"OK! OK! We'll Support It!" LOL

[dencorso]

I think comparing the running of Windows XP with Windows 9x/ME unsupported is foolish. [...]

I agree with you, because, IMO, Win 9x/Me security through obscurity is a myth I never believed in.

I really don't think Microsoft is out to mess with it's own products.

I agree with you again, because, IMO, it would bring MS no profit at all and headaches galore. IMO, whoever believes that is -- at least -- an above-average consumer of conspiracy theories.

So, don't misunderstand me: I think *no one* is *ever* safe. If you feel using Vista/7/8/+ you're even slightly safer, I have a newsflash for you: you really are not, but feeling safe may make you less careful, with all due respect.

One can try to eliminate all PEBCAK. One can use a hardware firewall at the router. One can use a real-time antivirus. One can even adopt a default-deny policy, if one likes it. Etc. All that is good and makes one safer. If there are security updates, one should use them all, too. But one ought to keep multiple known-good backups stowed away in safe places, so one can recover, no matter what.

[JorgeA]

So, don't misunderstand me: I think *no one* is *ever* safe. If you feel using Vista/7/8/+ you're even slightly safer, I have a newsflash for you: you really are not, but feeling safe may make you less careful, with all due respect.

One can try to eliminate all PEBCAK. One can use a hardware firewall at the router. One can use a real-time antivirus. One can even adopt a default-deny policy, if one likes it. Etc. All that is good and make one safer. If there are security updates, one should use them all, too. But one ought to keep multiple known-good backups stowed away, so one can recover, no matter what.

Do you (or anyone else reading this) have a handle on either the proportion (percentage) or the absolute numbers of computers that are affected by individual vulnerabilities patched by the monthly Windows Updates? Reading the patch descriptions, a lot of these vulnerabilities sound like awfully remote risks, or else they require special circumstances like the attacker having physical access to the machine. I'm just wondering how much more exposed an XP box will really be after April (or May) 2014, compared to (say) today when the OS is still getting patches.

--JorgeA

[bphlpt]

Since no one can know the type of vulnerability that might be discovered in the future, either in May 2014 or December 2020 or anytime in between, I don't think that anyone can really put any kind of number on that.

Cheers and Regards

[JorgeA]

How about, historically?

I'm trying to get a read on the magnitude of the question (based on historical experience).

--JorgeA

[Flasche]

How about, historically?

I'm trying to get a read on the magnitude of the question (based on historical experience).

--JorgeA

As I searched around I bumped into this forum. http://www.bleepingcomputer.com/forums/t/408136/win-98-viability-in-todays-web/ And one of the users stated

How much modern malware can run on Windows 98?

I would estimate in the high 80% range.

The Windows API has remained almost completely backwards compatible with itself for 20+ years. An application written in 1990 strictly to documented APIs would very likely work on any later (32 bit) version of the OS.

I would not recommend using any of the 9x series Windows operating systems in a networked environment. Even if a piece of malware was unable to run, it would try to run which in the pre-protected-memory versions of Windows will 90% of the time crash the whole system.

I echo Romeo29's suggest about using Linux instead. There are a number of modern and light weight Linux distributions available (such as Puppy Linux or Xubuntu; Linux Mint would be the best for novice users, but it's system requirements are fairly steep for a computer of this vintage.)

I'm not sure about how accurate his estimate is but I have found that you can get viruses today. ( I use avast and have gotten modern viruses on my computer ) I didn't let the viruses stay long so I don't want to know if their payload would of worked but I would be careful. ( if I recall I got it from adobes website when I downloaded flash 11 for 98)

*Note* dont ask what the viruses were as soon as I found them (daily check ups) I deleted them. (should of saved them in the vault)

EDIT: could be a rare occurrence since I haven't had an issue in over six months.

Edited January 29, 2014 by Flasche

[dencorso]

Not even historically. That kind of data is one of the many kind of unknowable data. The reasons why it *is* unknowable are many, and we may dwell on that if you so wish. The shor version is: there no known way of collecting such data with any reliability.

However, if the user base remains sufficiently high, MS may once or twice release, for an unsupported OS like XP, one or more security updates for things they come to deem may harm really hard their still supported products. Then again, they might as well not do it even so. Only time will tell.

