When is "insecure" good enough?

Discussion in 'other security issues & news' started by Gullible Jones, Apr 11, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Nope. Maybe a good poll question :)
     
  2. Hmm. Agreed on the wording and its implication, but I honestly don't see how that could possibly be the case. I mean if you have a dropper that runs that "specially crafted application" in someone's account, that would work, by definition. There's no way for the system to distinguish between a hostile application launched by the user sitting in front of it, and one launched by the dropper.

    Dunno, maybe I'm missing something?
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I agree the system can't distinguish between the two, but the difference, I believe, is that the local login method of running the exploit is obviously far easier for the attacker to pull off successfully than the dropper method. Maybe what MS is implying in their statements regarding the necessity of the attacker to be logged in, is that they understand kernel exploit attacks are not trivial in nature, thus the claim that the attacker has to be logged in to run it.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm too lazy to rewrite my posts. I got banned or something for "being an ass" and now it's been overturned (I have no idea, I'm definitely no less of an ass).

    Short version: I'll get around to hacking XP when I get around to hacking XP. Look for it on my site, not Wilders.

    @wat,

    https://www.cr0.org/paper/to-jt-party-at-ring0.pdf

    I suggest you read that.

    I could find much much more research explaining the issue of local kernel vulnerabilities, but that's one of the more clearly written pieces explicitly about it. Pay attention to the Windows section.
     
  5. Wow, there were some crazy unpatched vulnerabilities in Linux from 2009-2010.

    Anyway. I'm understanding maybe a third of the content in that PDF, but I'm getting the impression here that most monolithic kernels are made of paper mache?

    Also

    That's... pretty pathetic.

    Sigh. From the looks of it, the truism about the only secure computer being unplugged is basically on the money.
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    IMO, Linux devs have always strived for more kernel features, not security.

    Like what Mr. Torvalds once said about security-oriented people/devs (openbsd) -> are *** monkeys sums it up well I think.

    I'm not an expert but my feeling is that Microsoft has definitely caught up with unix-like systems especially with W7 and up. Unix (and later Linux) was developed when the concept of malware more or less was nonexistent. W7+8 otoh were developed with hardened security as one of Microsoft's highest priorities since the malware landscape we're seeing today is far far more acute and devastating than it was in the seventies.

    And honestly I trust Microsoft's download servers more than unsigned and unverified Linux packages from a mirror server in Russia. Only quite recently did the prominent and popular ArchLinux start signing their packages and that gives a hint, I think, why security in the Linux world will hit it hard sooner or later (which it did in a smaller scale with the embarrassing openssl patch). There are very few security oriented Linux distros and more often than not the user must get their hands dirty by patching the kernel with this and that, install HIPS-like software and so on. That alone tells me that Linux is not secure out-of-the-box.

    Today I downloaded Google Chrome on my Sabayon Linux box and while the SHA1 sum, supposedly, was good, I couldn't help wondering if the obscure Italian mirror that the package originated from was trustable.

    It's probably not fair to judge a system's security by going on what my gut tells me but I'd like to maintain that Microsoft has been unfairly criticized for too long.
     
    Last edited: Apr 12, 2013
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    If you got banned for "being an ass", how can it possibly be that a fairly decent amount of others here haven't? Hell, how have I not? :D

    Anyway, people are going to think they're secure when they're not, and people are going to be paranoid and throw everything but the kitchen sink to secure their systems when they don't need to. I doubt you'd change any minds here even if you did tear XP apart and prove it with pics, logs and what have you. Those who know XP being still in use is a danger aren't going to change their minds, those who don't or don't care aren't going to either very likely.

    Honestly what MS should do with XP is the same thing they do with known pirated/unlicensed copies. The day MS tells XP to go fly a kite, they should start darkening the screens, throwing pop-ups on the screen, the works. Annoy the ever-loving crap out of users until they give in or suffer the annoyances. I don't honestly see it giving MS too bad of a black eye in public. They've been warning users for years now, they've made enough public announcements, done the "countdowns" for IE 6 and all that. Even corporations have had plenty of time now. I say nuke em all with annoyances.

    I'm sure some will say MS will just lose customers to Linux (lol) or something. No, they won't. For corporate, after years and years of everything being built around Windows, training, programs... they won't likely scrap all that and start anew with something entirely different. Home users, eh, they might dip their toes in the waters of Linux or suffer the annoyances out of spite. But more likely the next time they walk into a big box store or shop online for a new system, they'll get what comes with it and either put 7 on it or stay with 8. That's if they go PC, if they buy mobile, XP won't even be an option.

    Maybe I'm a dictator in the making, but I think enough is enough.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    @HM,

    thanks for the link, but I've skimmed over many others similar to it in an effort to understand how these things work, but most of it's way over my head.

