How to secure Windows XP after it Xpired?

Well, the Cryptolocker ransomeware and rogue av's make no distinction between average joes and those who are otherwise. They target everyone and hope for a few victims out of the bunch for their success. Having said that, you and others with similar technical abilities will likely have no problems running XP securely long after its support is dropped. Just my opinion.

 

For the typical unskilled user, the risk will go up. For users who can assemble security packages that don't rely on constant updating, nothing will change for some time. The firewall, HIPS, sandbox version, virtual system, web filtering proxy, etc, that works on XP now will continue to function exactly the same as it always has. These doomsday predictions come and go every time an OS reaches the end of its supported life. I've been thru it for 98SE, Win 2000, and XP-SP2. If there's a doomsday for running outdated operating systems, I'm at least 4 doomsdays behind, still waiting for something to happen.

Regarding malware writers reverse engineering patches and using them against older systems, those patches can also be reverse engineered by whitehats and released as unofficial upgrades for earlier systems. For Win 2000, there's a complete unofficial SP5. For 98SE, there's an unofficial SP3 still being maintained. Patches and upgrades for XP will be available, just not (directly) from Microsoft.

Eventually XP users will run into planned obsolescense issues, DLLs changed or renamed just to create incompatibility, artificial limitations in installers, new system APIs, etc. Unofficial upgrades for 9X systems (KernelEx) and Win 2000 (KDW/FCWIN2K) were created to address this problem. The tools and techniques they developed have laid the groundwork for upgrading XP when the time comes. If the upgrades created for 98SE are any indication, XPs best years may be ahead, not behind us.

 

Hmm, I wonder what the most trustworthy unofficial updates for XP will be. A note for the future, expecting replies then.

 

I can't directly comment on something that doesn't yet exist, but I can add this. I was one of the testers for KernelEx and some of the other patches/upgrades for 9X systems. Most of these were treated like any other software in development. KernelEx, which is Open Source, went thru a long testing and development process. There were beta versions, test releases, etc. Most of the development was done openly. When XP or 2K patches were modified for 9X systems, there was quite a bit of discussion regarding what was done and how. With other 9X upgrades like the 137GB hard drive limit and the 2GB file size limit, the changes that were made were explained and discussed in detail. The process was quite open. Most of the people involved are quite capable of reverse engineering. If someone tried to slip something malicious through, I suspect it would be caught fairly quick. For all practical purposes, it's no different than any other Open Source project.

 

I hope you post here, so people like me can use these unofficial updates for XP when they do arrive.

 

I know people who still use Windows 2000 and ME and swear that they have no real unsolvable problems. If they are infected and go unaware of this is a possibility. It could also be that they are "Backwater users" and are just plain lucky.

As for online business transactions they are abstainers and are the type to still go to the currency exchange for paying their bills by money orders. Most are paranoid of any online business transactions and do all their buying at brick and mortar stores.

I also know of up-to-date advanced users who refuse to do any money transactions over the web.

 

The Risk of Running Windows XP After Support Ends April 2014

 

More propaganda/FUD from Microsoft... This is getting really old, really fast.

 

All of the above makes perfect sense but did`nt Nostradamus mention in his predictiones that XP would specifically be attacked on the 15th of April 2014 via kernal vulnerabilities but that Win2k and earlier versions of windows would not ?

 

See his second line. I wouldn't worry too much about it, malware issues are always overblown.

 

You should use it offline only.

 

Comparing Win2K to XP is inane. When Win2K support expired it had nothing even close to the userbase of XP, and attacks were completely different.

And if we're talking about magical kernel exploits, how about the one that only effects XP users and breaks out of Adobe's sandbox that's currently in the wild? Attackers know where the path of least resistance is, they will exploit it.

Securing XP in a meaningful way has long been impossible while maintaining workflow. To secure it when there are dozens of 0days is just silly.

Thankfully, attackers don't care about anyone who runs an AE, probably, so you can call that security if you like and hope that they don't take notice. Relying on luck and obscurity seems like a good idea, right?

Conversation on this matter is useless. Everyone already knows the answer, or they should be now. Whether XP can be 'secure' or not is based purely on how you define security - either by whether you're likely to be attacked, or by whether an attacker is capable of attacking you. If you believe the former is important, securing XP, or absolutely any system, is possible. If you believe the latter, XP is terribly insecure.

 

That's the problem with these discussions. You portray these exploits like they are magic, that they're going to go right through your attack surace regardless of your defenses, or that the user is going to open every malicious file an attacker sends their way. This scenario might apply to the typical user running the standard issue packages. It's a completely different scenario with a security conscious user running a good, layered security package. You've got a very strange definition of "luck" and "obscurity". By your definition, anyone who isn't using a typical security suite based on a default-permit policy is relying on obscurity. Using an alternate browser or PDF reader isn't relying on obscurity. People often choose Foxit or PDFXchange over Adobe because Adobe is a bloated mess, not just because it's a common target for malicious code.