[bphlpt]

I haven't seen historical info like what you are looking for, but even if you could find it, I still don't know if it would help you now. I mean, not only would absolute numbers not be applicable, since the numbers of computers have drastically increased over the last 10 years for example, but now the market is changing more than it has before. Not only are the capabilities of the machines changing and the OS evolving such as 98 -> 2K -> XP etc, but now you have the market splintering into the Windows based OS, the various form factors such as desktop, laptop and tablet, the RT based products which don't run the same software, the Android, Google, Steam, and Linux based products, and of course more and more folks are just using Kindle type products or even smart phones for accessing the internet. So even if you had historical percentages, what would you compare it to today?

I understand what you are really asking - How safe will I be if I choose to use XP once official support ends? Like dencorso says, no one is safe from someone who is targeting you and willing to do what it takes to get you, no matter what OS you are using. You can dramatically improve your chances by using appropriate layers of protection such as routers, firewalls, anti-virus, etc You can even use an external machine, maybe Linux based as a gateway, sort of a super router, which has its own anti-malware systems, which keeps anything bad from ever even getting to your machine. But you will also see members here who say that they don't run any anti-virus programs on their machines at all, even if they run a more modern OS than 98, and they don't have any problems. Bottom line, more important than the OS or anti-malware installed, are the actions of the user. If you are careful about where you go on the internet, how you handle your emails, passwords on forums or sites you visit, whether other people have physical access to your machine, what you plug into your machine including USB keys, what you download, what discs you auto-load, etc., I don't think you'll have any problems. IMHO I think all those other things play more a factor in your safety than what OS you use. Just my opinion.

And if you are also careful about backups, both system and data, then even if you do have a problem you will be prepared to deal with it and be back up and running quickly.

I think the most important factor in deciding what OS to run is whether it will run the other software you need and want to run on the hardware you have at a speed you are comfortable with. If you are familiar with it and you like the way it works, that is even better. So my advice is to not over analyze it. If it meets your needs, don't worry about it.

Cheers and Regards

[JorgeA]

Thanks, guys.

I'm not a heavy XP user (Vista and 7 are my main OS's now), but I'm curious because of all the warnings that have been coming out of Redmond and other places concerning how unsafe XP will be in just a few months. Over in the "Deeper Impressions" thread I think the tendency would be to believe this is largely FUD, so I was hoping to get some measure of how widespread the "average" Windows exploit has actually been in the past (preferably in terms of percentages of Windows PCs, to dodge the "growing and splintering market" issue). As they say in the investing world, definitely "past performance is not a guide to future performance," but at least the observer might get some ballpark idea rather than groping in the dark as we seem to be forced to do.

But if the numbers (stats) just don't exist, or are not publicly available, then it's a moot point.

Thanks again.

--JorgeA

P.S. Just thought of something. I seem to remember occasionally running across stats for infected computers in countries where Windows piracy is said to be widespread and Windows PCs don't receive the monthly patches. Maybe that could serve as a sort of proxy for future unpatched XP systems, with the provisos that the numbers would be for "all" infections (not a per-infection average) and that such machines might also lack other basic protections such as current AV software and so forth.

Edited January 29, 2014 by JorgeA

[dencorso]

OK. That might be something but... how in the world can anyone know, especially nowadays, say, how many computers were there in Taliban-controlled Afghanistan, before the war, and of those, how many got infected, how many times, and what fraction of those computers were running legal OSes?

Not even jaclaz's crystal ball (let alone mine), in their best days, would ever yield even the vaguest estimates to these numbers.

That's another type of unknowable, even worse than the ones from my previous post, isn't it?

When you get served a bunch of numbers by the media or corporate sources, or any source at all, the first thing you must ask your own navel is: is it likely that those numbers may ever have been obtained in a minimally reliable way, if at all? -- Know thy unknowables...

[bphlpt]

I'm going to go along with the opinion that a lot of the warnings are "FUD". You need to look closely at where those statements come from including who pays their salaries, directly and indirectly, and officially and unofficially.

As to any stats you have seen, where did those numbers come from? From the OS suppliers that are trying to prove why you need the next "safer" OS? From the AV suppliers that want to prove how dangerous it is out there so you will buy their products, or the ones who want to prove how "effective" their product is stopping the viruses? If you have ever had a computer virus in the past did you ever report that fact to anyone? If there was any kind of automatic scanning on the net to try and pick up how many copies of a virus were active at any given time to then extrapolate how many there really were, once a machine is infected by one virus that machine might now be vulnerable to other viruses as well so even though it is one machine there might be multiple viruses. How is it counted? If the machine is wiped and the same, vulnerable , OS is put back on it then it is likely to get reinfected. It's the same machine with the same OS with the same virus, but a different occasion. How is it counted? If a machine gets a virus, it probably means there was no, or ineffective, AV software in place, so how does anyone know that the virus exists on that machine besides the machine owner, IF they are computer savy enough to know? If a protected, by AV software, machine is attacked by a virus - taking the idea that the AV software can phone home and report the attack does it report each attack , which could be millions of times a day if bots are involved and he is in the wrong place at the wrong time, or just once per day, or once per machine, or what? As you can guess, I don't understand how accurate stats can be gathered.

