Usher

Well, installation in a virtual machine is not a fully clean installation… Or am I wrong?

Is this Windows installation tweaked in any way? Did you install MSI 4.5 (WindowsXP-KB942288-v3-x86.exe)?

The files contain only certificates with different timestamps, there is no specific metadata with global timestamp inside. The updater always shows timestamps taken from the server. If you re-upload any old file, it will have a new timestamp.

The last (third) screenshot is new, see the date 8/3/2020 (August 3).

That's not true. There are two unchanged files: roots.sst is the same as it was 2 years ago, dated 2018-04-18; disallowedcert.sst is the same as it was a year ago, dated 2019-08-13. They were just freshly copied to that download server, other servers may still keep old copies.

How do you want to do it? You can't change any WU client file - they must have valid digital signatures.

@max-h I mean function available as a shell extension. Right click the cab file in Windows Explorer, then select its properies from the context menu and you will understand…

Signature checking function provided in Windows XP works only for files less than 512 MiB.

Wrong address. It's here (HTTP, not HTTPS): http://www.update.microsoft.com/microsoftupdate/v6/default.aspx Edit: I can connect to WU, but there's error 0x80244019 when trying to search for updates.

Well, finally I understood what MS did to KB4507704 for Windows XP Embedded. It's an update by downgrade described using corporate newspeak ;-) You should just read list of updates here: https://support.microsoft.com/en-us/help/914387/how-to-configure-daylight-saving-time-for-microsoft-windows-os in reverse order: 1. Go to May 2019 update - it's KB4501226 described here: https://support.microsoft.com/en-us/help/4501226/dst-changes-in-windows-for-morocco-and-palestinian-authority As you should know, there was an update for Windows XP Embedded, but now it's removed. Explanation is in the newer update so… 2. Go up to July 2019 update - it's KB4507704 with note "This update was revised on August 13, 2019, to apply to Windows Embedded POSReady 2009" and explanation about fix for Morocco: "The base time for the "Morocco Standard Time" time zone in Windows did not update correctly to UTC+01:00 as expected in the Windows DST update that was installed on May 21, 2019 (KB 4501226). Instead, the system clock shows an incorrect base time of UTC+02:00. This update resets the base time to UTC+01:00." Now what was revised: Some stupid person mistakenly counted KB4507704 as a fix only for Morocco, related strictly to broken change for Morocco in KB4501226 and ignored other changes (for Brazil and Palestina). So when Ramadan in 2019 was ended, they removed both updates for Windows XP Embedded – the broken one and the fix – and they called it "Update revised for Windows Embedded POSReady 2009". Conclusion: Don't install KB4501226 and fix for KB4507704, prepare fix for KB4557900 (May 2020 update) – again for Morocco… (and other changes).

KB4507704 is still available for Windows 7. I downloaded it yesterday. It's in *.msu file so it should be repacked to use in Windows XP. It looks like there is only update for time zones and their names in all available language packs (plus manifests, certificates, hashes and other bureaucracy).

Do you need update for time zones only or anything else? I can save registry entry for time zones from Windows 7 and share it…

Unfortunately, I can't find KB numbers, only dates and info about Windows Server 2003. I suspect there might be updates for 32-bit version there. On the list you have linked above there are only two strictly related updates: KB4018271 for IE8 x64 and KB948963 for AES. Update for IE is too old to contain properly working TLS 1.1/1.2 implementation (latest fixes were in KB4483187 in December 2018, EDIT: and possibly in cumulative update KB4493435 for IE8 in April 2019), and there is no update for SHA hashes and TLS 1.1/1.2 themselves (they were in KB4019276 for XP 32-bit, released after KB4018271 for IE8 64-bit). Of course, if I find any new info, I will post it here…

AFAIK, you should search for Windows Server 2003 x64 updates.

