Windows XP is dead, long live Windows XP

Discussion in 'other software & services' started by Mrkvonic, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Let's shatter a few more myths. Security, it's like STD. There's really no point in getting infected unless you want to. Hence, ipso facto, this important article about an experiment where a Windows XP system is gonna be kept running after the official End of Life (EOL) date, with latest updates and minimal security in the form of EMET and SuRun, in order to test future software compatibility, usability and system aging. Party hard.

    http://www.dedoimedo.com/computers/long-live-windows-xp.html


    Cheers,
    Mrk
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Java 7 update 55 is compatible with XP.

    Advice for IE8 (occasional use):

    -Block Script (press F12-tab disable....):


    2.jpg

    Trick 1803 (Block Drive by-download):


    1.JPG
     
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    I find the testing using only those two security related applications a bit wanting if the researcher is actually attempting to follow software compatibility with XP going forward from EoL. While it may be interesting to test against the latest version of FF or Opera, chances are that older versions of those browsers will continue to work as intended for a very long time without upgrade as is evidenced by those who held firm to IE 6 for so long before giving up and upgrading. The study also glosses over the risk the EMET solution will lose XP support AKA MSE.

    Any indication that the researcher will evolve in their testing schedule and look at a wider range of current applications both security and non-security related?
     
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Oh dear lord.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,129
    Location:
    USA
    I'm interested in this too. Many of my customers who are running older XP boxes have asked me if I think they should replace them immediately. They don't know how to evaluate the threat and I don't precisely know either. It seems to me if XP users keep their security software current and use an updated browser (in other words not Internet Explorer) they don't need to rush out and buy a new computer, but is that actually true? Now that MS has released "update 1" for Windows 8.1 and made it more usable it might be better for inexperienced XP users to move to it.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    I run 4 computers. Two are new desktops with Win 7X64. I also have a Sager 9263 which I upgraded to Win7x64. It's okay, but has some issues as there are no Win 7 drivers for it. My last machine is a Thinkpad X60 tablet. Not going to even attempt an upgrade. It runs Tablet XP. I have no intention to replace hardware that is functioning fine.

    I would note that for the last three years of the XP computers I did no Windows updates, but the machines were well protected. What I run on the tablet is... Sandboxie, Eset Nod32, Online Armor, NoVirusThanks Exe Radar Pro, and Appguard. I am not at all concerned going forward.

    Pete
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Coldmoon, this is not research. It's a usage model, very similar to what 90% of people do. Now, with a limited account and emet, that's how I see it. Other security products do not interest me. I don't see value in using them. If someone wants to download baddie.exe, that's their problem. I'm interested in preventing accidental damage, which is where surun comes in, and memory problems, which is where emet comes in.

    This is not: hackers, lo and behold. It's entirely practical.

    It's also about all the scaremongering and how nothing special happens just because a certain date came and went.

    Mrk
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Unless MS starts building kill switches into their operating systems (which wouldn't surprise me a bit) an OS is alive as long as it serves the user's needs.
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I very much doubt that 90% of XP users actually use EMET and a limited account.
     
  10. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    This assumes that the "someone" had a say in what was being downloaded, and "accidental damage" is rather vague, don't you think?
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The STD aspect of computer security is that the risk depends on what you do with them. If what you do is not very risky to begin with, the chances of being exposed to an exploit are very low. Avoid porn and wares and you've won more than half the security battle already. This can be further reduced by a few more security measures. Using a limited user account will mitigate most attacks even if an exploit attack does happen.

    Everything I have running XP will continue to do so. I manually select updates that are installed and that XP nag notice was denied the privilege of installing itself in my systems.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Ok, so some answers:

    moontan, I will be doing what 90% of people are, and use surun + emet, not saying they are.
    Coldmoon, correct, but my experience shows otherwise.
    Mister, I disagree with porn sites and alike - nothing special about them.

    Mrk
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    lol, same here. I see it has a check box to never show it again, but I wonder if it really goes away forever or if it comes back from time to time? My friend told me about that nag as a con of staying on XP and I responded: "umm... I deselected then hid that one". And he was like: "oh..." Custom installing didn't even occur to him. It's the only "critical" update I haven't applied to XP. But serves as a reminder as to why I'd continued to look over every one of them all these years before installing them. There was that one update for .NET Framework too that added an annoying addon to Firefox, but once I decided to just do away with .NET FW altogether it was no longer an issue.

