XPHomeSP3

Maybe not, but, if you're so inclined, I would suggest you reply with something along the lines of, "Well, could you kindly explain why Microsoft would make an update available for a system that is out of support yet has publically available information with clear instructions for obtaining it for said system here: https://support.microsoft.com/en-ca/help/4507704/dst-changes-in-windows-for-brazil-and-morocco " Keep shaking the apple tree. Something will hopefully fall out of it soon.

Well done and thank you, FranceBB! While eagerly awaiting a positive response from Micorosft regarding your inquiry, I'll be making sure the produce section is well stocked and it's newly installed POSReady 2009 register is ready for the KB4507704 update to be applied.

I went the route of trying to rename the ATMFD.DLL file via a command prompt as per Microsoft's instructions. I chose this option because it has the added benefit reliably blocking all remote and local attacks using the vulnerabilities in question. However, XP tells me that the commands are not recognized when trying to implement the change. Here are the commands I used: cd "%windir%\system32" takeown.exe /f atmfd.dll icacls.exe atmfd.dll /save atmfd.dll.acl icacls.exe atmfd.dll /grant Administrators:(F) rename atmfd.dll x-atmfd.dll Am I doing something wrong or does this method not work on XP due to trying to assign ownership of the file?

Well, here's the thing with this theory: If you go to the Microsoft page for How to Configure Daylight Saving Time for Microsoft Windows Operating Systems and scroll down to July 2019 update section and expand it, you will see they have the following information: Note: This update was revised on August 13, 2019, to apply to Windows Embedded POSReady 2009 It would seem to me it was indeed meant for public release but someone at Microsoft somehow overlooked the fact it was supposed to be added to the update catalog. (Of course, I could be completely wrong though.) I have also tried to post a comment about this fact at the Time Zone Updates for Brazil are Available blog posting at the Microsoft Daylight Saving Time & Time Zone Blog but it refuses to let me do so for some reason. (Maybe Microsoft knows we're on their trail.) Perhaps while I'm minding the register at one of my supermarkets in Casablanca someone here could kindly try and post a comment on my behalf (or your behalf) and see if we can get an answer from someone.

Of course we will. The truth is out there remember. If someone would please suggest me the best email address to use and/or the best number to call to contact Microsoft about KB4507704, I'll do my best to get an answer.

Believe me when I say I'm am not trying to start an argument here, but I don't view KB4507704 as a Microsoft Premier Support for Partners update for Windows XP since it clearly says in its support article that it's obtainable from three otherwise normally used methods: Method 1: Windows Update Method 2: Windows Server Update Service Method 3: Microsoft Update Catalog If it were a Microsoft Premier Support for Partners update for Windows XP, wouldn't it have been kept under wraps along with all the other updates that have (presumably) been released over the past 12 months? My point is, I would very much like it if someone here would kindly contact Microsoft and literally call them on the what their own documentation for KB4507704 says. Like you, I would also be quite happy if someone would indeed leak the premier XP updates.

A sincere thank you for taking the time to do this for the benefit of everyone here, win32. Nice work!

I promise you those four files had a size of 0 bytes when I posted that and that was the first time they ever appeared like that. I just checked the KB4507704 catalog page right now and all the files are listed with their corresponding sizes.

Yes, it's available here along with all the other platforms mentioned in the KB4507704 support article, except for POSReady 2009. Interestingly, I noticed that 4 of the files in the update catalog have file sizes of 0 bytes: Windows 8 Embedded for x86-based systems Windows 8.1 for x64-based systems Windows Server 2008 for x64-based systems Windows Server 2012 R2 for x64-based systems On second thought, perhaps you should repack it to use in XP, if your offer still stands.

I must say, given both your affinity for XP and the number of postings you have contributed to this thread since its inception, Dave-H, I would have thought you would have been one of the archivists for sure.