I suspect that you are asking in the wrong topic. It looks like you have missed updates for certificates (rootsupd, rvkroots) and possibly some other updates described as optional (f.e. timezones). It's really hard to guess with so many updates…

It's not a problem with DSL, I'm afraid, it's about email. In shortest words, if you don't use any proxy or antivirus scanning email messages, use following settings for email: Turn off all SSL versions, turn on all TLS versions in Internet Options (TLS 1.1 and 1.2 are unchecked by default during update) Check (turn on) secure connection for all email accounts in Outlook Express and set proper connection ports: SMTP: secure connection, port 587 POP3: secure connection, port 995 IMAP: secure connection, port 993 Some mail servers may still work with port 465 for secure SMTP connections, but port 587 is a current standard. If any account is unavailable at all in Outlook Express, open webmail for that account in Firefox and check security/encryption properties for that connection. For example, for msfn.org forum you can see the following info in technical details: Encrypted connection (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256-byte keys, TLS 1.2) Acronyms starting with EC are for ECC unsupported by Windows XP, see ECDHE above. Note, that: Encryption details are negotiated starting from the strongest protocols, so OE may work for some account even if Firefox negotiates ECC use in this case. Some email servers (for example Gmail) allow to use weaker protocols for email clients if you change settings in webmail. If you need more info, search for other, more adequate topics.

I'm not sure about TLS 1.3 support with this proxy and I don't remember which crypto libs it uses, so I didn't mention it. Could you provide these details, please?

Starting from January 2018, TLS is a recommended standard for email, see RFC 8314. There were some updates and multiple fixes for encryption, cryptography and other security issues in Windows POSREady 2009 added in 2015-2018. The most important are: Added support for AES-128 and AES-256 encryption (2015+) Added support for SHA-2 (SHA256, SHA384, SHA512) hashes (2017+) Added support for TLS 1.1/1.2 (2017+) However, there is missing support for TLS extensions and TLS 1.3 (standard since August 2018): If the server side uses extension for Server Name Indication (SNI, 2003+), you can ignore warnings that the certificate is issued for another domain. SNI was added to Vista. If the server side uses Elliptic Curve Cryptography (ECC, 2006+) for digital signing in certificate, you can do NOTHING. Windows XP libs cannot verify such a certificate and cannot connect to the server. There are some programs which use either updated OpenSSL libs or Gecko-based engine and can properly work with TLS 1.3 and TLS extensions. For example, Eudora OSE is a fork of Thunderbird so it uses Gecko engine, but it is outdated (2010), so it may not work properly with TLS 1.3 or extensions for TLS 1.2 updated in 2011.

Newer Firefox versions have more advanced JavaScript engine and JS code for that engine won't run in older Gecko based browsers. If you change User-Agent you should always delete the browser cache to reload proper code.

What User-Agent is set in your Serpent browser? For me Firefox 52 in XP works with adblock turned off and User-Agent for Windows 7: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0

Maybe it's caused by some third party antivirus or security suite?

AFAIK it's been already fixed. I didn't notice it, maybe anyone else could confirm fix?

That's true. In general you will get only notifications about MSRT. MSSE, .Net Framework. MS Office and other non-system updates. However, there have been some extra security updates for Windows XP, so you should expect that some extra updates for Windows 7 will be notified by system WU client in the future.

It's another wording, typical for marketing mumbo-jumbo. AFAIR they haven't changed any word (only KB number and date) in comparison with previous updates (probably didn't even think about it). Final rollup should also have final QFE rollup, it's been just longer delay this time. Now you don't have automatic updates only (with exception for MSRT and MSSE). New updates are still available from Microsoft Update Catalog. I have installed 2 main updates issued for 2020-02: monthly rollup KB4537820 and cumulative update for IE11 KB4537767. No complaints, no problems so far.

Preview rollups for Windows 7 were offered almost every month, usually a few day later than regular updates. They contain the same updates as regular rollups, but some files have QFE patches. In Windows XP regular updates and QFE patches were provided in a single installer file.