    What I do get is the claim they can infect if one stumbles upon an infected site.

    Okay, so all I'm really looking for is an example in step-by-step form with nice easy to understand pictures and language of how this latter type exploit of the kernel can occur. All these .pdf pages I see offer nothing but point form pages of very difficult to understand, for a layman like myself, technical details rife with obscure pictures of code. They don't ever explain how it could work in a typical real life situation where someone stumbles upon the infected site, then the exploit triggers and how it goes through the process, from start to finish, of infecting the victim's machine, and more importantly how it bypasses security measures such as NoScript, SRP, AE, Sandbox, EMET etc...
     
  9. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    You're never going to get 100% protection on a system regardless of how you configure it, what applications you install/run, etc. But doing nothing to secure your system is equivalent to throwing in the towel. But short of disconnecting from the internet completely and removing/sealing all drives/ports on your machine. I think consumers should be smart about their browsing practices and I think they should be paranoid for any activity that involves connecting to the internet. Why? You can drastically reduce your odds of being a target by storing and accessing personal/private content from a non-networked machine only. But the consumer has less control when it comes to internet based activities like signing into websites. They can only do so much to secure their account data, to screen websites, harden their system against infection, etc. But at the end of the day, it doesn't mean squat if the server you're connecting to doesn't adequately protect your information. Probably the only segment of the consumer market that doesn't care about online security are people that surf the internet but never sign into websites. So what if we can't get it right 100%. I hate to imagine how history would turn out if we had a "just give up" perspective.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That would be a great thing!

    It would force me to go linux whole-hog! And also everyone I know who wants me to support them.

    Really, I can't think of a better scenario happening. Heck, I bet the gaming industry would start supporting linux like crazy if that happens.

    I say bring it on! ;)

    Sul.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    That would only work for people who use WU, and/or visit/use MS www's. Even then, faking the OS/BSR ID would bypass that :D Of course most people wouldn't know how to do that !

    They "could" be sued by companies for interrupting/loss of their work, due to the messages etc :p
     
  12. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    Even if the company implements changes intended to cripple services or restrict their uses, people are resourceful enough to find a way to get around it. The rest of the "sheepeople" will simply use what those third parties figured out as long as it's packaged in a point and click setup. There is also a percentage of users like myself in the middle that will follow a more technical guide if the benefits are worthwhile, but I'm not yet at a level where I can navigate around such restrictions by myself quite yet. I'm not saying this to endorse people pirating software, but I do support using third party bootloaders and other workarounds when a company plays these kinds of games with paid customers.
     
  13. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    There isn't much to "get around" when Windows Update stops working, period. And that's what needs to happen, along with my other suggestions. No special bootloaders or workarounds are going to fly in the situation I proposed. The pirated copies can't get stolen licenses, the temporary 30 day grace period resets won't work, none of it. In the situation I proposed, from what I can see you're well and truly screwed. MS wouldn't be "playing games" either. They've literally spent the last few years telling people this was coming. There hasn't and won't be any pulling the rug out from under customers. In any other industry and most other companies, when time runs out, it runs out whether you beg, plead, borrow or steal. MS has been more than generous with its support of XP.


    @CloneRanger: Enough people have Windows Update set to default that such measures could be snuck right on in there, lol. Faking the OS and all that jazz, yeah, not going to happen with the 99%. That's Wilders territory, lol. As far as suing goes, yeah it might work in some cases. But, again, MS has done all it can to support the slow as molasses corporate world. That would count for something in court. A good portion of these "necessary" programs corporate worry about are "home brewed" and not official MS software. In cases like that, sorry, but MS isn't responsible for your company-specific software being so old or crappy that it absolutely relies on XP or IE 6. That's the corporate big boys' problem, not Redmond's.

    @Sully: I don't think it would make a bit of difference to the gaming industry. XP isn't even in their memory anymore, let alone cared about. As for users, well, hey, better an updated and supported Linux distro than a dead OS :D
     
    Last edited: Apr 12, 2013
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Interesting. Do you believe in printers that automatically stop working at X prints, cars that stop working at Y miles, phones that stop working at Z minutes regardless of how much life is left in them, regardless of whether the owner considers them still useful, and regardless of whether or not they actually cause harm to someone (else)? Do you really think it would be wise to promote, or even just refrain-from-opposing, scenarios where manufacturers disable, or otherwise render non-useful, their products whenever they want to?

    If you are concerned about the consequences of people running insecure software, then address that *broader* issue. Promote disconnections for ISP customers who become part of a botnet, hefty fines on companies that experience a data breach, doubled awards in successful lawsuits where harm stemmed from technical negligence, etc.
     
