Are MS Updates for XP really necessary?


Philipitous

As the good Judge Patrice Lessner would put it: "...in *your* opinion!"

To affirm that as a fact, at the very least a double-blind test is required, with representative samples for each group of machines.

You've shown no reliable data, in fact, no data whatsoever.

I've actually mentioned ASLR and /GS already.

ASLR is Address Space Layout Randomization. It randomizes the address space of a process so that an attacker has a more difficult time creating ROP gadgets, which are used for Return Oriented Programming. These gadgets allow attackers to bypass Data Execution Prevention (DEP).

DEP is in Windows XP SP1. ASLR is not on any Windows XP box. ROP has been around for well over a decade now, and creating your gadgets is easy, and an automated task. Without ASLR an attacker gets initial shell and they control the process. With ASLR an attacker requires an information leak, which Windows 8 has made more difficult (removing Shared_User_Data, for example). Windows 8 is the first windows operating system that allows a process to force all mappings to use at least 8 bits of entropy, and allows processes to make use of far more entropy, making bruteforce attacks much less reliable.

/GS is a stack canary that is heuristically attached to functions on compile time. Stack overflows that corrupt the canary will fail if the attacker does not use their one chance to guess the canary value. On XP there was 1 bit of entropy for this value, and I'm not sure if they ever fixed that. Regardless, /GS has been improved and included in the new toolchain for Windows 8.

SEHOP is Secure Exception Handling Overwrite Protection. It is not included in XP (without EMET) and it mitigates a significant number of vulnerabilities that have been exploited (especially in IE) in the past on Windows XP. Vista+ use it.

Multiple areas of the kernel have been moved to userland. One component is part of the graphics stack, which, for performance reasons is partially handled by the kernel. But an attack on the userland components, the areas exposed to attackers, will no longer lead to an instant kernel level attack on the system.

MIAC, Mandatory Integrity Access Control is the basis for high level sandboxing on Windows. It goes far past ACLs to allow processes to restrict their own file access, among other things.

Separation between User and Admin is native to Vista+, whereas on XP it's not nearly as clearly defined, leading to a class of attacks known as shatter attacks.

Here's the PDF I mentioned:

http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

It brings up Guard Pages, local kernel mitigation techniques (more areas of the kernel have been marked as nonexecutable, KASLR has improved entropy, SMEP, soon SMAP), and multiple other mitigation techniques.

There is no objective measure of security. People don't even agree on how to define whether a system is secure or not, or if it's even possible. But if you know how attacks work, and how defense works, it should be very obvious that Windows 8 is more secure. If you think anyone in this world is going to post a meaningful benchmark for security, I don't know what to tell you. It will never happen. What you'll get is every person with experience hacking into systems telling you this though.

A double blind test wouldn't really make sense. This isn't a pill. It's attacking an operating system.

The fact is that on Windows 8 you need to expose more vulnerabilities for RCE.

Edited by enxz
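The SEHOP description in the post above (a chain of exception handler records that the OS validates before dispatching) is easy to model. The following C program is an added example written for this page, not code from the post or from Windows: it builds a toy exception-registration chain, walks it the way SEHOP does (the chain must reach a known sentinel record within a bounded number of hops) and refuses to run any handler when a record's next pointer has been replaced. The record layout, the `MAX_CHAIN` bound and the handler names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a 32-bit SEH registration record: the next record in
 * the chain and the handler to run. Layout is an assumption for this example. */
typedef struct seh_record {
    struct seh_record *next;
    void (*handler)(const char *what);
} seh_record;

/* Sentinel that sits at the end of every thread's chain. SEHOP only dispatches
 * when a walk from the head reaches this record. */
static void final_handler(const char *what) { printf("final handler: %s\n", what); }
static seh_record final_record = { NULL, final_handler };

/* Bound on chain length so a corrupted pointer forming a cycle cannot hang the
 * walk. Assumed limit for the example. */
#define MAX_CHAIN 64

/* Returns 1 when the chain from head is intact (terminates at the sentinel
 * within MAX_CHAIN hops), 0 otherwise. Every record here is a real object the
 * program created, so no arbitrary address is ever dereferenced. */
int sehop_chain_is_valid(const seh_record *head)
{
    const seh_record *cur = head;
    for (int hops = 0; cur != NULL && hops < MAX_CHAIN; ++hops) {
        if (cur == &final_record)
            return 1;
        cur = cur->next;
    }
    return 0;
}

/* Mimic the SEHOP decision: validate first, then run handlers in order.
 * Returns the number of handlers invoked (0 when validation fails). */
int dispatch_exception(seh_record *head, const char *what)
{
    if (!sehop_chain_is_valid(head))
        return 0;
    int invoked = 0;
    for (seh_record *cur = head; cur != NULL; cur = cur->next) {
        cur->handler(what);
        ++invoked;
        if (cur == &final_record)
            break;
    }
    return invoked;
}

static void app_handler(const char *what) { printf("application handler: %s\n", what); }

/* Scenario 1: a well-formed chain of two application handlers ending at the
 * sentinel. Returns the number of handlers that ran (3). */
int demo_intact_chain(void)
{
    seh_record second = { &final_record, app_handler };
    seh_record first  = { &second, app_handler };
    return dispatch_exception(&first, "intact chain");
}

/* Scenario 2: the first record's next pointer no longer leads to the sentinel
 * (here it points at an orphan record that loops on itself). Validation fails,
 * so no handler runs and the walk does not hang (returns 0). */
int demo_corrupted_chain(void)
{
    seh_record orphan = { NULL, app_handler };
    seh_record first  = { &orphan, app_handler };
    orphan.next = &orphan;  /* constructed cycle: must also be rejected */
    return dispatch_exception(&first, "corrupted chain");
}

int main(void)
{
    printf("intact chain: %d handlers ran\n", demo_intact_chain());
    printf("corrupted chain: %d handlers ran\n", demo_corrupted_chain());
    return 0;
}
```

The point the model makes is the one the post makes: the validation costs nothing at registration time and only runs at dispatch, which is why it could be added to existing binaries (via EMET on XP, natively on Vista and later) without recompiling them.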


There is no objective measure of security. People don't even agree on how to define whether a system is secure or not, or if it's even possible. But if you know how attacks work, and how defense works, it should be very obvious that Windows 8 is more secure. If you think anyone in this world is going to post a meaningful benchmark for security, I don't know what to tell you. It will never happen. What you'll get is every person with experience hacking into systems telling you this though.

A double blind test wouldn't really make sense. This isn't a pill. It's attacking an operating system.

Take 200 pairs of machines, of many models and makes, but each pair consisting of identical hardware. Deploy in one Win 8 and in the other Win XP SP3. Put each machine alone behind a router and have exactly half the routers have the firewall active and half have it fully deactivated (but don't tell the actual users which is which). Disperse the pairs around the world. Run that setup at least six months and each time an infection/invasion happens, tally it, use ATA format and redeploy its OS again from the master image. Treat all that raw data with good robust statistics and come back with facts. Without that (or something like it), all you have is theory and opinion. Opinion, anyone is entitled to hold any, but they are a hard sell. Now, in many instances, when the models are mature, in theory, there's no difference between theory and practice, but in practice that's not necessarily so.


Right, but in that test you're defining security as whether a machine will get attacked, and then stating that there's a correlation between the operating system and whether it will be attacked.

That's a faulty premise. What if I leave a vulnerable XP box directly connected to the internet, running a vulnerable Apache service that would take 5 seconds to exploit and it never gets exploited. Is that machine secure? Well, it was never attacked... so is that what security is?

You're also not exposing the system. Again, users don't just get attacked by connecting to the internet. Your test would make more sense if those systems connected to various exploit pages as well as sitting on the internet. But...

By that logic you can just run the oldest operating system with the least market share and you'll be "secure" because no one will care to attack you.

So essentially you're defining security by an attacker's will to attack you and not by their ability to attack you. I think that's a faulty definition of security.

Like I said, there is no objective measure, and people don't even agree on what security means.

But with a technical understanding of how machines are compromised, how attacks work (both from a business standpoint and the actual creation of exploits), and how defenses work, it becomes very clear which systems are secure and which aren't.


Any logical view of operating system security should show that Windows XP is less secure than 8.

I liked much better the:

/GS is a stack canary that is heuristically attached to functions on compile time.

:w00t: as an argument to support an opinion.

What would be interesting (and this is easily doable, it's only a matter of spending some time) is to see how many of MS patches (which BTW are the actual topic) are issued at the same time for the following Operating Systems:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8

my memory is quickly fading, but I seem to remember that usually whenever a vulnerability has been found (and a related patch is issued by MS) the patch is most of the time for ALL of the above OS versions (or more loosely "supported OS versions of the NT family"), I don't remember as "common" that a patch is ONLY for the oldish XP (or ONLY for a given system) :unsure: and NOT for a later OS.

Ideally one could list each month's Security bulletin summary, here is an example of the latest:

http://technet.microsoft.com/en-us/security/bulletin/ms13-jul

and check, bulletin by bulletin, which OS's are affected and for which a patch is issued, example:

https://technet.microsoft.com/en-us/security/bulletin/ms13-053

seems like a "serious" issue and "hitting" any and all OS's in the above list.

I did a quick check and it seems to me like the patches are for ALL the mentioned OS's, exception made for this one, that only affects Windows 7 and Server 2008 R2 (and NOT XP and NOT 8)

https://technet.microsoft.com/en-us/security/bulletin/ms13-058

By this tentative metric, XP and Vista and 8 are seemingly on the same level, whilst 7 (and Server 2008 R2) are slightly less secure.

jaclaz


Charlotte's view is "Why let the problems get that far?"

I look at it like this.

Football (Soccer) match. Who would field a team comprising only the goalkeeper?

8 might be more secure than XP but XP is tried, tested and above all understood.

I have XP, 7 and 98SE on this machine, I would be still using 98 if my motherboard hadn't gone down about 3 years ago.

BTW I have no intention of putting Win8 on this machine. I just don't like the look of it.


You're both right, and you're both wrong. Neither of you mention UPnP, which allows a router to open ports when requested LAN-side by an application. It should be disabled by default for tighter security "out of the box," but some manufacturers may not follow this philosophy for the sake of "ease of use."

You're right, I didn't mention it here, but I have been railing about it in some other comments with respect to the next wave of hip gadgets, cheap home consumer security devices. The way they are shaping up with automagic configuration to allow these cameras and mics to work will lead to a big problem with neutered security. uPnP will rise from the grave again.

But in these discussions I almost always mention a "properly configured router" when I bring this up. The user should immediately do some thorough research about the specific brand and firmware and look for forum discussions by sharp commenters that go through and explain all the settings and stuff. Routers I have seen are usually pretty good with defaults after a reset or flashing, but yes there always is some tweaking to be done.

So again ... yes, by all means disable uPnP in the router and the service in Windows. Mine obviously is.

EDIT: slimmed down the quote

Edited by CharlotteTheHarlot

One really good example of this is the recent hack of Ubuntuforums.org. That's a "good" website, but for 6 days it was controlled by an attacker. In that time he could have easily put up an exploit page, and no "common sense" would have saved anyone - I'm a security professional and I visit that website, so do many others.

From what I read, both that site and the one at PC Gamer never mentioned any driveby attacks, just compromised stored data and credentials. I'll try to read more about it when I get a chance but it sounds like you are putting it forward as evidence for your security opinions. I don't recall browsers, or Windows itself for that matter being part of the story. Are you asserting that some people browsed to the site and got hosed? Were they attacked successfully without any affirmative user acceptance clicking? If this actually happened, what Browsers, OS, AntiVirus and Router were the victims using? These are significant details I have not heard. You wanna bet that they were much closer to the earlier mentioned scenario #1 than scenario #2?

Well first of all your router must be screwed up, because you should definitely be able to torrent without opening ports on the router.

Packets are definitely not just tossed. You're reading this webpage right now, aren't you? That means that, somehow, someone is sending you data to your computer. That's all an attacker needs. They can MITM your connection, hack the website, send you a link, etc. Once you get to an area where they control the content (like opening an email from them) they can attack you. That's all it takes.

I can assure you that my router is anything but screwed up. In fact, "screwed up" is the absolute last description that comes to mind when discussing a hardware firewall that requires manual intervention to open ports 688x in order to use a torrent! That opt-in necessity of forwarding those ports is the whole point here. The alternative which you are describing is a "smarter" router ( I would call it dumber ) that does it automatically. We are clearly approaching the concept of "normal" from two different places.

Packets are definitely tossed. Do you think they are stored somewhere instead?

And of course not all packets are tossed. ~sigh~ You must know what ports are open, so I just can't understand this strange statement: "You're reading this webpage right now, aren't you?".

Like I said, Windows 8 is better off. Although your 8 services are exposed more directly, getting into the XP box is not going to be hindered much. Of course, I wouldn't recommend either - you should be behind NAT, because you don't want to be exposed. But NAT isn't going to make up for an operating system full of holes. MSE isn't relevant, AV is stupid and anyone can bypass it completely.

In terms of performance there's a lot more to it than services running. On modern hardware 7/8 will run faster than XP depending on the task. But the reason I'm avoiding discussing performance is because it changes depending on the hardware - an old system will run XP faster than 7, a new one will run 7 faster than XP. That's just how it is.

Yep, I can see we're definitely coming at this from two entirely different places.

There is often a huge error made, in fact most of the time, when people "compare" their new OS with a fresh new empty registry and profile against their previous OS dripping with Windows rot and come to the stunning conclusion that the new one runs faster. Unfortunately they are always misled. We have even seen the ludicrous bootup comparisons comparing a shutdown 7 versus a hybrid 8. Control for variables and it's an entirely different story.

The only way that Windows XP, or for that matter any version of Windows, is ever faster than its predecessor is when the latter is new, tweaked and optimized by user configuration and the earlier one is left rotted with all the bells and whistles running, especially disk indexing and other CPU hogging tasks. Microsoft has never ever slimmed down an OS's realtime components going forwards ( pushing services into delay load does not count! ).

Anyway, this is way off topic for this thread but I have to believe that between this comment about performance and some of the router comments that you are not particularly concerned with details, scientifically controlled experiments, and accurate comparisons.

The point is, as it has been, that given the same network setup, given the same user, given all things being the same, it is much easier to get into an XP box than 8.x. And it is trivial when the user doesn't patch.

I'm sorry but that is pure evidence-free, wishful thinking. And there's that magic patch again. What is it that Windows update does to Windows XP that makes it secure instead of "trivial" to get into? I think I know why you are not specifying that, it's because the likely answer is probably some of the MSIE buffer overflow and HTML flaws, and ActiveX registry shims. Sheeple food.

Meanwhile I'll continue along happily in scenario #2.

P.S. I always forget to mention this ( as I did above ), but if you want better security, in addition to using a different browser than MSIE it is critically important to change the "default" to something else so that you "patch" a hugely stoopid bug / feature of Windows. The bug? Having Windows pop open MSIE because you hit F1 help and suddenly you get sent online to a non-existent webpage and then shuffled over to Bing or Google or your ISP's DNS resolution page already aiming at potentially dangerous links. MSIE, in my opinion, should only be used for one thing - Windows Update, when you really need it. MSIE should only be used on purpose, never by accident.


@The Finder,

my memory is quickly fading, but I seem to remember that usually whenever a vulnerability has been found (and a related patch is issued by MS) the patch is most of the times for ALL of the above OS versions (or more loosely "supported OS versions of the NT family"), I don't remember as "common" that a patch is ONLY for the oldish XP (or ONLY for a given system) :unsure: and NOT for a later OS.

Yes, a vulnerability in XP code that's used in Vista, 7, and 8 would work on all of them potentially. So they all have to be patched. But exploiting that vulnerability is a whole other story on newer operating systems thanks to the mitigation techniques I've mentioned.

So while all of them could have the same number of vulnerabilities (or newer ones could even have more) exploitation of those vulnerabilities can range from significantly more difficult to impossible - stack overflows, for example, are going to be much more difficult to exploit on 8.

@CharlotteTheHarlot,

From what I read, both that site and the one at PC Gamer never mentioned any driveby attacks, just compromised stored data and credentials. I'll try to read more about it when I get a chance but it sounds like you are putting it forward as evidence for your security opinions. I don't recall browsers, or Windows itself for that matter being part of the story. Are you asserting that some people browsed to the site and got hosed? Were they attacked successfully without any affirmative user acceptance clicking? If this actually happened, what Browsers, OS, AntiVirus and Router were the victims using? These are significant details I have not heard. You wanna bet that they were much closer to the earlier mentioned scenario #1 than scenario #2?

I wasn't clear, I'm not saying that a driveby attack was used. I'm saying that a legitimate website was compromised and an attacker had control of the website for 6 days. In that time the attacker could easily have put up an exploit page, and any person who visited would have been subjected to it - router or not. That is how typical attacks work, they don't care about routers.

And of course not all packets are tossed. ~sigh~ You must know what ports are open, so I just can't understand this strange statement: "You're reading this webpage right now, aren't you?".

I'm saying this because the router isn't relevant to security anymore. If you're running a browser that's all the attack surface necessary.

In terms of performance stuff, I'm not really interested in discussing it. It's not what I came here to talk about, and it's not important to security.

I'm sorry but that is pure evidence-free, wishful thinking.

Except I've posted multiple times now about mitigation techniques that make attacks harder.

https://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx?Redirected=true

http://j00ru.vexillium.org/?p=690

You can google for more information on the effectiveness of these techniques.

And there's that magic patch again. What is it that Windows update does to Windows XP that makes it secure instead of "trivial" to get into? I think I know why you are not specifying that, it's because the likely answer is probably some of the MSIE buffer overflow and HTML flaws, and ActiveX registry shims. Sheeple food.

It's very simple.

I'm an attacker. I want into a system. I see two XP boxes. One of them has an unpatched service running, the other has a patched service running.

I can attack the patched service, but it requires a 0day attack. Or, I can just modify the latest Metasploit for the unpatched service and cut my work by 90%.

That's why patching is important.

Of course, if I see a Windows 8 box on there, I know I need a 0day, and I need an information leak, and I potentially need a local kernel exploit that itself will potentially require an information leak.

It's just math. Vuln + Vuln + Vuln + Vuln > Vuln

In the case of Windows update, there are exposed services, media players, linkers, etc. The entire operating system is attack surface, especially the kernel. If you have a local kernel vulnerability and you don't patch it it becomes a matter of googling to get into your system.

MSIE is nothing. It's not important - it's a couple million lines of code and you've got hundreds more within the operating system. You can run Google Chrome and it will make little difference, because it's just one kernel exploit to get out of the sandbox. You can look at the latest MWR Labs attack on Chrome to see evidence of this (and that the attack had to be modified for 8 to become reliable).

Anyway, this is way off topic for this thread but I have to believe that between this comment about performance and some of the router comments that you are not particularly concerned with details, scientifically controlled experiments, and accurate comparisons.

What I'm concerned with is principles of security, operating system security, network security, how attacks work, and how we defend against them. It's what I do at school as a computer science and security major, it's what I've been hired to do by defense contractors, it's what I do at competitions where we hack into systems for points, and defend from actual hackers to win. I'm not going to try arguing from authority on the internet, no one has to take me at my word, but if you think that a system's security is defined by menial details of a router I think your perception is way off.

Edited by enxz

Read the previous PDF on /GS improvements as well as http://j00ru.vexillium.org/?p=690

Pre-8 /GS used 1 bit of entropy. Pre-VS 2012 /GS was used on fewer functions. The new toolchain applied on 8 improves the heuristic application of it, protecting more function returns.

/GS and ASLR improvements are just two examples. I use them because they're the easiest to point to. There are many others, many of which are detailed in the links provided.

Edited by enxz
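The two posts that describe /GS (the earlier one calling it "a stack canary that is heuristically attached to functions on compile time", and the one above on the 1 bit of pre-Windows 8 entropy) can be illustrated with a small model. The C program below is an added example written for this page, not code from either post or from Microsoft's compiler: it lays out a toy frame as one byte array (a fixed buffer followed by a canary), copies input into it without a bounds check, and then performs the epilogue comparison that /GS does before a function returns. A copy that fits leaves the canary intact; a copy one byte too long is caught. The frame layout, the sample cookie value, the `BUF_SIZE` and all function names are assumptions; `canary_guess_space` shows why entropy matters for the "one chance to guess" mentioned earlier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a /GS-protected frame: a fixed buffer followed by the canary
 * that sits between the locals and the saved return address. Modelled as one
 * byte array so a write past the buffer lands on the canary while staying
 * well-defined, unlike a real overflow. Layout is an assumption. */
#define BUF_SIZE 16
#define CANARY_SIZE ((size_t)sizeof(uint32_t))
#define FRAME_SIZE (BUF_SIZE + CANARY_SIZE)

typedef struct {
    unsigned char bytes[FRAME_SIZE];
} toy_frame;

/* Number of candidate values a guesser would have to cover for a canary with
 * `bits` bits of entropy: 2 for the 1-bit case, 2^32 for a full 32-bit cookie. */
uint64_t canary_guess_space(unsigned bits)
{
    return bits >= 64 ? UINT64_MAX : (uint64_t)1 << bits;
}

/* Prologue: clear the buffer and place the canary after it. */
void frame_enter(toy_frame *f, uint32_t canary)
{
    memset(f->bytes, 0, BUF_SIZE);
    memcpy(f->bytes + BUF_SIZE, &canary, CANARY_SIZE);
}

/* Epilogue check: 1 if the canary is intact, 0 if it was overwritten. */
int frame_leave_ok(const toy_frame *f, uint32_t canary)
{
    return memcmp(f->bytes + BUF_SIZE, &canary, CANARY_SIZE) == 0;
}

/* Copy `len` bytes into the buffer with no bounds check: the defect /GS is
 * there to catch. len is clamped to FRAME_SIZE only so the toy model never
 * writes outside its own array. */
static void unchecked_copy(toy_frame *f, const unsigned char *src, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(f->bytes, src, len);
}

/* The actual fix a patch would ship: refuse input that does not fit.
 * Returns 1 when the copy was made, 0 when it was rejected. */
int bounded_copy(toy_frame *f, const unsigned char *src, size_t len)
{
    if (len > BUF_SIZE)
        return 0;
    memcpy(f->bytes, src, len);
    return 1;
}

/* Run one unchecked copy of `len` 'A' bytes through the protected frame and
 * report what the epilogue check sees: 1 = return proceeds, 0 = /GS aborts. */
int protected_copy(size_t len)
{
    static const uint32_t cookie = 0x5A17C0DEu;  /* constructed sample cookie;
                                                    a real one is random */
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    toy_frame f;
    frame_enter(&f, cookie);
    unchecked_copy(&f, input, len);
    return frame_leave_ok(&f, cookie);
}

int main(void)
{
    printf("16-byte copy, canary intact: %d\n", protected_copy(16));
    printf("17-byte copy, canary intact: %d\n", protected_copy(17));
    printf("guess space, 1 bit: %llu\n", (unsigned long long)canary_guess_space(1));
    printf("guess space, 32 bits: %llu\n", (unsigned long long)canary_guess_space(32));
    return 0;
}
```

The two checks play different roles, which is the distinction the thread keeps circling: `frame_leave_ok` is the mitigation (it detects the corruption after the fact and can only abort), while `bounded_copy` is the patch (it removes the defect). A mitigation with a guessable canary gives the detection away, which is why the entropy figure matters as much as the check itself.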

I don't get it. :(

If some code can initiate an exploit through a stack overflow, then the code may need to be patched and the OS is vulnerable (and the patch has a very high priority, or "Critical").

If some code can initiate an exploit through a stack overflow BUT *something else* in the OS SURELY prevents stack overflows, then there is NO need to patch anything as the OS is NOT vulnerable, or at least the patch becomes very low priority or "Not Critical".

The former is "less secure" than the latter.

But while the patch is issued with the same priority level, at least here it means that it is needed on both systems and at the same time and with the same intensity in the minds of those that produce the patch.

You are saying that because of the big changes in the way the OS works, the same vulnerability has less chance of being exploited in practice.

The concept of "probability" of making use of a known vulnerability, which Charlotte The Harlot introduced through the use of "intelligent" and "safe" settings of the setup of the machine, is very similar.

A well made setup (and intelligent use of the PC) lowers the probabilities that an existing vulnerability can be used by a malicious attacker.

So, we are into "weighting" the efficiency of the "automatic internal mitigation factors" introduced in the OS against the efficiency of "manual external mitigation factors" suggested by Charlotte, right?

If this is the case, then the only (anyway approximated) meaningful data we can get is statistical and can only be obtained by a test similar to the one dencorso hypothesised:

http://www.msfn.org/board/topic/163539-are-ms-updates-for-xp-really-necessary/page-2#entry1046197

jaclaz


If some code can initiate an exploit through a stack overflow, then the code may need to be patched and the OS is vulnerable (and the patch has a very high priority , or "Critical").

If some code can initiate an exploit through a stack overflow BUT *something else* in the OS SURELY prevents stack overflows, then there is NO need to patch anything as the OS is NOT vulnerable, or at least the patch becomes very low priority or "Not Critical".

Imagine it like a castle. You have wall after wall. An attacker needs to break through each wall. Windows 8 has a lot of walls, and breaking through them is harder. Windows XP doesn't have many walls, and the ones it does have have a lot of cracks in them.

CVSS CVE scores aren't based on whether it's a stack or heap overflow, or the mitigation techniques available. They're based on potential impact. So even if an attack is mitigated partially or near entirely by a mitigation technique, an overflow in a critical component is still considered critical.

Mitigation techniques also don't always prevent an exploit 100%, so a patch is always necessary, especially because an attacker can chain together vulnerabilities. For example, I could get a heap overflow, but DEP would prevent execution of code. I then use ROP, but ASLR prevents the ROP. I then use an information leak to get ROP. Those are separate vulnerabilities being used.

You are saying that because of the big changes in the way the OS works, the same vulnerability has less chance of being exploited in practice.

I'm saying more work is involved. That's just a fact. If I want shell in a program it is harder to do on Windows 8 for most vulnerabilities. I have to do all of the work I would do on XP and then I would have to expend further energy bypassing the mitigation techniques.

So, we are into "weighting" the efficiency of the "automatic internal mitigation factors" introduced in the OS against the efficiency of "manual external mitigation factors" suggested by Charlotte, right?

What I'm arguing is that Windows XP is not a secure operating system, that Windows 8+ is a more secure operating system, and that attacking unpatched systems is much easier than attacking patched systems.

Saying "Oh, but you can put a router outside an XP box" doesn't really matter. You can do the same with 8. And, on top of that, routers don't add nearly as much security as people seem to think. Neither does being intelligent.

Like I pointed out earlier, that test would prove very little. You could just as easily ask 1,000 hackers if it's easier to hack Windows XP or Windows 8 and the vast majority would say "XP, duh". There's a statistic.


You could just as easily as 1,000 hackers if it's easier to hack Windows XP or Windows 8 and the vast majority would say "XP, duh". There's a statistic.

As it's written, the above sentence actually makes no sense. Please do correct and elaborate it.

In any case, if I got right the gist of it, if the vast majority (of hackers? of invaders? of Venusian Incas? of Borg drones?) would say "XP, duh!", that surely *is* an added layer of security XP has, which the newer 7 & 8.x don't.
