
XP OS vulnerabilities after April 8, 2014


vipejc


I have no real reason to cite my statements. I don't care if people question whether I've gone to school for CS or not, or what work I've done. You can choose not to believe me.

 

I'm not saying that what you're saying is wrong, but formally debating your statements.

 

 

Your theory on why they push new OS's is incorrect. Yes, they like money. But they don't make money by having an insecure OS, it has hurt them for years, especially on the server end of things. There is no one saying "Hey how do we get really secure but still be exploitable?" Literally no one ever has said this, because the idea of being 100% secure is just inane to begin with.

 

Yes M$ pushes the new OSes on you so they can make money. That is how they make the bulk of their money, and is why they are changing to a "renting" OS style. (though I do admit that MS does have one of the best OS support lengths especially compared to Linux's) As for security I started to become skeptical of Security being the number 1 priority when somehow an IE vulnerability that has existed for almost 10 years but has somehow, mysteriously, never been discovered until just days after XP goes EOL? (thankfully with this one M$ gave in to public pressure and did release the update for XP)

Link to comment


Flasche, sorry, that first post was meant for submix, not you.

The Linux kernel is a free open source piece of software. Yet decade old vulnerabilities are still found once in a while. It happens.

It is not their number one priority. But they have poured millions into it. I know Microsoft security developers and they're very good, they do their best, and that's what they're paid to do.

Edited by enxz
Link to comment

Flasche, sorry, that first post was meant for submix, not you.

 

I know, I just don't care whether you cite them or not.

 

 

Microsoft security developers and they're very good, they do their best, and that's what they're paid to do.

 

It's not M$, but the NSA which is purposely making companies (whether compliant or not) have the vulnerabilities.

Edited by Flasche
Link to comment

Well, that's certainly an interesting theory if you attribute it to the NSA. I've wondered if they do that myself, and I hope to one day figure it out if I ever do move to MS's security team.

Link to comment

Well...

Hey,


I have no real reason to cite my statements. I don't care if people question whether I've gone to school for CS or not, or what work I've done. You can choose not to believe me.


In terms of other experts, I know of no certification that teaches anything important in this context. I've only seen one ever that has you exploit a service using homegrown exploits. If anyone wants to come in here and say they know more than me and discuss things, by all means.


Stealth mode is useless. A port must be closed to be stealthed. A closed port is still secure. Any open port means you are no longer invisible.


So either every port is closed, and stealth does nothing. Or one or more ports are open, and stealth does nothing. It is a marketing gimmick and is very easy to dismantle logically.


While I may choose to move to MS at some point, as I admire their security team, I have no interest in NSA work (I am ethically opposed to that type of work). I work for a private company with absolutely no dog in this fight.

I think you miss the point. You've come to MSFN citing how much of an "expert" you are in two single topics. You appear to be a self-appointed "expert". I could care less about your credentials but DO dispute that you're (how should I say this) "smarter than the average bear". Indeed, I have already proven "stealth" absolutely works even with TWO PORTS OPENED (ports 21/80). It ABSOLUTELY prevents access to my FTP/WWW! I had to TURN OFF Stealth to access them in ANY case as they appeared INVISIBLE! Please disprove that since I personally know this for a FACT and I do NOT claim to be an "expert". YES, I ABSOLUTELY tested that and went NUTS figuring out what my problem was. Go ahead do the same and prove me wrong. ;)

 

Now, if you have "no dog in this fight" what IS your problem? This Topic (and the other) had to do with vulnerabilities and you have spouted/touted absolute nonsense and argued with OTHER esteemed members.

 

To put this more politely, please go away. :yes:

 

*cough*Windows8Fanboy*cough*TossXP*cough*

Edited by submix8c
Link to comment

Flasche, sorry, that first post was meant for submix, not you.

 

I know, I just wanted to let you know that I dont care if you site or now.

 

Maybe you meant "I don't care whether you cite them or not"? :D

 

@enxz: Welcome back!

While we disagree, it's good to have diversity of opinions around.

Not wishing to rekindle an old discussion at this point, I still remain firm on my main vision that no matter how good the security included, no OS is or can ever be really secure, because what man does, man can undo (or what one human being closes, another human being can pry open, to put it on a more "politically correct" form, which is the norm, nowadays...).

And I also remain firm on my belief that, as Flasche most aptly has already put, PEBCAK (or unsafe user behavior) is more relevant as a source of insecurity than any software/hardware protections that can be added to the OS, so that XP is not so insecure as you insist it is (which is much different from considering it secure).

We do, however, have irreconcilable beliefs, from an ontological POV: you (as I'd expect from a security professional) believe it is possible -- and eventually will actually be implemented -- to have an OS keep secure despite the user, whereas I consider that impossible to be done by physical means alone (and hence restricted to the domain of sci-fi). Even more, to deny a user the ability to engage in risky behavior is actually to deprive him of freedom, on a more philosophic take on it, so I'd really dread such a future, not dream about it. One must be careful what one wishes... :yes:

Link to comment

Maybe you meant "I don't care whether you cite them or not"? :D

 

Why yes I do :blushing: . Sometimes I type too fast for me to render :no:.