  15. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Those are pretty terrible comparisons, Wind. A dead OS that can't receive updates, especially security ones is quite different from your scenarios. Fact is, XP is dead, insecure and, if connected to the net, dangerous to user security, whether it's one person or a million. The problem with your suggestion to address the broader issue is that it's never addressed. So, if these issues aren't addressed, then MS has to shoulder the responsibility and cut these people off. I love your ISP suggestion and, in some cases, that has happened. But good luck getting ISPs to cut off net access to millions of monthly paying customers. As long as bottom lines keep trumping security, there won't be any addressing the broader issue. So, MS needs to play the bad guy now.
     
  16. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    @Mman79

    Sorry but I'd have to disagree with your statement for three reasons:

    For starters, disabling the update services for older applications and platforms is not a major concern. Why? The user is already confronted with discontinued support and third parties would disable these services anyways to block the forced changes/annoyances you're talking about. This would prove costly for Microsoft because now they are fighting to block sites instead of being able to control the problem across a service they are actively supporting. This is equivalent to trying to force a dress code on online students working from home. It's one thing if you can catch them on campus in a physical classroom, but try mandating this in someone's home. It's just not going to happen. It's the same reason why developers cannot fully combat pirating.

    Second, you cannot force everyone to go through the cookie cutter. There is always going to be some niche that passes around it. I do believe there are enough to not only support a knock-off or patched version, but maybe even a shared cloud version in the near future. Given Microsoft's recent posturing with pushing Windows 8 and always-on/connected consoles, I don't see a lack of support for a Windows XP or Windows 7 knock-off or fix.
    If companies are trending towards cloud solutions for everything. Honestly, do you think Microsoft can tackle third party workarounds on a platform they are not supporting? To do so would require them to spend money on something they don't want to spend money on in the first place. Also the current trend with Windows OS development seems only to be growing support among people I know to either switch to another OS entirely or to desperately hold onto an older OS like Vista or Seven. I don't see this trend changing and it's likely what is happening with XP will happen with 7 as well.

    Third, even for applications and platforms that are actively supported. If the company forces the annoyances over the live update there are third party tools to block and hide such elements. They still come over the update, but the user doesn't have to look at the annoyances: advertisement, pop-up, etc. Similar to inspect element in Firefox. With a bit of scripting you can make the process automatic each time you open the applications or each time it triggers the annoyance. For some this is livable and would be a nightmare for companies to address. I can only think of a handful of annoyances that this wouldn't work on, but most companies don't employ these and some have other workarounds already. If you know of such a change that could not be bypassed, I'd be interested in hearing one.

    As a general disclaimer, I'm not suggesting someone should do this nor am I confessing to doing this myself. This is purely intended to highlight what I know is already possible and what I expect will happen in response to companies that push these tactics on paid users (particularly).
     
  17. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    What 3rd parties would actively block such measures by MS? I mean, seriously, why in the name of the lord almighty would some random 3rd party go out of their way to make a workaround for a dead OS? I'm clearly missing some hidden, angry mob out there in the world that is seething because MS wants to kill an 11+ year old OS that they've already gone way out of their way to support.

    Windows 7 knock-offs or workarounds, I will 100% side with you in the opinion that somebody out there would do that. XP? It's a waste of even the hacker kids' time who, by the way, are almost always the ones developing these "workarounds" and uploading them to some shady ass site... which is the last place anyone with a dead OS should be visiting.

    I'm really amazed at how hard people are trying to hold on dearly to this, and the amount of argument they'll put into "No no, XP will never die!". If this discussion replaced XP with Windows 98, not a peep would be heard, lol. All that said, I've run out of steam and caring for the discussion. We'll see what happens a few months from April of next year, but I don't think it's going to be pretty for those who don't just stop being so stubborn and move on. Either way, enjoy your XP, lol.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    In my case, I'm "hanging on" only to see if it really can be exploited. It's a kind of game for me to see if it really is as insecure as so many claim it to be, and therefore, according to what the pundits are proclaiming, I should see my setup exploited any time now. I personally guarantee I will post here the day it happens. Just don't hold your breath ;)
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    @Mman79: I was/am just trying to get a feel for your boundaries. There will always be newer versions of products, which of course will be represented as being better in various ways, which may in fact be better in some ways. More often than not the newer products are also worse in some ways. Is Windows 7 more "secure" than XP? Is Windows 8 more "secure" than Windows 7? Truth is, such questions are very difficult to answer. It very much depends on how the user has things configured, what their (additional) layers of protection are, how they use it, what weights the user puts on various types of security, etc. This would hold even if we assume that the earlier version is no longer receiving updates. The potential consequences of which we won't know until we see what if any new non-patched vulnerabilities get disclosed.

