Windows XP is dead, long live Windows XP

Discussion in 'other software & services' started by Mrkvonic, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    New thread, same old repeating subject. The end of XP support won't be doomsday any more than it was for any other version of Windows.
     
  2. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    Agreed.
    In less than a year, the end of mainstream support for Windows 7 will evoke much the same frenzy.
     
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @noone_particular

    I know. I'm bored too. It's an old topic but rehashed so many times because every time an OS gets EOL, the users of older OS think they are secure regardless of all the explanation given. You can provide all the evidence to the contrary and they still call it scaremongering. They "default-deny" all the logic and go back to the same rhetoric "it doesn't matter".

    If it doesn't matter, why the hell talk about it? It matters but people choose to stick to their beloved OS, come up with self-assuring excuses and live in denial.

    @wtsinnc

    Win7 Mainstream until 2015. Win7 Extended Support until 2020.

    So, no. Win7 users still have 6 years left for security updates.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Pointing out the insecurities or design shortcomings of an older OS doesn't make the supported OS secure. They all have their own unique strengths and weaknesses. Patch Guard, DEP, ASLR, SRP, and the rest of their alphabet soup mitigations all have vulnerabilities of their own, some of which didn't exist on the earlier operating systems. It's one thing to point out that future vulnerabilities won't be patched. When the end of official support starts being equated with doomsday, hacker heaven, and every other exaggeration they can come up with, it becomes little better than noise pollution, especially when the primary motive is to get users to purchase the newest version and hardware that can run it.
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The point of the "porn and wares" comment is not that they are the main vectors of malware but that security is as much a product of behavior and awareness as technology.

    Porn works as a malware vector because it is psychologically distracting--addictive behavior. It makes someone under its influence more likely to say yes to a prompt to see more of it even if it allows the installation of a piece of malware. Wares are dangerous because they are software modified by third parties for less than altruistic motives and someone skillful enough to modify the code in a compiled binary that enforces a software license is skillful enough to inject malicious code into that binary. There are many more ways than porn or wares to be infected by malware but they are tried and true and effective means.

    There are many technological approaches to security but none of them can completely compensate for a lack of awareness or poor judgment on the part of a user. XP has more than enough resources to remain secure in the hands of a skillful user. The doomsday avalanche is just hype. What is more likely to happen is a slow trickle that will be not huge statistically and strike the lowest hanging fruit--the easiest systems to target that have security issues way beyond using a system with unpatched vulnerabilities.
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Since when did anyone comparing a supported OS vs an unsupported one claim it makes the former secure? The point is the former has better architecture and unlike the latter, there is a chance to fix the code. Either you see the difference or you don't.

    As for doomsday, what do you expect them to say? Calling it doomsday and putting up explanation, charts, detailed comparison and yet people don't get it. Sugarcoating it with "don't worry, you will be fine" is irresponsible and would even make things worse.

    Why doomed? A weak kernel with no updates, no ASLR, etc etc. If you even have the slightest clue of what problems defenders face without these, you would call it the same thing. Microsoft may have a vested interest but security researchers with no interest in your money are not idiots. We have plenty of such discussions before. Read up on reports instead of repeating how secure you can make an OS like Win98 or XP. You can minimize the risk through hardening your perimeter but that is more luck and obscurity than anything else. Your underlying OS is still insecure with no chance of fighting. Your classical HIPS and all sorts of security software (AV, Sandboxes, LV, etc) you use is still dependent on the kernel. Your browser and whatever it renders (font, images) run on top of the OS. A flaw there is all it takes.

    Default-deny policy is effective only for payloads that touch the disk (provided it doesn't unhook your security software, which it can, because it's running on the same desktop and same rights). No protection in memory address space. Nada. Look up "in-memory malware". Look up "DLL hijacking."

    What was fine a few years back is not enough for today's threat landscape.
    DEP (aka NX) was a default-deny mitigation on XP. Researchers found that it wasn't enough. Pax came up with ASLR and any decent modern OS adopted it. Now, there's HEASLR and SMEP, etc etc. Mitigation techniques that make use of hardware features.
    The attackers are moving forward and so should the defenders. Stop living in the past and then underestimate how much changes in OS security have been made. Perfect? Nope but there has been a lot of progress.

    As for "noise pollution"...it is those people who have no slightest clue of what they are talking about and overestimating their abilities. Noise pollution is when people call MS "greedy" when an OS has freaking 10 years of support (and in the case of XP, extended by 2-3 years). Noise pollution is when one that chooses to run an unsupported OS refuses to acknowledge the risk and live in "lala land".
     