I won't argue that a secure kernel is a good thing or pretend that XPs kernel is secure. It's not. Neither is the Win 7 or 8 kernel. Microsoft has never made a secure kernel. If we use your definition of obscurity, ASLR is security by obscurity. It is literally hiding the location of code in memory by randomizing its location. It's no different than changing the location or name of a commonly targeted executable in the file system to prevent its being used maliciously. A secure kernel doesn't equal a secure system. Many attacks don't require the kernel being exploited. Depending on the goal of the attacker, user space exploits or targeting a specific application are often sufficient. By comparison, for any type of attack (kernel or user space) to succeed, the attacker has to penetrate the attack surface. An exploit that uses java or flash will fail if the user has those plugins disabled or if they're set to click-to-play. Malicious javascript won't work if NoScript or Proxomitron filter it out. Anti-executables or classic HIPS might not be able to prevent malicious code from executing in memory, although SSM does have some abilities in this regard. A properly hardened and restricted attack surface can prevent that code from ever reaching the memory. IMO, securing the attack surface is the most important step a user can take to protect their system. Yes, a targeted attack by a skilled individual could still get through, but such an attacker most likely knows how to exploit the latest kernel as well.

 

Quite frankly, i can't be bothered continually posting, as i used to, about how safe i ACTUALLY am on XP/SP2 !

Certain people just refuse to accept our Real Time experiences of using our systems set up the way we have them ? Unless they have Actually used such systems in these ways, AND tested them over the years with All types of Malware/Exploits etc, as some of us have, they need to pipe down

@ noone_particular Well said, as usual

 

It'd be irresponsible for Microsoft not to warn us or play down the risks after their support ends.

 

"...authorities are not necessarily correct about judgments related to their field of expertise. Though reliable authorities are correct in judgments related to their area of expertise more often than laypersons, they can still come to the wrong judgments through error, bias or dishonesty. Thus, the appeal to authority is at best a probabilistic rather than an absolute argument for establishing facts."

 

Warning users is fine. Play down the risks? Not when there's a buck to be made. Microsoft would be hard pressed to exaggerate the risk more without claiming that using XP puts your eternal soul at risk. They've overplayed the security risk to the extreme. When marketing, exaggerating, and outright lying through their teeth become one and the same, their claims lose all credibility and value.

 

To what are you referring specifically?

 

I agree with you on this. But the quote from Technet blog that you posted earlier is a prime example of fear, uncertainty and doubt being spread by MS.

Unfortunately, for MS this is the only way to convince people to switch from XP to 7 or 8, because if they would actually describe the problems that XP has and that make it unsafe after it is no longer supported, that would be an admission of the fact that XP was not correctly/securely designed from the start. And that admission is too hard to make for Microsoft.

 

XP is win2k( i.e. NT5.1 XP and NT5.0 win2k) bar a few bells and whistles.

 

if we sum up the answers , there is no viable way to secure xp.
again I really suggest that the op use linux as per his own signature.

 

Ignoring the risks however is also irresponsible, while around 1% of the XP users do know how to secure XP even if in its SP2 form, 99% of user out there have no clue and no expertise to secure it and will be exposed. So, warning by Microsoft and security experts are certainly not directed to wilders users or the 1% but the mass out there... that will anyway ignore the warnings as they did up to now and become a valuable resource for criminals and their bots

 

I'm referring to Microsoft and their doomsday sock puppets ridiculous doomsday rhetoric. They have just one motive here, getting people to open their wallets.

 

I don't care about users opening files. They don't need to. Truetype vulnerabilities can easily lead to sandbox escapes and all that's necessary is the user opening a webpage, compromised or otherwise.

Yes, they're going to bypass your defenses. This is already covered in depth in other topics, it's a basic and fundamental principal of access control, the kernel owns the system.

What I'm saying is that staying 'secure' for many here is merely staying 'different'. You aren't raising the cost of attack in a significant way, you're just being different enough that you can break generic attacks. And that's if you're lucky.

ASLR is not security through obscurity. I've had this conversation on other forums before. ASLR implements a secret through randomization and it breaks critical information that attackers need for their exploits to be successful.

A secure kernel does not mean a secure system. It's the basis of a secure system.

But blah blah blah so far I've said nothing new and I doubt if I keep reading I'll be compelled to provide new information.

Do as you like, I really don't care who runs what. As much as I enjoy discussion on computer security I'm bored of the same conversation over and over.

Enjoy your XP systems, I sincerely hope that you don't get attacked. What I will say is that, as always, I highly encourage moving to a more secure system - ideally Linux, but windows 7 at the very least.

 

Re: How to secure Windows XP April 2014?

After XP's EOL, there will be NO WAY to secure it. Considering that you can buy Win7 OEM (legit) for about $70/PC, imho that's the way to go. Win7 will run great on those PC's baring any rare driver issues (before buying W7 run the Win7 Upgrade Analyzer on each PC). Don't even think about continuing with XP beyond its 'doomsday'!