All of which is not to say that viruses do not exist. I use a router, a software firewall and anti-virus software to be on the safe side. But mostly I just try to be smart and careful.

Cheers and Regards

[CharlotteTheHarlot]

As I searched around I bumped into this forum. http://www.bleepingcomputer.com/forums/t/408136/win-98-viability-in-todays-web/ And one of the users stated

How much modern malware can run on Windows 98?

I would estimate in the high 80% range.

The Windows API has remained almost completely backwards compatible with itself for 20+ years. An application written in 1990 strictly to documented APIs would very likely work on any later (32 bit) version of the OS.

I would not recommend using any of the 9x series Windows operating systems in a networked environment. Even if a piece of malware was unable to run, it would try to run which in the pre-protected-memory versions of Windows will 90% of the time crash the whole system.

I echo Romeo29's suggest about using Linux instead. There are a number of modern and light weight Linux distributions available (such as Puppy Linux or Xubuntu; Linux Mint would be the best for novice users, but it's system requirements are fairly steep for a computer of this vintage.)

I'm not sure about how accurate his estimate is but I have found that you can get viruses today. ( I use avast and have gotten modern viruses on my computer ) I didn't let the viruses stay long so I don't want to know if their payload would of worked but I would be careful. ( if I recall I got it from adobes website when I downloaded flash 11 for 98)

*Note* dont ask what the viruses were as soon as I found them (daily check ups) I deleted them. (should of saved them in the vault)

EDIT: could be a rare occurrence since I haven't had an issue in over six months.

It is way more nuanced than that. 80% is a WAG. Just for example, if the malware file ( or any one of its files ) is compiled to Unicode then almost any Win9x system is immune to that particular example. If the malware is ANSI but imports functions from NT core files it will be immune. Sure the bad guy could get real backward compatible and dutifully compile without dependencies and check all the boxes for max compatibility, but that's about as likely as Microsoft programmers doing the same thing. New malware will be a product of the time it was created, most likely using the most popular tools ( or most bootlegged ) of the era.

The biggest problem in the discussion is the acceptance that Microsoft is "supporting" Windows in the first place, and that all the endless critical security fixes are more than a placebo. Yes, some are probably helpful, but many are not. To answer Jorge's question, there is a large cottage industry of "security professionals" that poke and prod at all parts of Windows, flooding this and overloading that, essentially discovering what everyone knew all along and that is that function arguments and parameters that were written by humans, using programming languages created by humans, to generate code for computer hardware designed by humans, and most importantly owned and operated by humans sheeple - are fallible and imperfect. Their work product is an endless stream of theoretical exploits that under some set of circumstances, can be exploited. What Microsoft releases are fixes to the ones they tested and reproduced under certain circumstances.

Put the computer behind a router/hardware firewall, do NOT use MSIE unless absolutely necessary, and change all registry hooks away from MSIE to the alternate browser. Disable uPnP. Then knock off all the autostart vulnerabilities and weaknesses ( Google/Yahoo/Bing/Java updaters, Messenger, etc ). These will advance the computer from the 50% secure status to the 99th percentile. Note, I said the "computer". The biggest failing is the operator who can singlehandedly drag that security level right back down to the sewer. I see it every day, Vista and 7 are the new XP RTM. It doesn't matter if they have Windows Update running ( they all do, but on XP I don't ). They are all running standard accounts ( but on XP I use admin ). They all use the Windows default MSIE all patched up from WU ( I do not ). They plug in wherever the Internet is available, wide-open router or even directly into the ISP modem. They click wildly on whatever meets their fancy ( this supports what Dencorso said about false sense of security ), type their name whenever prompted, click on ads, fall for phishing attacks. The point is, Microsoft cannot cure stupid, and no amount of fixes pushed out in WU will ever change this.

