Are MS Updates for XP really necessary?


Philipitous

Sure. "It's only called paranoid when they actually AREN'T after you"...

BUT IF they actually were after you, you would already have been pwned.

WHY exactly do you think most exploits are called "zero-day"?

AFAICR all attempts to produce and sell the magazine "exploits monthly" failed miserably.

By the time you publish (or patch) something you are already dead.

For NO apparent reason, a lolcat:

[image: ninja-cat-2_tackyraccoons.jpg]

jaclaz



but I also believe that all these "Vulnerabilities" (except one) are manageable with basic security

How?

If you want to run XP after 2014, accept that you won't be secure. If you run XP you're already not secure, but without patches any skiddy with Metasploit will be able to tear your machine apart. You can fend off the most basic attacks with EMET, and you can force an attacker to use local escalation attacks with sandboxing, but neither of those raises the bar significantly on XP.


If you want to run XP after 2014 accept that you won't be secure. If you run XP you're already not secure, [...]

Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment is), if not more. Hardware firewalls at the router and responsible use, maybe coupled with an anti-virus, should be enough most of the time. A good, up-to-date, off-line backup covers all other eventualities. Moreover, all the malware will surely be targeting 7+ machines, preferably those running x64.


CharlotteTheHarlot posted a really nice reply that mentioned some interesting things:

CharlotteTheHarlot ... Posted 18 December 2012 - 06:57 AM

Purely out of chance, the machine I am on has evolved into the front-facing sacrificial lamb to the evil gods of internet malfeasance.

Windows Update is disabled. I haven't even manually run the update scan in over two years. It is of course behind a router. The Windows Firewall is running (the XP inbound-only firewall) but I'd bet I could even kill that without consequence. I am using Opera 99% of the time (version 11.something), and Firefox for the odd pages and things that cause hiccups. MSIE is very rarely used. And here is the kicker... It is an Administrator account. ~shudder~

There is no anti-virus ( except for on-demand scan of folders and drives now and then, not because I am infected, but for the odd client devices I am working with ). This computer visits the darkest, deepest and most dangerous corners of the web too. No bull. No drive-by scripts have ever compromised it. No local files have caused problems and believe me I test a whole lot of crap.

Try as I may, I cannot think of something that a critical Windows Update would need to fix as far as security that would affect anything positively. I would expect things might get broken by allowing Microsoft to just keep patching system files over and over again though. I always wondered how an ever-changing codebase can be considered "stable" but that's just me I guess. Anyway. I have always maintained that a properly configured Router + Opera is the first line of protection. It definitely works for me.

However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

If you have a spare computer ( or even a HDD with space for a clone of your OS ) just try it.

I should clarify one thing in there, that bolded part.

This PC ( the one I am talking about in that quote ) is NOT connected to any internal network here. It is truly standalone, and files only get to and from other computers through classic sneakernet. It talks directly to a router that is the gateway to the Internet. In this particular scenario the Windows XP firewall can definitely be disabled ( I simply haven't because it is too much trouble with the balloon warnings and security center nagging ). The hardware firewall in the router when properly configured is more than adequate for security.

However, if you had a typical network of computers talking to each other and they also can access the Internet through a router, then the hardware firewall may be enough but it would be wise to have individual firewalls operational on each PC. This is for protection from a sibling computer on the network that somehow gets infected ( probably through operator error ). Naturally the software firewall needs some management to work in this scenario, you have to watch for exclusions which get inserted into the registry and open up vulnerabilities. It happens quickly from executing local files with malware payloads. But you always have to watch for this kind of thing anyway.

So I just want to be clear that when I suggest others try this they understand I am talking about isolating a standalone computer behind a router. And yes, absolutely no CPU killing antivirus, and no Windows updates except for specific ones for odd things that I go get by hand. It is easily do-able. The bulk of the Windows updates can be considered nothing more than placebos with respect to daily use.

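The post above says the thing to watch on a per-PC software firewall is the exceptions that get written into the registry. The script below is an added example, not code from the post or from Microsoft; it reads the XP firewall's own exception lists and flags the entries a practitioner would want to look at first. It assumes PowerShell 2.0 on XP SP2/SP3, an account that can read HKLM, and the value formats documented in the comments (the `Read-ExceptionList` and `Get-XpFirewallExceptions` names are the example's own).

```powershell
# Added example, not from the original post: enumerate the Windows XP firewall
# exceptions that installers and malware write into the registry, so that
# "exclusions which get inserted into the registry" can be reviewed.
# Assumes PowerShell 2.0 on XP SP2/SP3 with an account that can read HKLM.

$FirewallPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Value data formats under each profile (StandardProfile / DomainProfile):
#   AuthorizedApplications\List : <exe path>:<scope>:<Enabled|Disabled>:<description>
#   GloballyOpenPorts\List      : <port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<description>
# <scope> is '*' (any remote address), 'LocalSubNet', or a list of addresses/subnets.
# The exe path contains a drive colon, so the target group is matched lazily and the
# Enabled/Disabled keyword anchors the split.
$AppPattern  = '^(?<target>.+?):(?<scope>[^:]+):(?<state>Enabled|Disabled):(?<desc>.*)$'
$PortPattern = '^(?<target>\d+:(?:TCP|UDP)):(?<scope>[^:]+):(?<state>Enabled|Disabled):(?<desc>.*)$'

function Read-ExceptionList {
    param([string]$ProfileName, [string]$SubKey, [string]$Pattern, [string]$Kind)
    $key = Join-Path (Join-Path $FirewallPolicy $ProfileName) $SubKey
    if (-not (Test-Path $key)) { return }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
        if ($prop.Name -like 'PS*') { continue }
        if (-not ("$($prop.Value)" -match $Pattern)) { continue }
        $target = $matches['target']
        $exists = $true
        if ($Kind -eq 'Application') {
            # Entries whose executable is gone are leftovers that still open a hole if re-created
            $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($target))
        }
        New-Object PSObject -Property @{
            Profile = $ProfileName; Kind = $Kind; Target = $target
            Scope = $matches['scope']; State = $matches['state']
            Description = $matches['desc']; FileExists = $exists
        }
    }
}

function Get-XpFirewallExceptions {
    foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
        $profileKey = Join-Path $FirewallPolicy $fwProfile
        if (-not (Test-Path $profileKey)) { continue }
        $enabled = (Get-ItemProperty -Path $profileKey).EnableFirewall
        if ($enabled -ne 1) {
            Write-Warning ('{0}: EnableFirewall = {1} (firewall is off for this profile)' -f $fwProfile, $enabled)
        }
        Read-ExceptionList $fwProfile 'AuthorizedApplications\List' $AppPattern  'Application'
        Read-ExceptionList $fwProfile 'GloballyOpenPorts\List'      $PortPattern 'Port'
    }
}

# Enabled entries with scope '*' accept traffic from any address the router forwards;
# an Application entry whose executable no longer exists should simply be deleted.
Get-XpFirewallExceptions |
    Where-Object { $_.State -eq 'Enabled' -and ($_.Scope -eq '*' -or -not $_.FileExists) } |
    Format-Table Profile, Kind, Target, Scope, FileExists, Description -AutoSize
```

Run it once after a clean install to record the baseline (the default list is short: File and Printer Sharing, Remote Assistance, UPnP), then again whenever something has been installed; any new `Application` entry pointing into a user-writable directory such as `%TEMP%` or `%APPDATA%` is exactly the kind of exclusion the post warns about.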

Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment is), if not more. Hardware firewalls at the router and responsible use, maybe coupled with an anti-virus, should be enough most of the time. A good, up-to-date, off-line backup covers all other eventualities. Moreover, all the malware will surely be targeting 7+ machines, preferably those running x64.

That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box? Not really.

8/8.1 are considerably more secure, not sure why you would believe XP is more secure.

Hardware firewalls are fine, but they're not really relevant. Your end system, the one taking in untrusted data (regardless of firewalls) is still vulnerable.

Malware targeting 7 will still work on XP. And attackers will certainly still attack XP users if the market share holds where it is, there's still a ton of money to be made, especially when it's such easy pickings.

If I'm an attacker I can go after the majority, 7 users. But that's sorta difficult. I could still attack XP boxes, take over a massive number of systems, and expend far less effort.


However, I have a never-ending stream of infected computers being brought in for repair and it is always one or both of those ( Router + Opera ) that are missing. They always have Windows Updates on automatic so they are up-to-date, and they have a variety of realtime antivirus programs ( murdering the performance naturally ). Yet still they show up in various states of disarray. Go figure.

In my experience when this happens, there is a THIRD ELEMENT that is missing, that is a sentient being between chair and keyboard. :whistle:

jaclaz


Nobody is ever secure. But XP SP3 after 2014, just like 2k SP4+ today, should be at least as secure as 8.1 (or whatever the name of the bleeding-edge windows-of-the-moment), if not more. [...]

That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box?

Sure I can! Most hackers means not all hackers. One single intruder gets into your machine and you're pwned. You cannot be positive no one'll ever be able to get into your machine, no matter what. Hence, in disagreeing with me you've just agreed with my point. Nobody is ever secure. No matter what.


Sure I can! Most hackers means not all hackers. One single intruder gets into your machine and you're pwned. You cannot be positive no one'll ever be able to get into your machine, no matter what. Hence, in disagreeing with me you've just agreed with my point. Nobody is ever secure. No matter what.

Like I said, it depends on how you define security. There is no "100% secure"; if you're dealing with the NSA directly targeting you, you can make things hard for them, but they will get in if they really want to. That doesn't mean a system is insecure, it just means that 100% security does not exist. I would say you have to define security by threats, and when the threat is any skiddy with Metasploit, the box is not secure.

But we're talking about a massive difference of skill required. To hack an XP box requires little work, any RCE vulnerability in any browser, and a local kernel vulnerability. On Windows 8 you need RCE, an information leak, a kernel vulnerability, and another information leak. Not only do you need more vulnerabilities total, exploitation of them is more difficult.

Edited by enxz

Not really. There was an article last week (?) about how MS first gives these agencies a list of vulnerabilities (privately), backdoor ones,

BEFORE they release hotfixes,

and these fixes can come... who knows when.


That's very common; even Linux does that. If there's a critical vulnerability you make sure that companies/governments can patch it ASAP. The issue is that, sometimes, the patch can be reversed and exploit code can be developed before they release the patch to the mainstream.

It's dangerous but not outright malicious. These also aren't backdoors as they're not intentional vulnerabilities, they're discovered vulnerabilities.

But if you consider backdoors to be a threat you should consider all Windows systems invalid, don't think that the NSA and Microsoft have only been working together recently. They've had a relationship for years.


That really depends how you define security. In my case I know that most hackers are incapable of getting into my system, whether they want to or not. Can you say that about an unpatched XP box? Not really.

Yes, I can say it and do say it. Patched or unpatched the most significant variables here are where the computer sits in the network, who sits in front of it, and what they do when they sit there. Staying away from MSIE also helps significantly as does disabling remote access. Everything else factors in much later and lower in priority. You will have to get a little more specific and identify the exact "patch" for XP that trumps any of these factors.

8/8.1 are considerably more secure, not sure why you would believe XP is more secure.

Since you named "8/8.1" and used the phrase "considerably more secure", can you explain how its security is increased over say 7 or 7(sp1) ? It will have to be mega-gigantically more secure to even make a dent in the flourishing infection rate on those Windows 7 systems. Note that the inclusion of MSE out of the box does not count as a security boost because it still needs to get the latest signature update anyway as soon as 8/8.1 is installed. The only thing it saves is the initial download of the engine and this is a tiny download every tech keeps on a stick anyway.

Hardware firewalls are fine, but they're not really relevant. Your end system, the one taking in untrusted data (regardless of firewalls) is still vulnerable.

Wait, "not really relevant"? Sorry, but this is incorrect. Hardware firewalls are everything when talking about home PCs on broadband. And history backs this conclusion, as the proliferation of NAT routers (thanks mostly to so many people getting laptops) served to lock down many homes from the port scanning attacks that were popular in the dawn of the broadband era, before Windows shipped with any software firewall. Throwing away most incoming packets is the first line of defense because they never even arrive at the computer in the first place. It is why my software firewall logs are always empty.

Malware targeting 7 will still work on XP. And attackers will certainly still attack XP users if the market share holds where it is, there's still a ton of money to be made, especially when it's such easy pickings.

If you rephrase that to say "... attackers will certainly still attack Windows users using MSIE without a hardware firewall ..." then I'm right with you. Well, except for the money part. The money collection scams are almost always socially engineered to rope in n00bs that believe the silly dialog in their browser telling them that their system needs to be sped up or is now locked down by the FBI. These are the same silly n00bs that are likely to not have a router in the first place, or if they do will have it misconfigured from some quick-setup utility or have ports open so their son in the basement can use torrents all night long. Don't worry, these people will seamlessly morph into MetroTards later and if Windows 8 survives and supplants Windows 7 it will become just as infected because it is designed for uber-n00bs.

It almost sounds to me like what you're saying here is that 8/8.1 is like magic for home user protection ("considerably more secure"), but even Microsoft would never ever go that far. The hardware firewall in a NAT router is the main ingredient; it needs to be standing between your PC and the physical ISP connection (the Cable/FIOS/DSL modem). Common sense and the other things I mentioned, like not using MSIE or remote access, come next.

So let's just cut to the chase here. What would be safer: using Windows 8.x in a restricted account with its software firewall and CPU hogging antivirus and updated security magic connected directly to the ISP modem ( like so many n00bs are doing ), or bare naked Windows XP as administrator with no antivirus behind a router ( patched or unpatched, software firewall or not )?

The answer to that question is not what is being fed to the Sheeple.


You will have to get a little more specific and identify the exact "patch" for XP that trumps any of these factors.

I could get specific, I suppose. But specific CVEs aren't important. Any remote kernel exploit will quite obviously bypass everything other than hardware based security. Any local kernel exploit combined with RCE in a program such as a browser will bypass your NAT/network firewalls, and provide full system control regardless of sandboxing.

Since you named "8/8.1" and used the phrase "considerably more secure", can you explain how its security is increased over say 7 or 7(sp1) ? It will have to be mega-gigantically more secure to even make a dent in the flourishing infection rate on those Windows 7 systems. Note that the inclusion of MSE out of the box does not count as a security boost because it still needs to get the latest signature update anyway as soon as 8/8.1 is installed. The only thing it saves is the initial download of the engine and this is a tiny download every tech keeps on a stick anyway.

I can name quite a number of things, though it may get somewhat technical, and I don't know what level you'd understand. MSE makes no difference to me, since bypassing AV isn't difficult, and it also isn't a technology that makes 8 any harder to hack than XP.

One major difference over XP is a proper implementation of ASLR. XP lacks all ASLR, making remote code execution trivial. Windows 8 ASLR is the first proper implementation on Windows, with multiple information leaks removed, and the ability to have all memory maps randomized. There is significantly more entropy as well.

Vista+ are immune to shatter attacks. On XP the difference between Admin and restricted user is not enforced properly, making escalation attacks incredibly easy. Microsoft released a patch to solve this, and it does somewhat, but it's not as well implemented.

Privileges in general are improved, as system services run with lower rights on Vista+, and areas of the kernel have been moved to userland, where an exploit won't be so critical.

/GS is used further in 8+ for system services.

I could go on.

These changes are considerable.

Wait, "not really relevant"? Sorry, but this is incorrect. Hardware firewalls are everything when talking about home PCs on broadband. And history backs this conclusion, as the proliferation of NAT routers (thanks mostly to so many people getting laptops) served to lock down many homes from the port scanning attacks that were popular in the dawn of the broadband era, before Windows shipped with any software firewall. Throwing away most incoming packets is the first line of defense because they never even arrive at the computer in the first place. It is why my software firewall logs are always empty.

No one attacks a user's laptop anymore in any way that a network firewall will matter much. Worms like Conficker are remnants of the past; anyone on a modern system is far more likely to be attacked through a service that is already taking in input.

If you rephrase that to say "... attackers will certainly still attack Windows users using MSIE without a hardware firewall ..." then I'm right with you. Well, except for the money part. The money collection scams are almost always socially engineered to rope in n00bs that believe the silly dialog in their browser telling them that their system needs to be sped up or is now locked down by the FBI. These are the same silly n00bs that are likely to not have a router in the first place, or if they do will have it misconfigured from some quick-setup utility or have ports open so their son in the basement can use torrents all night long. Don't worry, these people will seamlessly morph into MetroTards later and if Windows 8 survives and supplants Windows 7 it will become just as infected because it is designed for uber-n00bs.

MSIE has little to do with it, as other browsers will be just as useless on XP, especially without patches. Do you think Chrome's sandbox will save you? It won't. NoScript? Nope. We've already seen in this topic an attack that would bypass both of those things, attacking font rendering in the kernel via TrueType.

In terms of money, you're missing the point. Virtually all attacks are about money. If I hack you it's not to trick you into giving me money, it's to hook you up to my botnet so I can sell your system off to someone for a couple hundred thousand dollars a year. And I'll likely sell off whatever accounts I access as well, just for a couple hundred dollars extra.

It almost sounds to me like what you're saying here is that 8/8.1 is like magic for home user protection ("considerably more secure"), but even Microsoft would never ever go that far. The hardware firewall in a NAT router is the main ingredient; it needs to be standing between your PC and the physical ISP connection (the Cable/FIOS/DSL modem). Common sense and the other things I mentioned, like not using MSIE or remote access, come next.

Microsoft has stated that they consider 8 to be the most secure Windows operating system. They are correct. Again, NAT isn't important or relevant to modern attacks for desktop users.

8/8.1 are not magic. You can get far more secure using Linux, and MS has more work to do. But attacking 8/8.1 is considerably more difficult than attacking XP.

So let's just cut to the chase here. What would be safer: using Windows 8.x in a restricted account with its software firewall and CPU hogging antivirus and updated security magic connected directly to the ISP modem ( like so many n00bs are doing ), or bare naked Windows XP as administrator with no antivirus behind a router ( patched or unpatched, software firewall or not )?

Windows 8 would be far far far more secure in this case. But I'm not sure why you can't just... you know... have Windows 8 behind a router.

I guarantee that if anyone here is running an unpatched XP system it would take very little time to get into their systems, given that they're willing to click just one link. One known RCE in their browser, one known local kernel vulnerability - access to a single syscall, if even.

Edited by enxz

I did a study on updates a few years back and found that the more updates, the slower the system ran. Also, I do Windows reinstalls on average about 3 times a week, so I don't really see the need for updates, and I keep them disabled. My vote is with CharlotteTheHarlot.


I would like to see that study. My guess is that a large number of updates led to a lot of disk space being used by update packages, and removing them and subsequently defragging would solve it.

But, of course, performance is not the question here. Security is.

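The reply above guesses that the slowdown comes from the disk space the update packages leave behind. Rather than guess, the script below measures it: it is an added example, not code from either poster, and it assumes PowerShell 2.0 on XP, that `%windir%` is the installed Windows directory, and the hidden `$NtUninstallKB######$` / `$hf_mig$` folder naming that XP hotfix installers use. The function names are the example's own, and the "orphan" check is a heuristic, not an official Microsoft test.

```powershell
# Added example, not from the original posts: measure what the Windows XP
# update uninstall folders take up and match them against the hotfixes
# Windows reports as installed. Assumes PowerShell 2.0 on XP.

function Get-XpUpdateUninstallFolders {
    # Every uninstallable hotfix leaves a hidden $NtUninstallKB######$ folder under
    # %windir% holding the replaced files; $hf_mig$ holds hotfix migration data.
    Get-ChildItem -Path $env:windir -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\$(NtUninstall|hf_mig)' } |
        ForEach-Object {
            $dir   = $_
            $bytes = (Get-ChildItem -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                      Where-Object { -not $_.PSIsContainer } |
                      Measure-Object -Property Length -Sum).Sum
            $kb = $null
            if ($dir.Name -match '(KB\d+)') { $kb = $matches[1] }
            New-Object PSObject -Property @{
                Folder   = $dir.Name
                HotfixId = $kb
                SizeMB   = [math]::Round(($bytes / 1MB), 2)
            }
        }
}

function Get-XpUpdateSummary {
    $folders   = @(Get-XpUpdateUninstallFolders)
    # Win32_QuickFixEngineering is the same source Get-HotFix reads from.
    $installed = @(Get-WmiObject -Class Win32_QuickFixEngineering |
                   Select-Object -ExpandProperty HotFixID)
    # Heuristic: an uninstall folder whose KB is no longer listed as installed is
    # dead weight and can be deleted; folders for installed KBs are only needed if
    # you still intend to uninstall that particular update.
    $orphans   = @($folders | Where-Object { $_.HotfixId -and ($installed -notcontains $_.HotfixId) })
    New-Object PSObject -Property @{
        InstalledHotfixes = $installed.Count
        UninstallFolders  = $folders.Count
        TotalMB           = ($folders | Measure-Object -Property SizeMB -Sum).Sum
        OrphanFolders     = @($orphans | ForEach-Object { $_.Folder })
    }
}

Get-XpUpdateUninstallFolders | Sort-Object SizeMB -Descending |
    Format-Table Folder, HotfixId, SizeMB -AutoSize
Get-XpUpdateSummary | Format-List
```

Whether the total comes out at tens or hundreds of megabytes, it is space, not CPU time, so it only bears on performance through fragmentation; the security question the thread is about is unaffected either way, since deleting an uninstall folder keeps the patched files in place and merely removes the ability to roll that update back.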