    It will be cool if/when my buddy Pepper bangs out Open EMET to be able to utilize its pluses without adding the attack surface in the process. As it stands now I don't like the trade-off personally in my isolated case.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Yeah, this is pretty much the way I've experienced things as well, and I don't think my online activities are that much different at all from the average user. Technically and in reality XP is more vulnerable than recent O/S', but it doesn't necessarily mean an XP box is going to get raped and pillaged by web-borne nasties. On our oldest hardware I no longer use XP on it because I've discovered Linux distros that perform much better and they suit my basic needs. Linux also, for me anyway, makes securing the platform that much easier. Boring even.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Unfortunately, it's the other half that can present a huge problem!

    For example,

    Vast majority of malware attacks spawned from legit sites
    Drive-by attacks not just from porn and warez sites, new Google data shows.
    by Dan Goodin - Jun 25, 2013
    http://arstechnica.com/security/2013/06/vast-majority-of-malware-attacks-spawned-from-legit-sites/
    Surprising hack found on multiple sites
    http://blog.avast.com/2012/03/15/hack-found-interview-site/
    March 15th, 2012
    Most Malware Pages are 'Hacked' Legitimate Sites
    http://www.spamfighter.com/News-8907-Most-Malware-Pages-are-Hacked-Legitimate-Sites.htm
    SPAMfighter News - 17-08-2007
    One of the most notorious exploits was the Miami Dolphins' web site breach from 2007:

    Super Bowl-Related Web Sites Hacked
    http://www.pcworld.com/article/128750/article.html
    February 2007
    Note that both of the Microsoft vulnerabilities were patched four months prior, indicating that not everyone updates their OS.

    And certainly, not everyone has the types of security products that many here at Wilders talk about.

    Note that even this security measure doesn't always work:

    http://www.zdnet.com/research-80-of...-had-antivirus-software-installed-7000001679/
    By Dancho Danchev for Zero Day | July 27, 2012
    The computer scene today is so complex that no one solution is adequate as a formula across the board. There are just too many variables: user experience being one of the most important, which is what Mrk emphasizes.


    regards,

    ----
    rich
     
  16. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    853
    Boring yes indeed. The last thing you want with security protocols is excitement.

    From a home user's point of view - I believe the key things are..
    1- Avoid porn and warez
    2- Learn and carefully screen "DownLoad NOW" buttons and banners
    3- Watch the install process of even reputable utilities and programs
    4- Be alert for crap like "BetterBrowser" and "OpenCandy" adware and toolbars
    5- Sandbox unknown attachments and pay attention to filesizes
    6- Be aware of where your email is coming from, watch for phishing and spoofing
    7- Learn how to do an on-demand scan of suspicious files
    8- Be aware of the reputation of the websites you visit

    Once you are well versed in the above activities you'll be 90% of the way toward having a secure system.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    What EMET, LUA and SuRun do on XP after EOL is simply buy the user time by hardening it compared to the rest of XP setups at default settings. You are slightly safer by virtue of being different from the lowest hanging fruits. It is nowhere 'secure' by any reasonable standards in today's context.

    Why? Simple. Neither is it scaremongering nor is it hype.

    XP has no ASLR. Period. EMET, as good as it is, does not bring ASLR onto XP.
    http://www.rationallyparanoid.com/articles/microsoft-emet-3.html

    ASLR is an important mitigation technique on any modern OS (Mac OS X and Linux included).
    http://en.m.wikipedia.org/wiki/Address_space_layout_randomization
    http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx

    LUA is good but on XP, it is weak and is no security boundary. It has no User Interface Privilege Isolation(UIPI) and is therefore more susceptible to shatter attack and privilege escalation.
    http://en.m.wikipedia.org/wiki/User_Interface_Privilege_Isolation
    http://en.m.wikipedia.org/wiki/Shatter_attack

    SuRun makes it more convenient to run as LUA by allowing elevations. One has to take note of this though:

    SuRun elevations can allow malware to elevate in a standard account.
    https://www.wilderssecurity.com/thre...ware-to-elevate-in-a-standard-account.293014/

    Combine the above with the fact that XP EOL means kernel flaws will not be fixed. No amount of security software running on the OS can compensate for it.

    Still want to run XP? Make sure you understand the risks.

    If I were to run XP, I will either:
    a) run it offline on a dedicated machine
    b) in a VM on a supported OS as host (be it Win7/8 or Linux)
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    ASLR is overrated, just so you know, but never mind.
    The whole point is to run this box normally. That's the point.
    I'm not gonna start downloading donkey pr0n just because of that.
    Or downloading cracks. Not the point. Regular normal usage.
    With some extra hardening to make it spicy. But even that's unneeded.

