If you know what you are doing, patches mean squat. Yes, I know, that flies in the face of all things good and true. Convince me otherwise, I guess. I have been slipstreaming in service packs only and maybe a few choice patches for many years now. I used Win7 without a single update. Services are turned off. Until I get hit, I won't worry about it. I never did get hit with XP doing it this way. I would not recommend this. It's just the way I've been doing it, and I have yet to have an issue. I think maybe I am not a typical user and don't go to typical sites. More and more lately I begin to wonder, with the way I do things, why I don't ever have issues. Sul.
There's nothing you can do if an attacker has the right number of vulnerabilities. It's really the policy that means squat if you don't stay patched. The cost of developing an exploit is very high with strong policy, but if the vulnerability is already known it costs far less. This has been proven time and time again. Look at Chrome. That's some really damn strong policy - the renderer is absolutely at the lowest point for Windows that it can be right now. But it can still be broken - all of those attacks weren't one big vulnerability; they chained together multiple vulnerabilities. And if they could use kernel vulnerabilities it would be even easier. It's the reason why grsecurity patches don't support old unpatched kernels - because even if you make use of arguably the best security software, which utilizes multiple forms of process isolation, restriction, and memory techniques designed by the people who created ASLR... if an attacker has known vulnerabilities they don't have to try. My 2 cents on that.
The really sad part of all this is that no version of Windows has ever been developed to anywhere near its potential. It's happened over and over. By the time the bugs are worked out and the OS is running well, MS releases another, drops support for the first, and the cycle begins again. In the meantime they make changes on the new system (file names, renamed system APIs, etc.), often for the sole purpose of making apps and updates incompatible with its predecessor. They add version checking to the installers to prevent the app or update from working on the previous system. They've been doing this since at least the Win 98 days. Quite often the patches they release for the new OS work just fine on the earlier one, after the version checking is removed. Dropping support for a mature OS and allowing it to die in its own time is one thing. MS isn't satisfied with that. MS makes an effort to kill the previous OS. They choose to put users at risk who don't want to buy new operating systems (and the hardware that's needed to run them) at regular intervals. Some call that business; more accurately it's called corporatism. I call it coercion and borderline criminal. Saying that MS is "serious about security" is its own joke. If this is true, why are the best security features only available to those who pay for the top versions of Windows? Say it like it is. Their "improved security" is only available if you pay and keep paying. They definitely don't need to do that to be profitable. They're already a global monopoly, one that should have been broken up long ago. In addition to all the other reasons I won't "upgrade", I'll add this one. I will not pay one cent to a company that views the user's security as a pawn to increase sales and profits.
Posts on the subject of Win98 moved to their own thread: https://www.wilderssecurity.com/showthread.php?t=328816
Are you seriously upset that they're dropping support for an OS that's over a decade old? It's dead. That isn't coercion - it's them accepting that they can't just slap ASLR onto XP. They have an entirely new kernel in the latest operating systems. It's not a matter of just "fixing" XP. And they've made upgrades way cheaper now too. It's 30 dollars to upgrade to Windows 8. If you're not on a computer with a P4/1GB of RAM or greater, it means you haven't bought a computer in about 7 years. I can sympathize with not having a couple hundred dollars to spare, but at that point you need to accept that the technology world isn't going to sit on its hands and wait for you. Because it's a stupid business decision, and AppLocker is only worthwhile in a business anyway. BitLocker should be available for all systems though, which is why it's a stupid decision. But neither of those is as big a deal as adding SEHOP/ASLR. Vista addressed serious concerns. It added a proper MAC system and it added modern memory corruption protections. The MAC system is the biggest difference (arguably), as it solves the incredibly simple way for attackers to escalate privileges on XP - something Microsoft tried to patch but couldn't fix without entirely redesigning the system. The memory corruption methods like SEHOP and ASLR were also a really big deal, as a huge number of exploits used against IE (80%) were directly stopped with SEHOP support, and ASLR only further enforces that. You want to hate Microsoft, which is understandable. It's just getting in the way of your seeing what's there - serious improvements.
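An added example, not a post from this thread: since the post above leans on SEHOP, ASLR and the integrity-level MAC as the reason a current Windows is worth the upgrade, here is a PowerShell check that reports whether those system-wide switches are actually in effect on the machine it runs on. The registry locations are the well-known system-wide switches for SEHOP (DisableExceptionChainValidation) and ASLR (MoveImages); the note that a missing SEHOP value falls back to "on for Server, off for Vista/7 client" is an assumption about OS defaults, and the function names are the example's own.

```powershell
# Added example (not from the thread): report the system-wide state of the
# Vista-era mitigations discussed above. Assumptions are marked inline.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SehopStatus {
    # DisableExceptionChainValidation: 0 = SEHOP on, 1 = SEHOP off, system-wide.
    # Absent = OS default (assumed: on for Server 2008+, off for Vista/7 client).
    $v = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' `
                            'DisableExceptionChainValidation'
    switch ($v) {
        0       { 'enabled' }
        1       { 'DISABLED' }
        default { 'not set (OS default applies)' }
    }
}

function Get-AslrStatus {
    # MoveImages: 1 (default) randomises images linked with /DYNAMICBASE,
    # 0 turns randomisation off, 0xFFFFFFFF (read back as -1 by PowerShell)
    # forces it for every image regardless of the link flag.
    $v = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                            'MoveImages'
    switch ($v) {
        0       { 'DISABLED' }
        1       { 'enabled for /DYNAMICBASE images' }
        -1      { 'forced for all images' }
        default { 'not set (default: enabled for /DYNAMICBASE images)' }
    }
}

function Get-IntegrityLevel {
    # The mandatory integrity label on the current token is the Vista MAC
    # the post refers to. A normal shell reports Medium, an elevated one
    # High, and a sandboxed process such as a browser renderer Low or Untrusted.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
    if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'unknown' }
}

function Get-MitigationStatus {
    [pscustomobject]@{
        SEHOP          = Get-SehopStatus
        ASLR           = Get-AslrStatus
        IntegrityLevel = Get-IntegrityLevel
    }
}

Get-MitigationStatus | Format-List
```

Run it from a normal and from an elevated prompt and compare the IntegrityLevel line; the two registry reads need no elevation. A "DISABLED" on either of the first two lines means a local setting has turned off a mitigation the OS otherwise provides, which is exactly the situation the post argues against.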
Personally, I think it is a catch-22. On the one hand, an older system does not need upgrading just because the powers that be say so. If it still fulfills its purpose for the user, why should it be upgraded? But the manufacturers are out to make money, so new hardware is no longer made for older machines, as there are fewer sales than for new ones. The same goes for the OS: you cannot support it forever, as it does not recoup the investment. On the other hand, with the rate at which technology advances, a manufacturer is hard pressed to get products out the door while trends are current. To support a 10-year-old product makes little monetary sense at all. So you feel forced to upgrade when there is nothing wrong with your system for you, and the manufacturer cannot afford to mollycoddle old technology because there is no ROI on it. A catch-22. Sul.
The "catch-22" exists because they've locked the two together. A new OS requires new hardware because the OS is a single monolithic unit. The OS core doesn't grow that much. It's all the extras that most users don't need that force the issue. If these were available as add-ons, users could upgrade either separately as they need or want, not when MS says to pay.