People have allowed far too much credit to be given to Microsoft, especially this stuff about them supporting Windows. Windows is supported by the community. They even get credit for things they have nothing to do with. My two favorite examples were:

- Windows XP SP2 allegedly fixed the malware problem of the RTM era. No, that one was from bad timing and corrected by hardware. When broadband came along it preceded affordable routers with hardware NAT firewalls. People plugged straight into the ISP modem, got their static IP address, used MSIE 6 and then scratched their heads when they got blasted in 24 hours flat. The cure? The hardware came along gradually when routers became in demand because of Wi-Fi and suddenly people were buying real hardware firewalls without even realizing it (few were buying them before they got laptops, their ISP's like AOL or Cable or DSL never even suggested it ). So, by now plugging their desktops in there also ( and they had no choice because modems usually have but one Ethernet jack ) they locked down their "network" accidentally. Fanboys would have us believe it was the software firewall in SP2 that saved the world ( give me a break, it is trivial to alter in XP's registry, it is done easily from a batch command ). XP's timing was simply unfortunate because Internet access was exploding at the same time it was. And the hardware sucked too.

- Vista SP1 allegedly cured all its problems. Not even close. Vista was a victim of the hardware of its RTM era. Actually it was a victim of Microsoft who released an OS more suited for future hardware approximately 3 years into the future. Few people had Core2 Duals and Quads at RTM, most on single-threaded machines and especially underpowered laptops. Fast forward a couple years and Vista would be snappy and nice, whether it was RTM or SP1, on the ever-expanding ( and quite excellent ) Core2 systems. Anything installed on these systems or newer runs excellent. Microsoft had nothing to do with it, except for the initial mistake of allowing a major release to be unsuitable for the average user's hardware. ( and this was exactly the same case at Windows XP RTM too, the hardware sucked in 2001, and was much better by SP2 ).

While a bit off-topic perhaps, this is only to demonstrate how propaganda and/or FUD takes root and becomes part of the history. And I don't mean to slam Microsoft here, just to scold them ( or their fanboys ) for taking credit where none is merited. Unfortunately the security issues are rife with this. People seem to get washed over with relief when they see screens full of vulnerability patches in WU. I feel that is much more placebo then medicine. As so many are about theoretical exploits, edge cases where some buffer is overflowed leading to some hypothetical attack I can't believe the hype.

Just for starters, the original, unpatched, allegedly vulnerable files still exist after the Windows updates ( mostly ). They are preserved in well-known folders hanging off the Windows directory. If these things were show-stoppers they would be destroyed, not saved for a rollback. A smart bad-guy would just write his malware attacker to import functions from these files ( rather than the new "safe" versions ) since he knows full well the locations. Or he would do even more bad things than that.

None of this is to say it is a bad idea to patch Windows files - but it is not the real way to secure the computer. It is more akin to hiding your jewelry and money within your house. The real security starts at the front door ( and back, and side ). Doing the stuff in the house might help or might not depending on the burglar that walks in the front door and how thorough he is. I say lock the door and hide the door and remove the mailbox and telephone. This is done by getting the computer behind a router, and some other stuff.

Anecdotally, my own little experiment is alive and well. This XP computer I am on was inherited by me exactly three years ago. At that point I placed it on a network behind a router, no Windows Updates since ( actually since even before then ), only using an administrator account, not using MSIE, not using AV. None of that has changed. I've done my own security tweaks like killing uPnP on the computer and router and changed the registry so that MSIE can only run if I make it run. And obviously took a fine toothed comb to tasks and services and other avenues ( no stupid applications are phoning home and updating ). To be sure, I take this computer into very dangerous websites intentionally ( places where frightened fanboys would poop their pants ) and no drive-by attacks or phishing trips have arisen. NB: this computer was that of a friend of mine who passed away. In the several years he had it he managed to get blasted several times, and interestingly the first one was through FIOS when the tech hooked him straight into their wide-open router and within 24 hours his Windows XP SP2 was infected, and there were several other occasions later. I decided to keep it as a tribute to him, cleaned it up, added SP3 and my own tweaks. I didn't even wipe out the HDD! So I am using a OS that has been compromised but manually repaired. The point is that security is a multi-faceted subject. The hardware, the software and the user. Focusing on one third of it, the software ( actually less than a third since the OS is a subset of that ) is not enough.

This is an easy experiment to replicate too. Anyone can set up another Windows XP ( or whatever ) system behind a router and try it with no AV and no WU. Just be smart and have an escape plan ( back it up, have a spare cloned HDD ). What have you got to lose? Nothing. Life is too short to live in fear and way too short to wait for AV processes and endless WU. I probably don't require an administrator account most of the time, but that's just part of the experiment. At least I have the ability to run any software without issue anytime I feel like it, any utility, any experiment. Running as admin, with no AV and no WU, that should mean three strikes for Windows XP. Right? Wrong.