Yes, me too. I'm very intrigued by this product and am interested to see what it can do. I have a fully updated non-POSReady 2009 XP system, so I may install 0patch on it just to see what it picks up. Since the micropatches 0patch issued for XP and Server 2003 have since been patched by Microsoft, I'm guessing the only micropatches I'll have applied are for the following things: Protection from critical 0days in other Windows products, for example these 0days in Equation Editor, 0day in Microsoft Word, Protection from critical 0days in 3rd-party software products such as Adobe Reader, 7-Zip, Foxit Reader, WinRAR,... see https://0patch.com/patches.html and https://blog.0patch.com for more examples. Protection for 3rd-party products that are out of support but you must use them for legacy reasons, e.g., old Java runtime versions. Now, does anyone want to take the plunge and try it out with POSReady 2009?

While I sincerely appreciate your kind offer, I really don't need the update for anything. I just want it because it is something that I (and others here, if they wish) could apply to my/their system to make one component more up to date. It aggravates me to no end that Microsoft has publically available documentation for this update, with explicit instructions on how to obtain it, but it does not seem to be available anywhere. I really believe that someone must have it archived somewhere. Perhaps I haven't knocked on the right door yet to ask.

Yes, I too got the same response although Mitja Kolsek from Acros Security did also tell me, "We have so far only issued two micropatches for XP (BlueKeep, EsteemAudit) - both of which were critical remotely exploitable 0days when we patched them (i.e., without an official patch by Microsoft), but Microsoft subsequently decided to provide official updates for both even though XP and 2003 were long out of support. We have no experience with Windows Embedded but would be willing to test 0patch on it if there was sufficient interest for that. Under current priorities, we're only issuing XP micropatches when a critical 0day comes out that affects them, but if it made financial sense for us, we'd be willing to backport more patches to these old systems." As someone who is always trying to make XP/POSReady as secure as possible after it's April 9, 2019 EOS date, I'd certainly be willing to utilize 0patch to help accomplish this. Perhaps others who feel the same way could let 0patch know by contacting them at support@0patch.com

Of course I will, eh? The question now becomes where at Microsoft is the request/clarification for KB4507704 best posed? I would prefer to try contacting them by email as I don't want to spend a great deal of time on hold only to be told...

As mentioned above, I have indeed been trying my best but, frustratingly, getting nowhere. The furthest I've been able to get in my quest so far are the suggestions to either, "contact my Microsoft distributor for POSReady to see if they can get the update" or "contact Microsoft support directly." It would be such a simple solution for Microsoft to just add KB4507704 to the update catalog since the info for it is readily available from their support page and it does appear to be something that was just an oversight on their part. On an unrelated note, has anyone tried running 0patch with POSReady 2009 yet?

Just curious if you may have turned up any clues as to how we might be able to get our hands on KB4507704 ? Believe me, I have been trying my best but, frustratingly, getting nowhere. Also, does anyone have any suggestions on a way to contact MS directly to get some clarification on or find out some more information on obtaining this update from them?

*

That's rather interesting as 0patch has already released something for XP. If you look on their micropatches' page ( https://0patch.com/patches.html ), you will find the following info posted regarding an 0patch Pro micropatch they issued for: CVE-2017-0176 Microsoft Windows XP/Server 2003 EsteemAudit Microsoft Windows XP SP3/Server 2003 SP2 RDP privilege escalation This CVE was patched by MS with KB4022747 for both XP and POSReady 2009 in June of 2017, while the details of 0patch's efforts in June of 2017 can be found here: https://blog.0patch.com/2017/06/a-quick-analysis-of-microsofts.html So there you have it, if anyone wants to take the plunge and run 0patch on an XP-hacked POSReady 2009 system, I would love to hear if any other micropatches get applied. For instance, even though it's for Windows 7, I'm wondering if the current Microsoft Type 1 Font Parsing Remote Code Execution issue reported by MS in March would have the 0patch micropatch for it applied to XP/POSReady 2009 as well. Edit: Regarding my question in the last paragraph, after doing some more research, I believe the answer would actually be no as each micropatch issued by 0patch is "applicable to a specific executable module (usually EXE or DLL), based on that module's cryptographic hash"; therefore, since files such as ATMFD.DLL may have the same name in different operating systems, they would not have the same cryptographic hash. I suppose if one was concerned about this specific vulnerability in XP/POSReady 2009, the best way to mitigate it would appear to be to simply rename the ATMFD.DLL file which is found in C:\Windows\System32\ as per 0patch's advice.