    Last edited: Apr 17, 2014
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    As always, the thread spun out into an entirely security discussion. That's secondary.

    Now, a few things to point out: No contradiction between emet doing a great job and aslr on its own being an overrated term. EMET is a good product because it does not distinguish between good or bad software, just good or bad coding policies. It virtually takes no resources save for a preloaded shared lib, and there you go. Any one specific mitigation is not magic. Look at the recent heartbleed thingie, bad variable checking and a self-made implementation of malloc and free. Meh.

    Using xp or not is not about security. It's about money and convenience. That's the point.
    Can you run a browser? Can you watch online stuff?
    Security, okay fine ... move on.

    I do not refuse to acknowledge the "risk". I am aware of it. It's just that I don't make it a big deal as some.

    Mitigations and os architecture mean nothing - if you look at all the "malware" reports by companies that make MONEY off it, then malware is constantly on the rise, which means that all the advancement in os architecture and whatnot means diddly squat. Either you believe them or not. But that's a contradiction right there. Which only proves it's all about money and nothing else. Either microsoft has it right, or anti-malware companies. Or they are both full of crap.

    So which one is it?

    Is win 7/8 more secure so to speak? No, according to security companies.
    Great, then it means the technology is pointless, and it's all about the user. Bingo.
    So the security becomes a non-issue, because it is a CONSTANT, and we can focus on everything else.

    Moreover:

    0% of all security company blogs mention emet other than a passing line. Why? It doesn't give them money.
    0% of all security blogs mention surun or limited account as a way of using Windows. Why? No money in that.
    Linux uses the concept of a limited account. Does it work well? Yes. Very much so.

    So, if you connect the dots, you get the bayeux tapestry of scaremongering.

    Therefore, I acknowledge the risk. It is not what the security companies want me to believe.
    I do this with proper knowledge and understanding of what is happening.
    No lala landing.

    And so, the important thing is:
    Can an XP user
    Who cannot/does not want to upgrade
    For whatever reason
    Continue
    To use this
    Operating system
    Past its EOL date
    To enjoy their
    Donkey
    Pr0n
    At their
    Convenience?

    And this is what the whole experiment is all about.

    Mrk
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @mrk

    Well, there are so many things wrong in your post.

    1. You mentioned it's not about security. Yet, it is about security..otherwise you wouldn't include LUA, SuRun and EMET in your article. If you want to talk about cost and convenience only, then you should have done so.

    2. No contradiction? Then you are explaining to me how EMET works? Ermmm....

    ASLR doesn't differentiate between good and bad code. That's what AV does. ASLR randomizes position of data in a process address space.

    As to how important it is...here's one:

    http://blogs.technet.com/b/srd/archive/2014/03/12/when-aslr-makes-the-difference.aspx

    What has magic got to do with anything?

    3. Malware reports by vendors?

    Malware on the rise is true.
    OS architecture improve is true.
    There's no contradiction.

    Did you make any differentiation between malware through social engineering vs exploitation?

    Have you not read how the latest Windows is a few times more secure than XP?

    Go to Eset's WeLiveSecurity blog. They have a few articles and pdf that explain how Win8 is more secure than XP.

    4. LUA. PrevX has an article on it. User-mode malware can run within LUA.

    You have high regards for LUA and claim ASLR is overrated. Joke of the day.

    5. Duh. XP EOL doesn't kill the OS. You can do what you want with it. Plenty of things other than watching donkey pron.

    You want experiment? Go to RyanVM and WinCert forum.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I have been one of the most outspoken supporters of XP over time. And I've had good, constructive exchanges with Hungry in the past that never turned heated. I don't want to pretend to know what others are thinking, but I never, ever recommended that other people follow my example and stick with XP past its EOL, because I don't believe it's good advice to the average user, and even irresponsible. And that "may" be why you're facing more heat than I did.

    I believe your assumptions/figures are a bit unrealistic. Most people have never even heard of SuRun or EMET, let alone are using them. Most of them are using nothing but the Windows built-in inbound firewall and a free AV... and not much else. Have a few shady "toolbars" installed into their browsers that can lead them to questionable/rogue "sponsored" sites. Are not using LUA's. May even disable the updates for their AV's because the prompts irritate them when they're trying to view their porn sites... if not the resident protection altogether because it keeps throwing up prompts. Don't use outbound FW's, HIPS, etc... for the same reasons. And boy are they ever looking at porn too. Between that, updating their Facebook status/walls, and checking email, they know nothing else about computers whatsoever. This, unfortunately, is the "average user" (to my experience). And these people should be encouraged to use an OS that is more secure out of the box and still being supported/patched.

