Carefully choosing only the MS patches I require

Discussion in 'other security issues & news' started by wat0114, Feb 5, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Mods, please move this thread to a more appropriate forum, such as "Other anti-malware software"? Sorry about that.

    On a recent nLited installation of Win XP Pro, with SP3 to follow on my dual-boot with Win 7 Ultimate machine, running Windows Update (Custom) resulted in 107 security updates deemed necessary to get it fully patched, most of which were rated "critical". After briefly researching the Security Bulletins for each one of them, I ended up installing only 42 of them, foregoing the other 65.

    Most people might think this approach is irresponsible and unnecessarily throws caution to the wind, but consider the following reasons, in point form, found in the Security Bulletins, for why I held back the other 65:

    • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. I found at least 30 patches that address vulnerabilities where this condition is required for a successful attack. Let's face it, and I'm sure most will agree: if an attacker gets local access, it's game over anyway. Patches not necessary, imho.
    • Must have RDP (Remote Desktop) enabled
    • Cipher suites not using CBC are unaffected. This I need to research a bit more to be sure.
    • Only successful with a Chinese, Japanese or Korean locale.
    • Client needs to send an SMB request to a specially crafted SMB server.
    • Attacker has to gain access to the network then create a program to send specially crafted LLMNR requests.
    • IPSEC must be enabled
    • Windows Messenger must be enabled
    • Direct Show must be enabled and used. At least a half dozen security patches address this.
    • User must visit a remote file system location or WebDAV share and open a document on it.
    • Arguably one of the most important considerations: Running with lower privileges is less at risk than those running with administrative privileges

    Since I don't enable RDP, SMB, IPSEC, Messenger, Direct Show and so forth, I am confident I can ignore all the patches that address these components. Furthermore, I'm using SRP - all files, Jetico Firewall with some Process Attack filtering enabled to augment SRP, running as a limited user, using Firefox with NS filtering to secure the main attack vector - the browser, running EMET 3.0, disabled several services, resulting in a very light, yet powerfully secured system.

    If this setup ever gets exploited (fat chance imo), I will report it here posthaste :D

    I don't advocate this approach for most, but with some knowledge and abilities in home pc security, I don't see why it can't be used. The result is a much more streamlined and more responsive installation of, in this case, Windows XP. It is still patched to address vulnerabilities that the user is more likely to stumble upon, as opposed to those that are highly unlikely to happen or, in the case where the attacker has local access, where no amount of patching would protect anyway.
     
    Last edited: Feb 5, 2013
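Added example (not code from wat0114's post, and not a Microsoft tool): a small triage script that turns the kind of precondition list quoted above ("must have local logon", "RDP must be enabled", "CJK locale only", and so on) into an install/defer decision against what is actually switched on for a given box. The bulletin records, the "V-n" vulnerability labels and the "B-0n" IDs are constructed placeholders, not real bulletin or CVE numbers. The one point the script enforces that a skim of bulletin titles does not: preconditions are tracked per vulnerability, so a bulletin that bundles one unconditional remote bug with several local-only ones still lands on the install list.

```python
r"""Triage of security bulletins against a host's real attack surface.

Added example, not code from the original post. The bulletin records,
vulnerability labels and host profiles below are constructed for
illustration; "B-01".."B-06" are placeholders, not Microsoft bulletin IDs.
"""
from dataclasses import dataclass

# Precondition tags, following the bulletin wording quoted in the post.
LOCAL_LOGON = "local_logon"   # attacker must be able to log on locally
RDP = "rdp"                   # Remote Desktop must be enabled
SMB_CLIENT = "smb_client"     # client must talk to a crafted SMB server
LLMNR = "llmnr"               # attacker on the LAN sends crafted LLMNR
IPSEC = "ipsec"
MESSENGER = "messenger"
DIRECTSHOW = "directshow"
WEBDAV = "webdav"             # user opens a document on a remote share
CJK_LOCALE = "cjk_locale"     # only a Chinese/Japanese/Korean locale

@dataclass(frozen=True)
class Vuln:
    label: str                # placeholder, not a real CVE number
    preconditions: frozenset  # ALL of these must hold to exploit it

@dataclass(frozen=True)
class Bulletin:
    id: str
    component: str
    vulns: tuple

@dataclass(frozen=True)
class HostProfile:
    enabled: frozenset                   # features/services actually on
    locale_is_cjk: bool = False
    skip_local_logon_only: bool = False  # "local access = game over" policy

def vuln_is_reachable(v, host):
    """True if every precondition of this vulnerability holds on the host."""
    for p in v.preconditions:
        if p == LOCAL_LOGON:
            if host.skip_local_logon_only:
                return False
            continue               # otherwise assume local access is possible
        if p == CJK_LOCALE:
            if not host.locale_is_cjk:
                return False
            continue
        if p not in host.enabled:  # feature is off, precondition cannot hold
            return False
    return True                    # no preconditions at all: always reachable

def triage(bulletins, host):
    """Split bulletins into (install, defer) lists of (id, reason).
    A bulletin is installed if ANY of its vulnerabilities is reachable, so
    one unconditional bug in a multi-bug bulletin outweighs the rest."""
    install, defer = [], []
    for b in bulletins:
        reachable = [v.label for v in b.vulns if vuln_is_reachable(v, host)]
        if reachable:
            install.append((b.id, f"{b.component}: reachable {reachable}"))
        else:
            needs = sorted({p for v in b.vulns for p in v.preconditions})
            defer.append((b.id, f"{b.component}: every vuln needs {needs}"))
    return install, defer

# Constructed sample data (placeholders, not real bulletins).
SAMPLE_BULLETINS = (
    Bulletin("B-01", "kernel-mode driver", (Vuln("V-1", frozenset({LOCAL_LOGON})),)),
    Bulletin("B-02", "Remote Desktop", (Vuln("V-2", frozenset({RDP})),)),
    Bulletin("B-03", "web browser", (Vuln("V-3", frozenset()),          # remote, unconditional
                                     Vuln("V-4", frozenset({LOCAL_LOGON})))),
    Bulletin("B-04", "DirectShow", (Vuln("V-5", frozenset({DIRECTSHOW})),)),
    Bulletin("B-05", "SMB client", (Vuln("V-6", frozenset({SMB_CLIENT})),)),
    Bulletin("B-06", "font rendering", (Vuln("V-7", frozenset({CJK_LOCALE})),)),
)

# A stripped-down box like the poster's: RDP, SMB, IPsec, Messenger, DirectShow
# and WebDAV all off, and local-logon-only bugs deliberately skipped.
LOCKED_DOWN_HOST = HostProfile(enabled=frozenset(), skip_local_logon_only=True)

# A stock install: every component on, local access not waved away.
STOCK_HOST = HostProfile(
    enabled=frozenset({RDP, SMB_CLIENT, LLMNR, IPSEC, MESSENGER, DIRECTSHOW, WEBDAV}))

if __name__ == "__main__":
    for name, host in (("locked-down", LOCKED_DOWN_HOST), ("stock", STOCK_HOST)):
        inst, dfr = triage(SAMPLE_BULLETINS, host)
        print(name, "install:", inst)
        print(name, "defer:  ", dfr)
```

On the locked-down profile only B-03 survives, because of its unconditional bug; flip `skip_local_logon_only` to False and B-01 comes back too, which is the whole debate in this thread reduced to one boolean. The script only decides as well as the preconditions you feed it, so if a bulletin's description is incomplete the defer list is wrong in the unsafe direction.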
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Seems like a nice invitation to a debate between 2 schools of thought. It's your machine so anything goes man. I haven't run XP for a long time and I kinda miss it - you and luciddream are tempting me. :D

    Anyway, a bit OT but MrBrian posted a nice tutorial here that shows how to use CIS as an AE (similar to SRP/AppLocker). Compared to SRP, it works on kernel-level...so you might want to try it.

    Using Comodo Internet Security as an anti-executable
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I'm expecting it to some degree :)

    Both Luciddream and noone_particular tempted me to revisit XP :)

    I saw that some time ago. It's intriguing but I am supplementing SRP with some of Jetico's Process attack filtering options. That along with Jetico's above-average packet filtering suits me fine.
     
  4. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Under the conditions you describe for the updates you didn't install, it sounds very reasonable to skip them. You have everything locked down pretty tight anyway, so go for it.

    BTW, I admire your patience to read through the descriptions of 107 updates. I'm much too lazy to do that!
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Well, I only read as much as I needed to see :) It took me a few hours all told, but it was worth it, especially seeing how many vulnerabilities require the attacker to be logged in.
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Wow, I even underestimated the lengths you were going to to make this XP boot of yours as streamlined as possible... while maintaining the balance of keeping it well hardened and with a minuscule attack surface.

    And though it's a hit to my ego to admit to it, I believe you have surpassed me, lol. I just install all the critical updates. I really admire the time you took to look into each one to see how it affects you personally. And also am a bit jealous imagining how well this uber trimmed XP setup of yours must hum along with up to date specs/hardware. I'm pushing mine on an old Dell Dimension 3000, and it flies. Yours might just take flight and shoot through your roof if you're not careful.

    Major props to you wat!
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Thank you, Lucid, though you're being too kind. I consider you the Win XP meister :D

    My hardware specs, although powerful in their time (2006), must really pale in comparison to recent hardware specs, especially on higher end machines. I've no scientific measurement on how well it runs, but I'd say ~ 15% snappier than my Win 7 Ultimate setup on this same hardware :)
     
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    No I wasn't just being nice, I mean it dude, I yield to you. I would Knight you with like a floppy disk or something if I could, lol.

    I think your CPU probably gives you a substantial edge over me. If I recall isn't it dual core or something? While I just have a Celeron @ 2.4 ghz. But I'll bet that 15% would turn into like 30+% (for Windows Explorer anyhow) if you applied those display/theme tweaks I mentioned. But I understand you want a certain aesthetic appeal too. That CPU is probably what also allows you to take .NET FW & EMET in stride much better than my box would.

    The RAM probably doesn't make a difference since I noticed none when I upgraded from 1 to 2 gigs. But it is still cool that you have it pushing the max, isn't it 3.25 GB?... I've heard conflicting accounts of this. I've heard 3, 3.25, 3.5 and 4. So what is the max it will read? I'd like to put this to rest.

    I thought before about building a box with like an i7 CPU and 4 gigs of RAM to see how fast I could get XP flying with my trimmings. But I just don't like any of the newer versions of Windows enough to justify the expenditure. If the day comes that some vulnerability opens in XP Pro that's unresolvable, I'll probably become a MAC/Linux user the next day. And then keep this box around just for retro gaming, offline.

    Well enjoy living the dream bud!

    Oh, also if you're a Firefox user you can use the addon "Element Hiding Helper for Adblock Plus" to trim down all your favorite websites. I've done it to every site in my favorites... trimmed down to only what is needed for essential navigation & functionality. It makes my pages load twice as fast in many cases. And when it loads it ALL loads, that instant, not a few elements popping up moments later or whatnot. I click on a link, or hover over it in my favorites and click... and it's there by the time I blink an eye. And again, ALL there. That 1 extension alone is so awesome to bareboners like us. And I am even so darn thrifty that I keep it disabled until I need it, since you don't need to reboot Firefox when you reenable/disable it.
     
    Last edited: Feb 5, 2013
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ luciddream

    Hi, re "Element Hiding Helper for Adblock Plus" You mean this ?

    [screenshot: ab.png]

    As i don't see the EHH option ?

    NoScript also has this

    [screenshot: ns.png]

    @ wat0114

    I'm on XP/SP2 & NO Updates at all, with 2Gigs of RAM & no Paging File. Most of the time i have around 1.5Gigs free !
     
  10. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Same here, I've got a Core2Duo 6550 with 4GB memory from 2007 and a Radeon HD2900 graphics card. XP/Server 2003 run noticeably faster than Win7. The fastest crate I have is even older, an old AMD Opteron with 2GB and an even older Radeon card. XP screams on that system.

    If you're interested in getting radical, take a look at this if you haven't already seen it. It's trimming down XP to the extreme.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, your approach is quite sound. I haven't gone through every update in that manner but I do select out the ones that patch the components I have installed and use. Reducing the attack surface is easily one of the best things you can do for XP from both a security and performance perspective. Judging by what you said you've disabled, I'm sure you've already felt a real performance improvement. Have you considered using XPlite to strip out the components you don't use instead of just disabling them? An attack surface component or service that doesn't exist on your system can't ever be exploited or re-enabled. I don't remember which ones it was, but some updates will change your service settings and can enable some you might have disabled. Just something to check when you do update.
    Very true. On mine, I don't rely that much on SRP. Most of my attack surface apps are launched with DropMyRights with SSM restricting the apps' ability to interact with the rest of the system's executables and applications. For a couple of internet apps, DropMyRights is the only app that's allowed to launch them. Different mechanisms but very similar results.

    If you maintain that approach and stay within your own security policy, you can probably run XP for as long as you want.
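Added example (not code from noone_particular's post): a way to catch the problem mentioned above, updates quietly changing service start types and re-enabling something you had disabled. On XP the cheapest snapshot is `reg export HKLM\SYSTEM\CurrentControlSet\Services before.reg`, then the same to `after.reg` once the updates are in and the box has rebooted; this script parses both exports and reports every changed `Start` value, flagging services that went from DISABLED to anything else. The two .reg snippets embedded below are constructed samples, and `ExampleNewSvc` is a placeholder name, not a real service.

```python
r"""Diff two 'reg export' snapshots of HKLM\SYSTEM\CurrentControlSet\Services
and report services whose Start type changed (especially DISABLED -> enabled).

Added example, not code from the original post. The .reg text below is
constructed; ExampleNewSvc is a placeholder service name. Real snapshots:
  reg export HKLM\SYSTEM\CurrentControlSet\Services before.reg
  ...install updates, reboot...
  reg export HKLM\SYSTEM\CurrentControlSet\Services after.reg
"""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
START_NAMES = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "MANUAL", 4: "DISABLED"}
DISABLED = 4
START_RE = re.compile(r'^"Start"=dword:([0-9a-fA-F]{8})$')

def parse_start_types(reg_text):
    r"""Map service name -> Start value from a reg export.
    Only direct children of the Services key are services; deeper keys
    such as Services\Messenger\Parameters are skipped."""
    result, current = {}, None
    prefix = SERVICES_KEY + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            rest = path[len(prefix):] if path.startswith(prefix) else None
            current = rest if rest and "\\" not in rest else None
            continue
        m = START_RE.match(line)
        if m and current is not None:
            result[current] = int(m.group(1), 16)
    return result

def diff_start_types(before, after):
    """Return (changes, reenabled). changes: sorted (service, old, new),
    with None where the service is absent on that side. reenabled: services
    that were DISABLED before and are present but not DISABLED after."""
    changes = []
    for svc in sorted(set(before) | set(after)):
        old, new = before.get(svc), after.get(svc)
        if old != new:
            changes.append((svc, old, new))
    reenabled = [s for s, old, new in changes
                 if old == DISABLED and new not in (DISABLED, None)]
    return changes, reenabled

def describe(start):
    return "absent" if start is None else START_NAMES.get(start, str(start))

# Constructed sample exports (abbreviated; real files carry many more values).
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DisplayName"="Messenger"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"""

# After the hypothetical update: Messenger flipped to MANUAL, a new service added.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DisplayName"="Messenger"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleNewSvc]
"Start"=dword:00000002
"""

def report(before_text, after_text):
    changes, reenabled = diff_start_types(parse_start_types(before_text),
                                          parse_start_types(after_text))
    for svc, old, new in changes:
        print(f"{svc}: {describe(old)} -> {describe(new)}")
    if reenabled:
        print("RE-ENABLED (re-disable these):", ", ".join(reenabled))
    return changes, reenabled

if __name__ == "__main__":
    report(BEFORE_REG, AFTER_REG)
```

Real exports from `reg export` are UTF-16 LE with a BOM, so read them with `open(path, encoding="utf-16")` before handing the text to `report()`. A brand-new service shows up as `absent -> AUTO`, which is worth a look too, since it is attack surface the bulletin may not have mentioned.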
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I fully agree with your approach. I use a variation of it myself to protect my Windows XP, and it also involves picking and installing only some of the MS updates :)
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    @lucid: LOL! how about at least a higher end HD floppy :D Seriously, I think i'll just stick with NS and AdBlock+ to keep the plugin count at a low enough level.

    @noone: I hadn't known about XPLite before. It is trialware so the cost vs benefits for me might not be worth it. This XP trimming experiment is mostly just that - an experiment, although I might find myself using it more than Win 7 :)

    @Clone; Well, maybe you should be the one Knighted :D I had forgotten you were running XP successfully without any updates; very impressive :thumb:

    @Johnny and Nebulus: thanks for the supportive comments :)
     
    Last edited: Feb 6, 2013
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    In a perfect world made of exhaustive and comprehensive information your approach is very sensible. Unfortunately there have been many cases in which security patches do patch much more than what they describe in technical articles/KB and this will leave you with a potentially suboptimal setup (security wise) :)
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I only update the really critical ones, like the blaster fix for example. I sometimes build a new source disc and integrate service packs. Otherwise, I don't update much of anything. Been like that since 98se I guess.

    One of my good friends, who is very knowledgeable, is still on win7 release with no updates. He runs his machine on DMZ with no firewall and no av. I mean, he has nothing. He surfs with chrome incognito all the time. That's it. We laugh a lot about how long he has been doing this, and has yet to develop an issue.

    There are some who say a computer on the net without protections will only go hours before being compromised. That might be true of servers, and could be true at any point I guess. But judging from what I have seen, most of those types of reports are "doom and gloom".

    I personally think more of it resides in where you go and what you do rather than just being available. Sort of confusing though as any router log will show you dozens of connection requests every day from the outside.

    I'll continue to make my judgement calls based on what I have seen myself rather than be paranoid because experts say it is so.

    So wat, I guess you might be a conservative to some and extremist to others ;)

    Sul.
     
  16. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    330
    But what is the catch? :blink:
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't think anyone who heavily tweaks their system/services, runs without AV or doesn't update (etc etc) would expect every system to remain problem free. Nor would they advocate it for other people. I think their own experiences shape their outlook. And when you don't have problems year after year, it's hard to warrant going to the extreme measures some go to.

    The catch is simple. You don't patch, you take your chances. For me it's been a no brainer. If I ever develop a problem, I might change. Until that point, why would I? But nothing inherently "bad" has happened over many, many years now, so for me there is no "catch".. yet ;)

    Of course I can only speak for myself...

    Sul.
     
  18. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    No, I'm talking about an actual add-on called just that: "Element Hiding Helper for Adblock Plus" for Firefox. Independent of the regular ABP, but it integrates into it and allows for custom filters/rules. With it you can select elements on a page to block by simply hovering over then selecting them. It doesn't get any easier than that.

    @ wat... Like I said you can keep the addon disabled, and only enable it when you come across more elements on a page you want to hide. You would of course need to run unsandboxed too for that session to have the rules stick. And since you don't need to restart Firefox when you enable/disable the addon it makes it convenient to use in this manner. This site alone, the pages load twice as quick because of some of the custom filters I have in place from EHH4ABP. Do that to all your favorited sites, and it adds up. Believe me, you won't regret it.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada

    Certainly no catch, just an experiment of sorts. It's one I started a few years back and even posted somewhere in these forums when I nLited XP Pro with SP2 I think it was, as I've long suspected so many of the MS critical patches are not necessarily necessary as long as one has the attack vectors addressed by other means, and stated I was confident I could surf for months without infection. I only went a few months then gave it up, not because it got infected - it didn't - just that it was an old dog P4 1.7 GHz that could barely even run that lightweight setup, so I ran Puppy Linux and then another lightweight distro on it for a while, bought this current dual core 4400+ x64 amd machine used off my brother, then eventually took the P4 pc to the recycling depot to put it out to pasture :)

    This machine will serve me for a few years more I reckon, and I'm running Win7 Ultimate on one of the SSD's partitions, it's the active one and used EasyBCD to add this XP system.

    Somehow that doesn't surprise me. Win 7 even in its default state is quite secure, and then your friend is using an already secure browser in a more secure mode, to address the main attack vector.

    @lucid, thanks for the info. I may give it a go.
     
    Last edited: Feb 6, 2013
  20. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I personally consider the approach described in this thread (and similar ones) to be extremely... ridiculous, in fact.

    Patches from Microsoft don't add bloat, they replace wrong code with fixed code (sometimes the fixed code has more lines of code than the wrong code that is getting removed, but sometimes the fixed code has fewer lines of code than the wrong code that is getting removed! And other optimizations...).

    The only real "extra" they add (and this "extra" only takes some free disk space, nothing more) may be their own uninstallers but these can be removed easily with something like CCleaner.

    Also, the patches get extensive testing before being released. Microsoft has extremely large testing labs (thousands and thousands of machines and very rigorous and extensive testing methodologies). An example of a part of this structure that safely surpasses nearly every geek's dream.

    Plus, on the rare occasions that issues with patches are found after the release (not impossible, after all, Windows has billions of users, although on each rare incident, Microsoft's own testing gets better and learns from it), Microsoft quickly fixes them (fixes to bad patches have high priority).

    Needless to say, I always install all the patches available and I recommend that to everyone that asks or talks about the matter.
     
    Last edited: Feb 7, 2013
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would be "bizarro Wild Hunter" in an alternate universe :D I am so opposite in my thoughts about M$ and their updates.

    Maybe it stems from that update that fried an AMD cpu... me and a few thousand other lucky souls. Or maybe it stems from putting an update on to find "less" performance.

    Personally I find it ridiculous that so many still use an AV and firewall for most scenarios. I also find it ridiculous that ethanol costs more money and burns more fossil fuel than it saves. Or, maybe that is retarded, not ridiculous ;)

    Sul.
     
  22. At this point, based on what I know, I can only recommend applying patches. All of them. As frequently as is possible. Antivirus software, HIPS, SRP, even AppLocker, are all useless if someone can run a kernel exploit from within the memory space of a compromised program; and older kernels have plenty of nice exploits available, e.g.

    http://technet.microsoft.com/en-us/security/bulletin/ms11-087

    Yeah, sure you can avoid drive-by browser exploits with SRP and whatnot; but if you want something that you can use safely on a public wifi network, you don't want to fall behind in the update race.

    P.S. I have some hope that things will get better in the next few years though. The GrSecurity people have IIRC been talking about a hypervisor that could apply exploit mitigation tactics like ASLR to OS kernels, reducing the need for updates; if someone could write one that Windows could run on top of...

    P.P.S. With apologies to Hungry Man for my being awfully thick at times. You were right all along, dude. :eek:
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    OK, thanks :thumb:
     
  24. guest

    guest Guest

    Been running XP like this for years
    Faster than win 7 or 8
    Reduced the attack surface to near zero
    very few MS Patches "not needed"
    and even a little bit of my own code for some mods:thumb:
     
  25. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    260
    Location:
    USA
    I used to do that when still on dial-up to reduce the amount of downloading needed. I disabled all unnecessary services and didn't bother patching those.
     