Thank you for doing this, Dibya. In terms of patching CVE's post-EOS, does anyone have any experience using 0patch FREE (or Professional) with either XP or POSReady 2009? I'd be interested to hear about your experiences and what, if any, patches were applied to either configuration.

Thanks for the info, FranceBB. It sounds like you have certainly done your homework on this and it, unfortunately, seems as though the end result for us regular end users is a foregone conclusion. The runaround on this question from MS also sounds like an episode of The X-Files. Well, the truth is out there (just like KB4507704 definitely and possibly others), so we just need a Mulder and Scully-like investigation to uncover them for us. We'll focus on KB4507704 first and see where the investigation leads us from there.

In terms of just thinking out loud.. Would it be absolutely necessary for someone with an actual POSReady 2009 system to tell us if this update ever appeared or not? For all intents and purposes, doesn't the POSReady 2009 registry hack allow our Windows XP systems to be "seen" as an actual POSReady 2009 system by MS and wouldn't the update then present itself accordingly? If this were indeed just a documentation glitch, why would the support page have last been modified on November 7, 2019 and the reference and detailed instructions for Windows Embedded POSReady 2009 still be left in? If anything, I would think it would have been taken out if this were the case. Is there a link anywhere to the reference about MS still providing premium updates or a custom support plan for Windows XP? It truly would be awesome if someone could somehow release these to us XP diehards. Please be assured I am in no way trying to start any type of argument or have any type of disagreement about any of this. If anything, I'm extremely glad there is some interest in my accidental discovery by those here and I remain hopeful that through a concerted effort we will eventually be able to track down and successfully install KB4507704. I know I am sincerely looking forward to doing so and, who knows, maybe we will be able to unearth some other XP/Windows Embedded POSReady 2009 post-EOS gems as well.

Quite by accident, I stumbled upon a MS support page regarding KB4507704 which deals with DST changes in Windows for Brazil and Morocco: https://support.microsoft.com/en-us/help/4507704/ This update was released on July 15, 2019 and was last revised on November 7, 2019. It clearly states on the support page this update applies to Windows Embedded POSReady 2009 and it even goes so far as to give detailed instructions on how to obtain it for this platform: Specifically, Windows Embedded POSReady 2009 Method 1: Windows Update This update is provided as an Optional update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update. Method 2: Windows Server Update Service This update is now available for installation through WSUS. Method 3: Microsoft Update Catalog To get the standalone package for this update, go to the Microsoft Update Catalog website. Note: You must be running Microsoft Internet Explorer 6.0 or a later version. Prerequisites To apply this update, you must have Service Pack 1 for Windows 7 and Windows Server 2008 R2 installed, or Service Pack 2 for Windows Vista and Windows Server 2008 installed. There are no prerequisites to install this update on Windows 10, Windows Server 2016, Windows 8.1, Windows Server 2012, or Windows Embedded POSReady 2009 (emphasis mine). While I realize this is not a required update by any means, I have nevertheless not been offered it via Windows Update, I don't use WSUS and it is not listed in the MS update catalog for this platform. Did anyone happen to obtain KB4507704 and archive it? Surely it has to be out there somewhere but, despite my best search efforts, I cannot seem to locate it anywhere. There's something extremely gratifying to me about applying official MS updates on an OS after its EOS support date and if I can do it with this one, I'm absolutely going to. Any insight, assistance and/or guidance would be greatly appreciated.