sense of security; for example:
  • This procedure only works for the 32-bit versions of XP
  • There is a possibility that some applications intended for the full version of XP may be adversely affected by the patch (which is really no different from any other patch potential side effect), which may render the OS or the application unstable
  • Applications such as Office for XP will not be patched

It is common, even in these days of well-publicized breaches, for people to be complacent regarding IT security. The presence of this trick will just enable that behavior.
eric1972
User Rank: Apprentice
5/29/2014 | 11:50:25 AM
Old Computers An Issue
I've got friends and family members who are still using XP. It isn't necessarily because they are familiar with XP, but because they have an old computer. By "old" I mean something over five years in age. Most computers that the public were buying even five years ago were only capable of 2GB of RAM. You can't upgrade from XP to Win7 if you only have 2GB of RAM or less because the recommended amount is 4GB. So the issue is not just about having to buy a new OS, but also having to buy a new computer and get used to that as well. Not everybody has an extra few hundred bucks to throw at a new computer and OS nor the time or patience to change to a different setup. This isn't just the case with older people, but even those of us in our 20s. Most new computers only come with Win8 anyway, which is ridiculous. Some computer companies like HP actually charge you extra to have a new computer installed with Win7 while Win8/Win8.1 is included for free.
RyanSepe
User Rank: Ninja
5/31/2014 | 7:31:29 PM
Staying on XP
For XP die-hards there are some things that might help from an enterprise perspective.

1) If you have an IPS, there lies the ability to "soft patch" machines. Vulnerabilities specific to XP picked up by anomaly and mitigated. If initially the malware subverts your IPS hopefully you have an IDS complement to detect post intrusion before any major detriment.

2) Incorporate CSP on a client last server scale. By doing so you essentially harden the systems similar to patching.

3) Pull your systems off the internet if feasible. If you can perform a majority of work internally without external help, then pull the network from the hands of the internet. If you need internet capabilities on a small scale, purchase PCs with a new OS like 7/8/Linux; you can segment your network into a safe internal with only a subnet touching the internet. This follows a VLAN segmentation type principle. Any questions or thoughts?
whs87
User Rank: Apprentice
6/1/2014 | 1:46:29 PM
Other means
I assume most software vendors who have to keep supporting their code for XP do so for some legitimate reasons, like their software is part of a bigger system or maybe they spend their programming resources already on something else. Why redesign a perfectly working system just to switch the OS?

In many such cases it might be sufficient to tamper-proof the software. One tool for tamper proofing real Win32 machine code has just reached alpha state, see my startup company White Hawk Software, or my blog entry on this subject.