    You may personally feel that it is appropriate for Microsoft to render XP installations unusable and force people to upgrade. I might even agree with some of your logic. However, you are proposing to artificially induce breakage in a product that doesn't belong to you and arguably doesn't belong to Microsoft either. Across the board no less... regardless of the conditionals I previously mentioned and regardless of whether or not the XP instance has actually done any harm! Read the last sentence twice because that is really important. Furthermore, you are proposing that the manufacturer and entity with the worst conflicts of interest be the entity that makes such decisions and carries them out.

    I could add paragraphs about how Microsoft's newer solutions are a greater threat to information security and privacy, how its central store model is a threat to software availability, how its driving of people into cloud based solutions will reinforce such threats and add others. All those things must be factored in as well. If you forced people off of XP and they go to Windows 8, would you really be pushing them into a better place overall? That seems debatable.

    Please be aware that I'm not trying to argue that people should continue to use XP. I'm just criticizing the idea that it would be good for Microsoft to artificially break it. It will fade away over time, and for that matter I'm sure overall much worse solutions will take its place. No need to rush that though.

    Edit: FWIW, I do like the idea of alerting users to approaching end of support dates. Just something informative that makes the user aware and gives them a push towards making a decision about what they want to do.
     
    Last edited: Apr 13, 2013
  20. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Some kind of non-obtrusive warnings informing about the imminent EOL of XP would be healthy overall.

    Such warnings could appear when security updates are successfully installed, for example.

    Or, after the last update in 2014, during every initialization (with an option of not being displayed again).

    But I don't agree with forcing reduced functionality - especially on clean and original XP installations.
     
    Last edited: Apr 13, 2013
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Has Microsoft ever done that with an OS? I mean, arranging for the OS to display such a warning to its user(s). I have no recollection of it having done so, but then perhaps I simply never saw it.
     
  22. guest

    guest Guest

    I get tired of the attitude that you have to upgrade or the sky is going to go black mentality, 5 years from now all the Win 7 thumpers will be saying upgrade to windows 11 then a little time more windows 15 and more windows 25 and more windows 456 and so on.

    I know eventually you will always have to "CHANGE" operating systems as the world moves on but you are only as secure as the operator at the keyboard,
    this is not meant as an insult but if you have an "operator" who got their system at Walmart and the truth is they only know where the on button is "THAT" system will never be secure no matter what OS you are using.

    Security is in the hands of the Operator :cautious:
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think the real issue the topic brings up is that people don't really get they're insecure. It takes XP being insecure as a 'given' and explains that they're just ahead of a bunch of worse PCs, but people think they're actually more secure on XP.

    @guest,

    The operator can have an impact on the system, but it's the system policies that define the security, not the user.

    Easier just to quote myself:
    Security definitely isn't in the hands of, or the responsibility of, the operator.

    Do not mistake the fact that no one, including yourself, seems to be able to come up with software that protects the user from social engineering with the idea that it's impossible. It's easy to come to the conclusion that because the problem seems impossible it must be impossible, but it isn't.

    It is very possible. Just not with the current security tools out there.

    The mentality that security breaches are the user's 'fault' is what's led to a stagnation in the security models we see.

    I think it would be a wake up call for some members if they just got RCE into one of their programs and saw how much they could do from there: run local exploits, read the file system, write to the file system, etc all from within shell.
     
    Last edited: Apr 13, 2013
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ ibit

    Re your cold analogy

    If we read up on cold etc prevention, especially natural methods & not Big Pharma crap that isn't really interested in cures, only constantly selling you stuff that temporarily relieves symptoms, then you CAN be immune etc !

    Now if we get really silly & use a similar analogy & say we could do the same with something/s far worse than a cold, then the analogy won't hold up, as they are way past equal comparisons.

    What people need to remember is, for Anything to get in & do something unwanted,

    1 - Either we have to allow it, or it's auto allowed due to the way the Comp/Browser etc is/are setup.

    2 - Then it has to Run/Inject/Install etc

    3 - If good measures are in place to Prevent/Alert All of the above, what/how can Anything infiltrate ?
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Your big pharma spiel, I don't even feel the need to react to that, I apologize but if you're taking the metaphor to such a weird place, no idea.

    Nothing within there really makes me feel any less confident in the cold metaphor.

    1) You don't really allow anything. The hacker simply takes it. Unless you mean "turning on the computer" is "allowing" anything.

    2) Yes, it does have to run. What's your point? I hope this isn't another confusion of what 'execution' is - AE really is a misnomer, anyone touting "antiexecutable" should really be ashamed for promoting the idea that they're stopping execution.

    3) They aren't.

    This is a really good example of "go run metasploit". Incidentally I talked to my NCS team and one of them had recently been hacking an XP box for a presentation. If he's left his system up and configured I may record doing something similar, but I encourage you to try it yourself, and see that AE isn't preventing execution of shellcode, and that shellcode is very powerful.
     