    Some of you guys are missing the idea.
    It's to see whether xp can survive and offer usability to people who CHOOSE to continue using it. And for how long.
    On top of that we layer some unorthodox security, to address the overblown concerns.

    It's not my primary machine. It's just a test box.
    An experiment ...

    Mrk
     
  19. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    As we have already seen, some of the new malware has the ability to hide much more successfully and little or nothing to trace its origin or exactly what damage it has done. You don't have to be a downloader of porn or pirated software to become victimized.

    Prevention is now more of a guessing game than it was and I see no way that anyone can be absolutely certain their computer security and- by extension- their privacy hasn't been compromised. Many of us here at Wilders could be infected with some stealthy exploit for which there is no currently available detection process.
    We just don't know- we think we know, but in reality, we only suspect our operating system is clean because we see no tell-tale signs of compromise. Those signs are based on what we already know and have experienced. If/when something new comes along that doesn't fit the pattern and methodology our anti-malware and anti-exploit applications are designed to recognize and detect, we become vulnerable.

    Yes, the bad guys will certainly be targeting XP but (they) will target any operating system with a vulnerability. The reality is that the bad guys become aware of a vulnerability before anyone else and exploit it for all it's worth. Microsoft has always promoted its latest OS as its most secure ever and people buy it believing they are safer because of that purchase. That is a dangerous leap of faith because no OS can protect against ignorance and stupidity.
    We don't know; Windows 8/8.1 could become the least secure and most exploited operating system in computing history as exploit strategies become increasingly more sophisticated and the average user less so.
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    @mrk

    There is a bit of contradiction in what you mentioned.
    You said that ASLR is "overrated" but you praise EMET as the best thing to come out from MS. You do realize that ASLR is one of the most important mitigations there is?

    Then, you mention LUA and SuRun. Group policies on another article of yours. I am all for OS hardening. But on XP on EOL...I would say that deserves the "overrated" tag a lot more than ASLR.

    If people are missing the point, it doesn't help if an expert almost always dismisses anything related to security as "overrated" or "overblown". It's one thing to look at security in a calm manner but it's a different thing to downplay the risks too much. It may be an experiment for you but for others reading your XP articles, they need to be aware of the risks. I mentioned what design issues there are with the suggestions you made so that people reading it are informed and not led to a false sense of security.

    P.s. Exploitation of a system does not require downloading crap. No need for donkey or monkey pron (weird taste btw). Cracks are optional. :p
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    People would be much better running a Linux distro to connect to the internet and keep XP offline entirely in dual boot.
    If you are not married to any Windows software then you could get rid of XP entirely.
     
  22. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    @wtsinnc

    The latest OS is always more secure against exploitation. It is by design thanks to kernel and architecture improvements. It's not just Microsoft. The same goes for Linux for e.g.

    Microsoft promotes their latest as the most secure because it IS within the Windows family and its support term results in a later EOL date. Do they make money? Yes. But money doesn't take away from what is a fact.

    In the future, when Windows 10 or 20 is available, it would be the same story.

    As for user stupidity, no system can cure that. Social engineering is a different story and is independent of platform...be it OS or browser.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @ Mrkvonic:
    If you want a more reliable test, just give an XP machine with SP3, no EMET or limited account, since the majority don't use that.

    Give that machine to a bunch of teenagers and see how long that lasts. lol
     
  24. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943


    I have absolutely no issue with Microsoft- or any legitimate for-profit company making money. They must if they are to continue to exist.
    -But-
    The theory that the latest is the most secure is relative and dependent on what that security is meant to be and whom it is meant to serve.
    Whether or not Windows 8 is truly more secure than any of its predecessors will never be known as its mainstream life span will apparently be rather short.
    It hasn't been adopted by business or governments to any degree until recently, so the susceptibility or lack of susceptibility to malware and other forms of exploits cannot be compared to earlier operating systems.

    While Windows 8 does incorporate newer technology, exploiting it is only a matter of talented and motivated hackers deciding W-8 is worth the time and effort.
    Because Microsoft has worked closely with the NSA for years, how secure your install of '8' is will not be up to you but up to those who know how to get in without your knowledge or consent.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Mrkvonic says ASLR is overrated because he has no concept of how a program actually works, how ASLR works, what security means, or really anything relevant.

    This is why you don't take your security advice from physics majors turned sysadmin. To be very very clear - having a few pieces of paper that you pay for does not make you an expert in security.

    The irony of praising EMET and then calling ASLR overrated should not be lost on anyone.

    *If you still feel his opinions or this topic are worth taking notice of I feel bad for you.*

    That said, my post will probably get deleted by a mod or something lol I have no time for these things anymore but lol
     