XP security

Discussion in 'other security issues & news' started by lunarlander, May 16, 2014.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    I was thinking about Windows XP's security. XP needs Internet Explorer to do Windows Updates. Would the first update be a vulnerable process if someone attacks IE at that point? As IE is un-patched at that point.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    It doesn't matter now because MS has stopped updating XP !

    Previously you didn't need to only use IE to update. As i & lots of others used to go to Technet @ MS with Firefox for eg, & select which updates we wanted to download, or not, & install offline, if we wanted, as i did.
     
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Yes I know MS has stopped issuing updates for XP. I am thinking for the users who need to re-install XP from scratch.

    There are 138 or so patches coming their way for a XP machine updated offline to SP3. That's an hour of downloading, depending on their download speed. Isn't that an hour of vulnerable-ness ?
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Well if you have a good firewall installed that's closed to all ports except the one/s you explicity open with IE, & do NOT surf Anywhere else before you go online, & then ONLY allow the updates, you will be fine. If you just have a router, you still should be ok.

    Plus i expect that you might have some other security software installed, such as an AV etc ? Even if you havn't yet, there should be no problem. As soon as the updates are downloaded, close IE & disconnect the router/modem etc from the wall socket, & let the comp do it's thing, such as rebooting once or more, if required. When it's all done, reconnect the device & job done :)

    By the way, when i said i used to DL the way i did, that was on an earlier XP/SP2 install. This one has NO updates ;)
     
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Not really. You can make the same argument for Vista, Win7 and Win8 installing patches after a fresh install. I've played around with older versions of Windows before, such as 98, and ran Windows Update. Thing with the older versions like 98 is they don't even have firewalls (Windows didn't start shipping with a firewall till Windows XP Service Pack 2). So with Win98 you'd have to run it behind a router that has a firewall.

    But no, no one is going to attack your system while the Windows Update progress bar chugs as if it's some kind of techno thriller movie. edit Though personally, it makes the stinging pain of the wait more fun for me to think it is like that.
     
    Last edited: May 16, 2014
  6. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    You could use an offline update downloader like WSUS Offline Update: http://download.wsusoffline.net/
    This way you can create an USB or DVD with updates and then reinstall your OS and apply all security updates while being disconnected from the internet.
     
  7. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi CloneRanger,

    Well I do use a third party firewall, Comodo, which should be good enuf. But during the Windows Update download, I walked away, and when I came back, it had a window which tells me a list of updates were not applied. So not thinking, I tried Windows Update again and all updates succeeded the second time. Thinking about that incident, it could be that IE was attacked. I understand a stateful firewall only allows matching ip and port traffic to reply back. However, Windows update is a well known address and an attacker can simply try all high ports and then get thru. A firewall can only do so much.

    Hi Veeshush,

    Windows Vista and onwards uses a Windows update program and not IE. So it is different from XP. The Update program in my experience is pretty fool proof and is an improvement over XP's update process with IE.

    Hi Nebulus,

    Thanks for the link. I am trying that now.
     
  8. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Just having IE open and browsing to the Windows Update site though doesn't really pose a risk. And the default page for IE is msn.com, so an attacker would have to compromise msn.com (something that'd you hear about on mainstream news) to infect your unpatched IE.

    The gist of IE vulnerabilities require that you first visit a malicious site. It doesn't just run and then bad guys ping it with attacks.
     
    Last edited: May 17, 2014
  9. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi Veeshush,

    Yes, most of the browser attacks does require you to load a web page. I feel a bit safer now.
     
Loading...
Thread Status:
Not open for further replies.