    Just my 2 cents...
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Safeguy, I'm beginning to feel we won't ever see the end of it.

    1. I did include security for the sake of it, and did a spin on it that is different than the usual clout.
    2. The focus is not on specific mitigations - it is how the tool works. That's what makes it cool. Not the memory management 101.
    3. There is a clear contradiction. If malware is on the rise regardless of the os changes, then the changes do not affect malware. Simple.
    4. LUA is not about malware. It's about separation of duties. LUA is about not allowing system configuration changes to anyone.
    5. What happens at those other forums?

    Mrk
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It definitely never ends. This reminds me too much of the current entertainment industry, remaking the same movies, using the same plots over and over. Sorry, I've seen this movie too many times before. It wasn't any good the first time and it's no better now. I'm still waiting to see one of the earlier doomsday scenarios happen, the ones that were inevitable for the 98, ME, and 2K users. Saw lots of false alarms, a lot of exaggerations, and several blatant lies. It doesn't matter that XP has a much larger user base than the earlier systems. That logic will be reused with every OS that wasn't a total sales failure from here forward. They'll all be more popular than their predecessor eventually, save Vista and possibly Win 8 for the simple fact that there's more computers on more types of hardware. I'm still waiting to see real world code that will magically teleport past my attack surface, disable my defenses, and run who knows what, not some locally executed metasploit that's already on my system. When I see it, then I'll worry about "upgrading" the OS.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    XP is fine on old hardware.

    unfortunately, it is too old for newer machines.
    SSDs will only work in IDE mode, not the newer AHCI mode.
    it's only limited to 2 CPUs. etc...
    if it was up to some folks we would still have black and white TVs. lol

    not to mention lots of newer software won't even install under XP.

    anyway, in view of Microsoft terminating support for XP people would be much better running Ubuntu, Linux Mint or some other Linux distro if their computer is up to it.
    if they need to absolutely run some Windows software then dual booting would be a solution,
    using Linux to surf the web and disconnect XP from the net entirely.
     
  13. guest

    guest Guest

    I don't think it's completely true. I agree if we were talking about games, but most (all?) software other than that category will still support XP, especially the paid ones. XP is too delicious of a cake to be ignored and left behind.
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I wonder how many XP fans here have considered that XP uses outdated encryption and networking libraries, which probably lead to increased risk of successful MITM attacks... Seriously, you do not need to compromise someone's whole OS to spy on them and steal information. I've seen pure browser attacks, in the wild, that work very effectively under Linux; and on popular websites at that.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yep, from what I've heard and seen, there are many ways to hack a system which have nothing to do with the OS in place...
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Given some of the recent revelations, I have to wonder if the newer encryption libraries are any more secure or if they may be worse than the earlier versions. Either way, I wouldn't trust Windows libraries with any encryption that I considered important.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sometimes the issue is the other way around. I had an XP machine that was near retirement, when the graphics card failed. No problem, get a new card, but, all the software that came with it which was important to me, wouldn't run on XP, you need Win 7 or better, so there does come a point when hardware breaking can force your hand.
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,911
    Location:
    Texas
    A couple of posts removed. Do not post private messages without the sender's approval.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    This possibility is always true since there is no way to completely prove the system is clean. I feel a better way to look at it is if there is no perceivable infection/compromise, eg the system works normally, my financial accounts haven't been compromised, my credit score is intact, my identity hasn't been stolen, etc, then for "all intents and purposes" there's no problem. History has shown that when computers are hacked/exploited there eventually are perceivable effects. The hackers act in some way which inevitably leads to discovery. If hackers or whomever didn't act what would be in it for them and why should I care?

    The latest OS is potentially safer by virtue of the fact that all previously known exploits (should) have been addressed. All of the old attack vectors no longer work and only the new ones need to be dealt with - less is better :) . An older OS is typically vulnerable to both the old and new attacks.
     
  20. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    right you are m8! :thumb:

    i know my computer is clean just by looking at my bank statement.
    if my money's still there, i'm good. lol :argh:
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  22. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I agree. Even if we sum them up we get only 12,7%, which is only half of Windows XP share.
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
  25. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
    Very true, I still keep a WIN2K cake for snacking on occasion.:)
     