
Are MS Updates for XP really necessary?


Philipitous


I've seen comments about MS updates disabling mature systems and even a suggestion that there's a conspiracy at MS to render old XP systems unusable to encourage upgrades. So the following may help.

I recently made a fresh install of XP Home original SP3 slipstreamed and then set about a custom update on MS's site using the supplied IE6 . I selected all but 3 of the critical updates (I didn't want Malicious SRT, IE8, and browser choice) and 3 non-critical (root certs, KB2492386, KB2808679). In due course, I restarted and went into MS updates once more to grab 2 that didn't take first time. All this updating took less than an hour, not closely attended, and the system is stable. I conclude no conspiracy.

So while MS updates are available, I'll continue to update manually and selectively. If something goes wrong I have my system drive backed up.

But how necessary, really, are these updates on a 12-year-old OS that you would think by now had had most of the glitches removed?

One of the latest is this: "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

Published: Tuesday, July 09, 2013".

Problems with the kernel, sounds serious, but digging a little deeper we read: "The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files..." (my bold)

So if we can prevent remote access of shared content the threat is empty? I hope I'm right, because to me that seems achievable, and should be the basis of security now, and going forward from April 2014.

Edited by Philipitous


They make XP updates for hundreds of millions users, they can't afford to say "if you have doubts whether this update is important to you or not, give us a call".

Though they did call my sister last week to assist her installing updates (through remote control). :rolleyes: Fortunately she insisted she'd rather first ask me about it. They asked "but does your brother work for Microsoft?". :D


Who said "remote access"?

The KB talks of "user views".

Typically, someone sends you a "specially crafted" document of some kind embedding a special TrueType font that vectors the exploit (or sets up a website for it).

Read:

http://technet.microsoft.com/en-gb/security/bulletin/ms13-053

the part titled:

TrueType Font Parsing Vulnerability - CVE-2013-3129

Mitigating Factors

jaclaz


Who said "remote access"?

The KB talks of "user views".

Typically, someone sends you a "specially crafted" document of some kind embedding a special TrueType font that vectors the exploit (or sets up a website for it).

Read:

http://technet.microsoft.com/en-gb/security/bulletin/ms13-053

the part titled:

TrueType Font Parsing Vulnerability - CVE-2013-3129

Mitigating Factors

jaclaz

Thanks for that. I hadn't read that deep into the document, but doing so was certainly worth it.

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

There are still pages on the internet written by XP security gurus pre-SP3 insisting that automatic updates must be on and real-time virus protection installed. And new pages of doom appearing now telling us that after April 2014 it will be open season on XP and our systems will die.

So folk sat there behind their paid-for Norton security, letting MS update their systems, and a few years later they find their computers are riddled with malware. I think my contention is that good security is about more than MS updates - which I'm certainly not against as my OP states.

Yes, okay, maybe I got it wrong about remote access in this case. OTOH, the document says: "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights", which sounds a lot like something to do with remote access to me. I'm an interested amateur, not an expert.

Edited by Philipitous

Generally speaking, there's no reason not to install them unless the update specifically causes problems in your system (for various reasons like the update being buggy itself or other programs having issues after installing it, etc.), especially if we're talking about a home computer.


OTOH, when MS stops issuing them, we'll manage without them all right... the most serious issues will end up fixed by unofficial patches for XP, in similar manner to what happens at the 2k and 9x/ME communities. And, with time, some capabilities expanded likewise, too.


So folk sat there behind their paid-for Norton security, letting MS update their systems, and a few years later they find their computers are riddled with malware.

That is IF the computer manages to boot again after the "combined effect" of MS updates and Norton. :whistle: There is actually nothing preventing (excluding some proper testing procedures) something like this from happening again:

http://www.msfn.org/board/topic/118290-sp3-registry-corruption-bandaid-solution/

Please consider how the above happened with a (long due) "full" Service Pack (i.e. giving all the time needed for proper checking) and not with the usual MS update, which might be issued quickly.

jaclaz

Edited by jaclaz

Just like with everything when upgrading/updating you might resolve security/bugs issues but you might also encounter other issues.

As a side note, the systems most targeted by hackers/viruses/malware/etc. are always the most widespread, so using an OS that is too old, too new, or just rare and not much used and incompatible with the currently most widespread one is often enough security.

Edited by allen2

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). As all an attacker has to do is get you to visit a webpage where they control the text, so an XSS, or other attack on a website you visit is enough.

They then control your system's core component, the kernel. That means they control your firewall too (this only requires administrative access), so they can open, close, and bind ports however they want. A firewall will do nothing here. In fact any security at or above ring 0 will be completely bypassed.

The best solution here is a patch.

Edited by enxz
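As an added illustration (not code from the thread or from Microsoft), here is a small Python audit of the two workaround conditions Philipitous lists above, run over constructed `sc qc WebClient` and `netstat -an` output. It covers only the share-hosted vector those workarounds address, which is enxz's point: it says nothing about fonts rendered by a browser or document viewer, and a listening port is reported as needing a firewall check because netstat shows what is bound, not what is filtered.

```python
import re

# Constructed sample of `sc qc WebClient` from an XP box with the service
# start type set to 4 (Disabled).
SC_QC_WEBCLIENT = """\
SERVICE_NAME: WebClient
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k LocalService
"""

# Constructed sample of `netstat -an` with SMB/NetBIOS listeners bound.
NETSTAT_AN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

def webclient_disabled(sc_qc_output):
    """True only if the text describes WebClient and START_TYPE is 4 (Disabled)."""
    if not re.search(r"^SERVICE_NAME:\s*WebClient\s*$", sc_qc_output, re.M | re.I):
        return False
    m = re.search(r"START_TYPE\s*:\s*(\d+)", sc_qc_output)
    return m is not None and int(m.group(1)) == 4

def listening_smb_ports(netstat_output):
    """Set of TCP ports from SMB_PORTS that netstat reports as LISTENING."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in SMB_PORTS:
                found.add(port)
    return found

def audit_workarounds(sc_qc_output, netstat_output):
    """Summarise the two workarounds named in the thread. A bound SMB port is
    flagged for a firewall check: netstat cannot tell whether it is blocked."""
    ports = sorted(listening_smb_ports(netstat_output))
    return {"webclient_disabled": webclient_disabled(sc_qc_output),
            "smb_ports_listening": ports,
            "firewall_rule_needed": bool(ports)}

if __name__ == "__main__":
    print(audit_workarounds(SC_QC_WEBCLIENT, NETSTAT_AN))
```

On a real box the two inputs would come from running those commands and pasting their output in; the report only confirms the configuration, not that the font-parsing bug itself is closed.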

In this case, the "workarounds" that will prevent an attack are that the webclient service is disabled and/or that TCP ports 139 and 445 are firewalled. On my system that service has been disabled for years without a problem, and those ports are not just stealthed they are closed. So I guess I was safe after all.

You could disable the "webclient" service, but that would mean never using your browser (or anything else that allows for text). As all an attacker has to do is get you to visit a webpage where they control the text, so an XSS, or other attack on a website you visit is enough.

They then control your system's core component, the kernel. That means they control your firewall too (this only requires administrative access), so they can open, close, and bind ports however they want. A firewall will do nothing here. In fact any security at or above ring 0 will be completely bypassed.

The best solution here is a patch.

Mmm ... There's a lot of Vulnerability Information in connection with this potential exploit and I've looked again at all the "Mitigating Factors" and "Workarounds" which can be studied here: http://technet.microsoft.com/en-gb/security/bulletin/ms13-053.

I agree the best solution is a patch, but I also believe that all these "Vulnerabilities" (except one) are manageable with basic security - which if correct is the good news for those intending to use XP beyond April 2014, but certainly not a reason not to continue installing MS updates while available.

I'm surprised at the lack of interest in this topic. Where are those who contributed here - http://www.msfn.org/board/topic/162134-how-can-we-keep-xp-alive/

There is one recently discovered vulnerability that can't be mitigated, stemming from 20-year-old code, and quite an interesting article here: http://www.computerworld.com/s/article/9239477/Google_engineer_bashes_Microsoft_s_handling_of_security_researchers_discloses_Windows_zero_day

However, it looks tangential to the exploit under discussion as the article says "... the bug cannot be exploited remotely -- by sneaking attack code onto a compromised website, for example ... "

Edited by Philipitous

There's little else to be said, since that other thread just mentioned.

But I'd like to stress one thing I said there, in any case:

[image: windows-8-market-share-small.jpg]

It's really quite difficult to ignore a ~38% minority... just because we're about 1/3 of all users. Simple like that! :)


Philipitous ... am in agreement with 5eraph when he says "Reading along with interest like me, I'd imagine." ... been reading as others are doing. Last December (2012) I started a topic in the XP forum ... "Installing New Windows XP Updates" and got some interesting replies. My thread is now back in history on Page 6 these days.

CharlotteTheHarlot posted a real nice reply that mentioned some interesting things:

CharlotteTheHarlot ... Posted 18 December 2012 - 06:57 AM

Purely out of chance, the machine I am on has evolved into the front-facing sacrificial lamb to the evil gods of internet malfeasance.

Windows Update is disabled. I haven't even manually run the update scan in over two years. It is of course behind a router. The Windows Firewall is running ( the XP inbound-only firewall ) but I'd bet I could even kill that without consequence. I am using Opera 99% of the time (version 11.something ), and Firefox for the odd pages and things that cause hiccups. MSIE is very rarely used. And here is the kicker ... It is an Administrator account. ~shudder~

There is no anti-virus ( except for on-demand scan of folders and drives now and then, not because I am infected, but for the odd client devices I am working with ). This computer visits the darkest, deepest and most dangerous corners of the web too. No bull. No drive-by scripts have ever compromised it. No local files have caused problems and believe me I test a whole lot of crap.

Try as I may, I cannot think of something that a critical Windows Update would need to fix as far as security that would affect anything positively. I would expect things might get broken by allowing Microsoft to just keep patching system files over and over again though. I always wondered how an ever-changing codebase can be considered "stable" but that's just me I guess. Anyway. I have always maintained that a properly configured Router + Opera is the first line of protection. It definitely works for me.

However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

If you have a spare computer ( or even a HDD with space for a clone of your OS ) just try it.

.........

my thread from Dec ... Installing New Windows XP Updates

http://www.msfn.org/board/topic/160578-installing-new-windows-xp-updates/

...


The only 4 "updates" I'd like to see are:

1. disable verclsid (yes, I know this can be bypassed manually)

2. disallow malware from easily installing on/as the System account

3. detach IE, thus allowing it to be removed (leaving mshtml as it is, of course)

4. make a small generic SATA driver pack

4.1 same for USB 3
