Ten years later, Windows XP still dominates the Web

There's something on SRP...

-http://www.mechbgon.com/srp/

plus a thread on it and LUA...

-http://www.wilderssecurity.com/showthread.php?t=200772&highlight=srp

There are also some HIPS programs that can help if one's comfortable using them.

 

I haven't read all of the posts, since I imagine that they will just echo what's been written in the past about an older Windows OS.

However, this comment caught my eye:

I would like to check this out: can you point me to a URL with an in-the-wild exploit so I can test?

thanks,

----
rich

 

Give 'em time

 

I was going by statistics, which have shown much greater rootkit infections on XP as well as infections on XP being caused by OS exploits instead of 3rd party exploits as is the case on Vista/ 7.

If you'd like to test out exploits why not try metasploit? I believe they have a free version.

 

I don't normally pay too much attention to statistics - I can not know from a distance the circumstances/scenarios/details of how the infections occurred.

I prefer to see how exploits in the wild are served up. It's much more meaningful for me.

But thanks anyway,

----
rich

 

http:// www. exploit-db.com/platform/?p=windows&page=175
For testing purposes obviously.

 

I would think that to be true and we have the cross platform Malware to worry about.

 

I have only seen that problem in VMWare. I have never had an issue in Virtual PC or VirtualBox. Updating VMWare Tools almost always breaks activation. For older versions of Windows Virtual PC works fine and there likely won't be any more update for that anyway.

I don't think any desktop OS is excluded from VM use as long as you have a valid license. I think the issues were with running a non Pro/Ultimate OS as a host and trying to run another copy with the same license.

 

[AnotherTangent] Software restriction policies- I've been trying to wrap my head around these in both Linux & Windows. So Windows software restriction policies allows you to determine exactly what each program will be allowed to do. For instance I could confine my browser so that any malware I encounter can't access system files. It would prevent escalation of privileges. Is that the general gist? [/AnotherTangent]

 

lol I wish SRP were that useful.

 

Thanks Jack!

 

It's not? So it doesn't work like AppGuard or AppArmor? What, is SRP easy to escalate out of?

 

No it's not like AppArmor. Apparmor restricts file access by program. SRP just stops programs from running unless you OK them to run.

Application whitelisting is bypassable. Exploits can work within programs via ROP or they can hop to other programs. Not a lot of people run whitelisting so I doubt many exploits take this into account.

 

Anything already installed under the SRP-approved directories, when SRP is enabled, is allowed to run.

What is ROP? Also, how would an exploit "hop" to another program, especially if said exploit is not SRP-approved?

 

Right.

Return Oriented Programming. Exploits don't need to start their own processes or downlnoad payloads, there's nice juicy code for them to work with right in the exploited program

By never hitting the disk.

https://www.wilderssecurity.com/showthread.php?t=315130

 

OK, what I'm looking for is MAC for windows. But I think that's pretty far off the topic of XP's future. So I started another thread.

 

Right, the blog about never hitting the disk. Of course like so many of these blogs, they don't really explain how they would work in an actual, non-controlled-environment scenario. Essentially, what needs to happen from start to finish for these exploits to be successful.

 

ROP is well documented. Moving from one thread to another through IPC (as the name states, inter-process calls) is just a function of operating systems.

 

That's just a metasploit-type site where anyone can download/run malware demos.

As I indicated earlier, I'm interested in seeing how an exploit is served up in the wild. Then, I can evaluate my own defenses.

Take MS08-067 as an example: exploiting the Windows Server Service via a specially crafted Remote Procedure Call (RPC) request.

The infamous Conficker worm had a fun time with this vulnerabilty starting in November 2008, and added millions to its botnet club in the ensuing months.

An investigation revealed that the first variant, Conficker.A, intruded via an unsecured port 445.

• Security-aware people already had ports secured from within the OS itself, or with a 3rd party product.

The next variant, Conficker.B intruded via exploiting the Autorun feature in Windows, to load a DLL.

• Security-aware people already had this type of attack easily prevented, either from within the OS itself, or with a 3rd party product.

_________________________________________________________________________________________________​

By the way: In the "Let's bash older versions of the OS as being more vulnerable" department, note that MS08-067 exploited all versions of Windows, including the latest at that time, Windows Vista and Windows Server 2008.

Microsoft Security Bulletin MS08-067
Published: Thursday, October 23, 2008
Critical Vulnerability in Server Service Could Allow Remote Code Execution
http://technet.microsoft.com/en-us/security/bulletin/ms08-067

_________________________________________________________________________________________________​

By the way #2: In the "The current version of an OS is more secure because of updates/patches" department, note the date of the patch for MS08-067 -- one month before the onslaught of Conficker.

Patches mean nothing if not installed:

Windows users indifferent to Microsoft patch alarm, says researcher
December 4, 2008
http://www.computerworld.com/action...wArticleBasic&taxonomyId=89&articleId=9122599

'Huge increase' in worm attacks plagues unpatched Windows PCs
Microsoft scolds users who never applied October's emergency update
January 12, 2009
http://www.computerworld.com/s/arti...s_plagues_unpatched_Windows_PCs?source=NLT_PM

_________________________________________________________________________________________________​

My experience has been that security-aware people do patch, and also have protection in place that negates any 0-day payload.

None of this is to advocate keeping an old version of an OS. Rather, just to put things into perspective:

• Having the latest version of an OS doesn't necessarily mean that a user cannot be infected.
  
  
• Having an older version of an OS doesn't necessarily mean that a user will be infected.

----
rich

 

Originally Posted by Rmus

Spot on, my thoughts Exactly

 

• Having the latest version of an OS doesn't necessarily mean that a user cannot be infected.
  
  
• Having an older version of an OS doesn't necessarily mean that a user will be infected.

Best post in this thread and 100% TRUTH

 

Of course it doesn't. It just means that you're more of a target and an easier one. Thankfully, as users, we don't have to worry much about direct attacks. Changing up the system is enough to completely wreck an automated attack, even if the defenses are poor and easily circumvented the automated attacks don't take it into account so it flat out fails.

So if you're willing to call that security, by all means.

 

What's clear to me when reading a thread like this one is that some people just will not or can not change their minds regardless of how information is presented to them.

Or, to put it another way...

Faced with the choice between changing one's mind and proving that there is no need to do so, almost everyone gets busy on the proof. - John Kenneth Galbraith

 

Classic HIPS, even older ones like SSM were able to control interprocess activity on a per process level. Just because Windows doesn't provide the means to do this doesn't mean it can't be done. The 3rd party tools have always been ahead on things like this. Microsoft just copies the ideas, weakens them down, then adds them to their next OS.

ROFL!! Changing away from "the norm" is one of the most successful tactics ever devised, both defensively and offensively. Few defenses work better than making your opponent miss their intended target. It's been at the core of successful military strategy almost forever. I suggest that you read The Art of War before you make such a blanket statement.

Exactly right. Any OS can be made extremely tough with the right policy enforced by the right tools.

 

You've misunderstood. Changing things up is a fine way to go about it but it assumes ignorance on the side of your attacker. This only works for automated attacks that don't take your protection into account. Any other scenario leads to easy workarounds and an owned computer.

Perhaps you should read the part of his posts that mentions patching lol (edit: Altohugh I think it's cloneranger who doesn't patch? I can't remember >_>)

But no, not any OS can be made "extremely tough." Just extremely uncommon.