Ten years later, Windows XP still dominates the Web

Discussion in 'other software & services' started by tgell, Jan 2, 2012.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    As I said, it means different things to different people and as such, it is a fallacy to insist upon applying one's own definition of security to others.

    I have heard it said that a fact is merely a point at which we have allowed investigation to cease. I view security in a similar manner... as a moving target.

    Quite literally, there is a point at which an average computer user (even one who has a strong inclination towards shutting out the bad guys) must put down the toolbag and walk away, proclaiming his or her readiness and preparation complete... for the moment, or for the hour, the day, the week or the month.

    Computer security therefore also exists in the mind as well as on the machine, and is best described as some degree of a sense of well-being. When viewed in this context, it is easy to see how someone with extraordinary security measures in place can still feel incomplete, or how a user with minimalist measures in place can feel unfazed by all the malware hoopla.

    At some point, security is going to require a leap of faith. A user is going to have to straddle the chasm between fear and serenity. It can be accomplished by piling up facts regarding how to secure a system, it can be done by acknowledging that everything reasonable has been applied, or it can even be obtained by agreeing to move on. The leap can be a step, or it can be a running long jump. It can be achievable or impossible to grasp. A quick look around the forum tells you there is no ultimate or final definition of security.
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Agreed, when that happens, that is the biggest waste...
     
  3. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    i use xp..and maybe until or after 2014..
     
  4. BrandiCandi

    BrandiCandi Guest

    What's happening?? I don't understand! Someone directly addressed the thread topic, no tangents at all...

    BTW that was a joke. <insert giggle here>

    :p
     
  5. lws

    lws Registered Member

    Joined:
    Aug 28, 2009
    Posts:
    196
    Same here. Nothing to fear but fear itself.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree with everything you've said. I get that everyone has their own definition. I'm just curious to see them.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If that's really the case, why is it whenever someone says they're not using Microsoft's "latest and greatest", you go to extreme lengths to point out how insecure they are?

    Like I said earlier,
    I see lots of big security claims regarding Microsoft's alphabet soup security. At the same time I see thread after thread showing how they're defeated or bypassed, some of it by design. Example, Circumventing SRP and AppLocker by design, with LoadLibraryEx. I won't bet on this being an isolated incident. Or this one, Thread-injection attacks from browser exploits are increasing. What good is it to restrict the user space apps when attacks can inject into system service threads, threads that usually run at much higher privilege, are easy to identify and find, and are running by default even when they contribute nothing to the user? One part gets strengthened while the other is exposed. How does system services becoming part of the attack surface qualify as more secure? How can MS claim to have learned a lesson from Blaster about open ports, then ship the most recent OS with more ports opened by default than any of its predecessors, some of which are nearly impossible to close? Don't tell me the code behind them isn't vulnerable. All code is vulnerable. You don't make an OS more secure by giving it a huge attack surface and equipping it with security features with built-in bypasses. Sorry, but I can't accept your position that 7 is any more secure than the earlier systems.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Because the idea makes no sense to me. If you know how to have a discussion with less than two sides let me know and I'll give it a try.

    They always were and always have been. They're talking about explorer and other services that are running on 7. Just like on XP.

    You're pointing to new security methods and saying "They aren't perfect, therefore XP, which doesn't provide them at all, is just as secure."

    What is your explanation for XP being heavily attacked via the OS compared to 3rd party apps but 7 being heavily attacked via 3rd party apps and not the OS?
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Just as it makes no sense to me to present a huge attack surface that the user can't reduce without a lot of work and requires a separate product like a router to defend. Creating a market for routers?



    System services that hold ports open were a bad idea then and still are. Ports should be open when they're needed, not left open in case someone needs them. An OS marketed to home users should have no ports open as they're not necessary.

    There's a big difference between imperfect and designed to be bypassed. MS apparently doesn't think a designed bypass such as LoadLibraryEx deserves more than a hotfix. If they did, it would be patched via an update by now. That tells me that they want AppLocker to be bypassable.

    Reasons?
    Being a target for 10+ years.
    Being the most common target.
    3rd party apps can be used for attacks on many platforms. Why hit one when you can hit them all? These are increasing in general, not just for 7.
    The short time 7 has been on the market. Every OS has enjoyed this quiet time in their early years. This will change very soon.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If it were by design (as opposed to a design flaw) I doubt it would have gotten a hotfix. Considering that AppLocker isn't really used, is meant for businesses, and is only provided in Professional, Ultimate or Enterprise editions, it is not too surprising.

    I suppose we'll have to see in the future if 7 really does start getting hacked to pieces like XP was.

    Computers haven't been this widespread ever and we don't really have a precedent to go by.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You're kidding I hope. If they'd said it was designed to be bypassed and failed to provide any fix, the backlash and bad PR would have ruined that market for them. IMO, providing a fix just to those who learn about the problem and ask for it says all that needs to be said.
    We don't have an actual precedent, but we do have clear trends for the last 10+ years. Every mainstream OS they've released was being targeted hard by the middle of its supported life, and each new one was hit harder than its predecessor. 98 got hit hard with adware, spyware and "in your face" malware. XP got hit with rootkits. The bigger and more complex an OS got, the more code they found to exploit and the more places and ways they found to hide the malicious code. If one considers just installed size of the OS, Vista and 7 have almost 100 times as much code as 98 did. Assuming equal quality and skill, that alone means there's the potential for 100 times as many errors or flaws. But like you said, time will tell. It's clear we have opposite views here. You keep using the latest and greatest. I'll stay with this older hardware running an even older OS secured by 3rd party apps. We'll see who stays clean longer. Default-deny has worked flawlessly for me for the last 7+ years. I don't see where that will change.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This is treating every design exploit like an intentional backdoor just because instead of a patch there was a hotfix.

    The last 10 years? XP has been one of the major OS's for that entire time. Computers hadn't been nearly as widespread before that.

    Security in Windows also hadn't really changed. It was certainly exploited plenty but MS didn't make any serious new moves until Vista/ 7.

    100x more code is one thing to take into account. Attack surface has increased. I'd be interested to hear how much of that is in the kernel.

    There is no formula for trying to guess how many exploits just won't work with ASLR or DEP or SEHOP. We do know that a large number of exploits are buffer overflow, we do know that a large number of exploits were SEH rewrites. Attackers will just move on to other hackable areas but each time they do it's harder and harder to do so. JIT spraying for example isn't as easy to exploit or to protect against. Same with ROP, which largely relies on the hacker working with set libraries and bypassing ASLR.

    There really isn't any precedent to base it on. I think that techniques like ASLR, SEHOP, DEP, anti-ROP, MIAC, SmartScreen, and others will far outweigh those built into XP. I think that anything you do with 3rd party software on XP can be done on 7 without the underlying layer of an insecure OS that hasn't been updated to include basic security mitigation techniques that have been shown as effective.

    What you've got works for you. That's fine. This is where different definitions of security come into play - I would say that if you're working on an insecure kernel that has known exploits in the wild your 3rd party security isn't going to make up for it. You have not been infected apparently, which I attribute to luck and lack of hacker interest (like an OSX average user) and you attribute it to third party security. There's no real way to say why something didn't happen so it's a matter of philosophy.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Hungry Man,

    Responding to another poster, you wrote:

    (my bolding)

    To follow up a bit more on your request in an earlier post about others' views on security:

    One reason I use current exploits as part of my rationale for security measures is that I can test --or extrapolate from other analyses when there isn't access to a working exploit in the wild -- to determine the likelihood that I might be compromised.

    Take the kernel/font parsing vulnerability used by Duqu last year. To review:

    Microsoft Security Bulletin MS11-084
    November 08, 2011
    http://technet.microsoft.com/en-us/security/bulletin/ms11-084
    To me, this shows that having the latest version of Windows is no guarantee that some part of the millions of lines of code won't be exploited at some time.

    My approach to this:

    Digging around, I found that this exploit has to come in HTML code, meaning that the attack vectors include:

    • malicious web pages

    • malicious emails, both the body and attachment

    • Word and Powerpoint documents

    web pages, I found this:

    Well, a test page was set up and it turns out that Firefox, Chrome (tested by Michael Horowitz of Defensive Computing), and Opera (I tested Opera) do not parse embedded TT fonts using t2embed.dll, so the exploit fails to start. (Also see CloneRanger's tests in November in the "Son of Stuxnet" thread, p. 4)

    emails: An email reader displaying HTML code would be vulnerable just by viewing the message. I use a plain text email reader. Clicking on a link in an unsolicited attachment is a social engineering tactic.

    documents: this is purely a social engineering tactic. Even so, opening documents in a text editor negates the running of macros/code. I don't have/use PowerPoint.

    Looking at the Duqu exploit itself -- should the code somehow run -- I verified from the vendor of my AE product that it would block the DLL loader.

    (Also: a Microsoft workaround soon became available, and later a full patch, so this exploit is history except for the really dumb out there!)

    I can cite *many* similar examples of vulnerabilities/exploits I've looked at that have surfaced over the years, where I determined the likelihood that I would be compromised.

    I feel much safer with my security products in place, and adhering to firm policies and procedures, than depending on the notion that the latest version of an OS somehow automatically makes me more secure. There are just too many variables, and unknown factors out there!

    To add to those who have "come out" I'll say that I continue to use WinXP for a number of reasons, nostalgia not being one!

    regards,

    ----
    rich
     
  14. wat0114

    wat0114 Guest

    IE can also block this in specified zones with "Allow font downloads": Enable/Disable/Prompt
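    The two posts above (Rmus's note that some browsers never hand embedded TT fonts to t2embed.dll, and wat0114's pointer to the per-zone "Allow font downloads" setting) both come down to one question a defender can check locally: is font download enabled for the zones untrusted content arrives from? The PowerShell below is an added example written for this thread, not code from either poster or from Microsoft. It reads the Internet Explorer zone registry values under HKCU, where value name 1604 is the "Font download" action (0 = Enable, 1 = Prompt, 3 = Disable), reports the state per zone, and offers a function to set the Internet and Restricted sites zones to Disable. The zone ids and the 1604 value name are the documented IE zone entries; the function names are my own.

```powershell
# Added example: audit and optionally tighten the IE "Allow font downloads"
# action per security zone. Value name 1604 = "Font download";
# 0 = Enable, 1 = Prompt, 3 = Disable. Function names are assumptions.
$zones  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-FontDownloadPolicy {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = Join-Path $base $id
        # The value may be absent, in which case IE applies the zone's built-in default.
        $raw = (Get-ItemProperty -Path $key -Name '1604' -ErrorAction SilentlyContinue).'1604'
        $state = if ($null -eq $raw) {
            'not set (zone default)'
        } elseif ($labels.ContainsKey([int]$raw)) {
            $labels[[int]$raw]
        } else {
            "unknown ($raw)"
        }
        [pscustomobject]@{ ZoneId = $id; Zone = $zones[$id]; FontDownload = $state }
    }
}

function Set-FontDownloadDisabled {
    # Default to the Internet (3) and Restricted sites (4) zones, where untrusted pages land.
    param([int[]]$ZoneIds = @(3, 4))
    foreach ($id in $ZoneIds) {
        Set-ItemProperty -Path (Join-Path $base $id) -Name '1604' -Value 3 -Type DWord
    }
}

# Report the current state; call Set-FontDownloadDisabled to change it.
Get-FontDownloadPolicy | Format-Table -AutoSize
```

Two caveats when reading the output: a Group Policy setting for the same action lives under HKLM and overrides the per-user value shown here, and disabling font downloads only removes the IE rendering path for web pages and HTML mail; it does nothing for the document vectors Rmus lists, which need the MS11-084 patch or workaround.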
     
  15. guest

    guest Guest

    Fine, you admit that was a moot point.

    For your person? I don't know. I'm talking about computers and related stuff.

    The "new" patched code is, in almost all cases, replacing old unpatched code. The extra MBs are mostly related to hotfix uninstallers - can be safely and easily removed with a tool like CCleaner.

    Patches really improve performance, compatibility, stability and security in a number of scenarios and it's just silly to assume that your system couldn't be any better, without, at least, some real testing.

    Who knows? Not me, but that doesn't mean the possibility is nonexistent.

    Pretty much every hacker out there knows how to compromise a vanilla XP SP2. Working exploits are publicly available.
     
  16. BrandiCandi

    BrandiCandi Guest

    Do you understand that you're debating risk, not security? Securing a computer is about layering techniques. I don't think anyone can debate that. (If you think you can I'd love to hear it). Nearly everyone in this thread has listed various security techniques that are perfectly valid. If anyone is arguing that updating the OS is not a security issue, then they DO NOT understand what updates do. I am currently searching for some documentation on this so we can all truly understand what EXACTLY not updating the OS does to your security in spite of all those other layers. I'm a "facts" kind of girl. And security consists of a series of FACTS. There is no point in debating facts.

    Risk is about determining which layers you need for your particular system. So choosing not to update the OS is definitely a risk decision. It's up to each individual to choose what their risks are, how to defend against those risks, and then deploy those defenses. Risk consists of opinion. You can debate risk until you're blue in the face.

    So... if you update your OS, that doesn't make you secure. It makes you MORE secure. You need to add layers to harden your system. No one reasonable can argue with this: the more layers I have, the more secure I am. PERIOD. However, I may be defending against a tiny threat so my approach may be overkill. But that is an issue of RISK and you can argue all day about that.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I know you don't !

    Me too.

    I already stated my comp is stable & No BSOD's etc etc. Real testing ! Jeez i'm one of the people on here, & elsewhere, that has done Hundreds & Hundreds of Real Time tests. NO problems here. Calling me silly is both Wrong & Rude

    Exactly !

    Nor on your comp. But i'm the one who's Actually done ALL those Malware & POC tests, unlike you & others. So i'm in a Much better position to KNOW how secure my comp is.

    Once again you're missing the point ! How will that stuff get in my comp in the first place if i don't let it in. Even if it did, SD would eliminate Everything.

    I'd like to see you & others like Hungry Man do some Real Malware/Exploit etc testing on your comps, & see how yours react etc. You & HM talk the talk, but won't do anything to prove what you keep preaching, unlike myself & a few others. We walk the walk so actually Know how secure we are, not just assume it :D

    Talk is cheap, & actions speak louder than words. Let's see LOTS of Real tests from you both with Many screenies etc, just like i & others have done over the years, on XP & 98SE.

    @ BrandiCandi

    Hi, you're right to say it's a Risk. But in reality with & the multiple Tests etc i've done, any potential/assumed etc risks have been & are 100% negated by the way i've set up my comp. I & a few others are living PROOF that it can be done Without ANY updates to the OS. I think it's quite an achievement to be in such a position, & for All these years on 2 OS's, when ALL the doom merchants say otherwise.

    The other side of the coin is not having ANY security software or AV etc, nor maybe even a FW, & attempting to secure the OS via policies & OS hardening etc. Some members on here do just that, & i acknowledge their prowess in doing so. But i feel that sooner or later due to All the bugs/vulnerabilities etc in even the latest OS's, exploits have & will surface that are "capable" of penetrating their comps. Whereas on mine with the Apps in place i have, that Can't happen.
     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    We do not disagree. The human element, especially in the form of leaving it to users to make choices/decision, is indeed the biggest issue with security...it has always been AND will always be unless the user is well-informed and experienced enough to make wise decisions. What I meant in my original statement was that the human element plays a part in bolstering up security if the user (or I'd rather use the word "admin") has the ability to make wise decisions based on his/her acceptance of risks (different people accept risks differently) and ability to react positively in the event whereby something goes wrong.

    That is pretty much what I do on my own systems and the ones I help to set up. Our ideology is rather similar, albeit we achieve them with different tools.

    Nope...HM, you're missing the point. You keep on bringing these new security methods into the thread saying how much of a difference it makes in terms of security, which I agree it does (I adopt these techniques too and I use EMET, remember? :p).

    Unfortunately, perhaps due to your confidence and belief in these security methods, the tone in your posts sort of implies as if everyone else who doesn't have or make use of them is simply insecure. This is something that I disagree with...

    I believe noone_particular is pointing out that in his opinion, the lack of these new security methods does not make him any less secure given the default-deny approach he's taken. Whether or not you agree with him is a different thing altogether.

    They're effective but up to what point? Let me just quote Marcus Ranum on this:

    Quoted from:
    Are the skills of a hacker necessary to build good security?

    I would disagree - 3rd-party security can make up for it, given the right tools and the right policy. You might as well reconsider and view the possibility that your current OS kernel is an 'insecure kernel' and has currently 'unknown' exploits...only time will make that 'known'.

    Agreed. I'm actually disappointed to see such fallacy happening here.

    These lines pretty much sum up what I tried to say earlier on. In fact, look below my post and see my signature;)

    Anyway, for those of you who do not understand the "default-deny" talk and/or insist that patching your systems is the only way to go for security, then perhaps you might want to take a look here:

    The Six Dumbest Ideas in Computer Security

    What Sun Tzu Would Say

    Again, if you disagree, that is your right;) Just do not push it down upon the throats of others who do.

    P.S. FYI...I do believe in updates/patching as a good practice but not to rely on it as my primary defense.
     
  19. BrandiCandi

    BrandiCandi Guest

    I'm not sure I've communicated my point thoroughly. I'm not saying your setup is a risk. I'm saying that your setup is your chosen form of risk management. You have weighed all the risks and decided that the risks resulting from a non-updated operating system are either unimportant to you, they have been mitigated by other security measures, and/or the potential problems associated with updates outweigh the potential security gained. The same goes for others' setups without a firewall or AV. Those users have weighed the risks of installing a firewall/AV and decided that the risks outweigh the benefits.

    That's different than saying that updating the OS is not an important security measure. Which it is, indisputably. So is a firewall. So is AV. When you debate if they're important to implement, you are debating opinions of risk management (which is valuable). When you debate if they're valid security measures, you are debating facts (which is fruitless).

    So yes, Hungry Man has compensated for a non-updated OS to his own satisfaction. Others have compensated for no firewall or no AV. But updating the OS/firewalls/AVs are still valid security measures for someone to implement, and I don't think anyone here is suggesting otherwise, right?
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    One of the more pertinent comments in this thread!

    Risk assessment/management is something I was taught, but wasn't talked about much around here when I first came to Wilders. People wanted to talk more about products.

    But a few years ago BlueZannetti posted a thread on security that considered risk management:

    https://www.wilderssecurity.com/showthread.php?t=252253

    A few quotes:


    ----
    rich
     
    Last edited: Jan 10, 2012
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes that :thumb: Minus what i removed ;)

    I wasn't debating if AV/FW etc are valid security measures, i mentioned that "some" people have chosen to secure their comps in other ways via policies etc etc. My methods though are different to Policies etc, as i mentioned earlier. And i do have AV/FW/HIPS etc & browser security & update them.

    Hungry Man has NOT compensated for a non-updated OS to his own satisfaction :D He does update, it's me & a few others who do Not ;)

    For most people you're right, & i don't try to force my way on others.

    A lot of members who used to post on here back as far as 2004 onwards, & some of us that are still here, discovered by experimenting that we didn't need to keep updating the OS to remain safe & secure. Some newer members naturally haven't read ALL those threads & posts & followed the scene as we have. So i'm not surprised they are shocked etc to see posts like mine & others discounting OS updates.

    People are free to do whatever they feel is right for them, & if as my case they have Constantly Proved over Many years that their methods are Always successful, what's the problem with that !

    Yes it's partly a security forum, & i'm ALL for being secure, which i am. Why some people, not you, either don't get it, or believe me & some others = ? If i was getting infected etc all the time it would be different & i'd change things, but i don't EVER get infected no matter which nasty malicious www i choose to visit to test my system, or Extremely bad Malware i download :)

    So if others choose to be as secure as me they can do via my methods, if not they can choose the other routes. At the end of the day what REALLY matters is Knowing you are as secure as you can be by whatever method you choose. I KNOW i am, because i've tested my systems Multiple times in Multiple ways, unlike others who Just talk & Only think they are secure :p

    @ Rmus

    Thanks for the BlueZannetti quote, which backs up some of what i've just said :thumb:
     
  22. BrandiCandi

    BrandiCandi Guest

    That.

    :thumb: :thumb: :thumb:

    My work here is done. (nah, you can't get rid of me THAT easily :p )

    Oh yeah... apologies to Hungry Man & Clone Ranger for mixing up who updates and who doesn't.
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Risk assessment is in the later chapters of all of those big CompTIA Sec+ books :p

    Who ever gets that far?
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Microsoft does not have and never has had a secure kernel. It may be a bit more secure than its predecessors, but don't kid yourself into thinking it is secure. You might attribute my lack of infections to luck. I attribute it to spending 2 years throwing every exploit, malicious page, and bit of malware I could find at it. I have over 130MB of that code locked away. I still test everything that looks like it remotely has a chance of bypassing my defenses. As for saying why it didn't happen, that's not hard. There's several reasons.
    1. The malicious payloads couldn't execute.
    2. The malicious payloads weren't compatible with my OS.
    3. The attack surface was isolated so a compromised app did not result in a compromised system.
    4. The targeted system component/service was not found in its expected place or didn't exist at all.
    5. Core system files and the registry are replaced on each reboot with clean copies.
    Need more?
    Regarding updating, I probably should clarify a bit. I have not installed an official MS update in ages. That said, I do update my apps and my system updates are "unofficial" upgrades that add features and fix problems that MS refused to. They've made it a faster, more stable, and more capable system than MS ever did.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The thing about testing a setup is that you're fully aware of the payload being malicious. I understand you don't take interest in social engineering but how secure would you be if you actually trusted that payload?

    I would assume isolation helps take care of that?
     