[Flasche]

While a bit off-topic perhaps,

No I think you were perfectly on topic. You managed to answer all of the recent questions on this thread

[...] - Vista SP1 allegedly cured all its problems. Not even close. Vista was a victim of the hardware of its RTM era. [...]

I also perfectly agree with you especially on vista. Vista was a victim of M$ who released it too early then plagued it with extreme over advertising just to make as much money off of it.

Fanboys would have us believe...

Now this question is off topic but everywhere I go their is always rants on fanboys. Dont get me wrong I hate them but there is some thing worse than a fanboy http://static.giantbomb.com/uploads/original/0/6470/1461657-hatersgonnahate.jpg

[jaclaz]

Well, in any case I have made the move to Vista x64 Ultimate Edition since I had started this thread, so there's no looking back. [...]

Besides I've migrated now, so I'm good for three years.

In your opinion.

Now, with all due respect, in my own opinion, I'm good for at least the next 10 years: yesterday I've activated my 6th XP Pro SP3 x86 machine (two of which are also bootable into 98SE). MS will stop supporting XP next April... well, it can do that, all right. Myself, I couldn't care less whether it actually does it, or backs off in the last moment.

I don't know. I really don't think that running an unsuported OS sounds safe. And I'll say it again. I think comparing the running of Windows XP with Windows 9x/ME unsupported is foolish. 9x/ME's kernel is way simpler than Windows NT's, which still exists in Vista, 7 and 8. So an attacker of those systems can get to XP as well. So you shouldn't use 9x/ME's security through obscurity as a precedent for how things my go with XP.

I sense a lot of folks think that Microsoft is out to screw with people on Windows Updates. Somehow they believe Microsoft is undermining the system. I really don't think Microsoft is out to mess with it's own products.

JFYI I run a few machines with "outdated" (and out of support) OS since years:

http://www.msfn.org/board/topic/158823-why-you-should-avoid-buying-windows-8/?p=1019348

Now, is it "smart"?

To some extents it is, the stupid machines use the stupid OS they run to do stupid things (like all the things PC's do), in exactly the SAME stupid way they stupidly did that when the respective OS's were mainstream, and they do that in what would be considered an insanely low-powered (as BOTH processing power AND mains power consumption goes).

But of course those machines are not intended to stupidly do the new stupid things like (say) Silverlight or HTML5 sites expect, so it is not a good idea for people wanting to have "recent" software on these "oldish" OS's.

Some "statistics" (number of BSOD's/issues did not change since this was posted):

http://www.msfn.org/board/topic/155290-windows-8-deeper-impressions/page-56#entry1022946

Now, try guessing on which of those 4 machines I once got a virus?

Yes, it was the XP one, and it happened (obviously) when the OS was fully supported, in 2009, and due to "local" compromising (infected USB stick).

Now, please, try stating that comparing running unsupported XP to running unsupported NT 4.00/Win2K is foolish, go ahead, make my day.

jaclaz

[Flasche]

[...] ..."Now, try guessing on which of those 4 machines I once got a virus?

Yes, it was the XP one, and it happened (obviously) when the OS was fully supported, in 2009, and due to "local" compromising (infected USB stick).

Now, please, try stating that comparing running unsupported XP to running unsupported NT 4.00/Win2K is foolish, go ahead, make my day.

Hmm that is indeed very interesting. Personally I haven't used NT 4 or Win2k but nonetheless I have seen similar results with my machines. My Windows 7 computer seems to always catch a case of the flu for when I do my daily checks I remove a daily 1-3 viruses. My Vista machine is much better but I do catch a virus or two once a month. My recent POSReady 2009 came with viruses ( Thanks M$ for not cleaning the install ) but after that was all good and havent seen one since. My windows 98 computer as already stated hasnt had a virus in 6 mounths and that was a freak inncident. I use malwarebytes and Avast with a router firewall. (Upnp is disabled) I do pose a question for you Jaclaz. Are you a heavy downloader like I and always venture the unknown. What browser do you use (I use seamonkey). If you use firefox do you use no script. I do use noscript but only on the 98 computer for extra protection. In the end comparing my computers to yours not only showed whom the safer/smarter user is, but showed the real backbone of security. (the user)

[dencorso]

[...] comparing my computers to yours, not only [has] showed whom the safer/smarter user is, but [has also] showed the real backbone of security (= the user).

What did I say some posts back?

[...] One can try to eliminate all PEBCAK. [...]