 

 

whereas I consider that impossible to be done by physical means alone (and hence restricted to the domain of sci-fi). Even more, to deny a user the ability to engage in risky behavior is actually to deprive him of freedom, on a more philosophic take on it, so I'd really dread such a future, not dream about it. One must be careful what one wishes... :yes:

 

+1 :thumbup

Link to comment

submix,
 

I think you miss the point. You've come to MSFN citing how much of an "expert" you are in two single topics. You appear to be a self-appointed "expert". I could care less about your credentials but DO dispute that you're (how should I say this) "smarter than the average bear". Indeed, I have already proven "stealth" absolutely works even with TWO PORTS OPENED (ports 21/80). It ABSOLUTELY prevents access to my FTP/WWW! I had to TURN OFF Stealth to access them in ANY case as they appeared INVISIBLE! Please disprove that since I personally know this for a FACT and I do NOT claim to be an "expert". YES, I ABSOLUTELY tested that and went NUTS figuring out what my problem was. Go ahead do the same and prove me wrong. ;)


Now, if you have "no dog in this fight" what IS your problem? This Topic (and the other) had to do with vulnerabilities and you have spouted/touted absolute nonsense and argued with OTHER esteemed members.


To put this more politely, please go away. :yes:


*cough* Windows8Fanboy *cough* TossXP *cough*

 


You've misunderstood stealth ports. If you had to enable those ports, is your computer invisible right now or not? It's that simple - right now, with you taking inbound connections, is your computer invisible? The answer is no - a stealth port is a closed port, and if your ports were closed you would not be seeing this text right now.


I have no interest in discussing stealthed ports, it was debunked years ago and there's plenty on that.


My dog in this fight is that users can come to forums looking for advice, as was done here, and what they'll receive is "oh you're secure". That endangers them. People can have their finances crippled by advice like that.


I also don't even run Windows outside of for development so I find it funny I'm being called a fanboy.


As for whether I'm a self appointed expert, whatever, doesn't matter. What I know is that I have education and experience. What I know is that I've hacked systems (legally, I don't do anything blackhat), defended systems, broken complex software, written complex programs, etc. I'd say that doesn't make me a novice, whether I'm an expert or not, and I'm certainly quite qualified to discuss these things.


And if you truly hate my posts so much, that's a shame, but you should try to ignore them if they bother you.


@Dencorso,


Hello again.


I would never deprive a user of access to a system. I don't believe in locking users out of their systems - to me that only means they'll find some way around it, leaving the security gained from such a technique totally lost.


I do believe there is a software solution to most security problems, though. Nothing so far is very close, unfortunately.


While users can certainly cause infections right now, and we can all agree this is a problem, I don't believe it's the user's fault. That's the only difference here.


That said - if a user visits a website on Windows XP compared to 7 or 8, an attack has to be considerably more complex on 8 than on previous versions.


If you look at exploit development guides (like on corelan.be) you'll see how simple basic attacks are. Then they add DEP, and it gets a bit harder. Then they add ASLR and suddenly the tutorials have to get a lot more theoretical, because there's no consistent way around ASLR when implemented properly - the tutorials will only show against improper implementations because only those can be attacked without further vulnerabilities.


But I think all I really wanted to get across is that I stumbled onto msfn again and saw advice that I consider dangerous. I consider it dangerous, and I think maybe others should question whether they should be giving advice on these matters. I personally would not want to feel responsible when someone got infected due to my advice.

Link to comment

As someone who, (in full disclosure, doesn't use XP at this time), has said that I believe that XP can continue to be used safely, I don't have any problem admitting that a standard, default Win8 installation is probably safer for the average user or their mom or grandfather than a standard, default XP installation, in both cases without any third party software installed, thanks to the improved security of Win8 compared to XP, and I really don't think that anyone can legitimately argue with that, nor do I believe that anyone has tried to dispute that in this thread, or other threads on this board.
 
I also don't believe that anyone can argue with the published figures that there have been as many if not more vulnerabilities in other pieces of software besides the OS, Flash and Java being just two examples, than there have been vulnerabilities in the OS itself.
 
And I'm glad to hear that you agree that PEBCAK errors exist and that they are a prime source of computer vulnerabilities, even if you are under the, IMHO mistaken, belief that they can, and should, be solved by yet more software which, IMHO creates an even larger surface for attack and more potential problems and source of poorer performance and OS bloat.  But I'm willing to let that be an area that we agree to disagree.
 
And I'm glad to hear that you do not think that an OS should totally deprive a user access to a system or totally disallow risky behavior, even if it would be safer if it did.  If it did, that would be analogous to making cars safer by coating them with three feet of foam rubber and limiting them to a top speed of 5 MPH.  Just think of how many lives would be saved!
 
But I don't think that anyone here has suggested that a stock XP should be promoted for use by the untrained user or mom or grandfather.  To continue the car analogy that would be like giving the keys of a Ferrari to an untrained and unlicensed 14 yr old and telling them to "Have fun!"
 
But I, and dencorso and others, believe that XP and other older OS can be used safely by users that:
 
1. have been trained to at least minimize the PEBCAK errors
2. keep all their other apps updated
3. include, and keep updated, appropriate third party anti-virus, anti-malware and software firewall apps
4. use an external hardware router with included "hardware" firewall
5. make regular backups of both the OS and user data, just in case
6. don't use IE unless you absolutely have to (my personal opinion)
7. think about what they are doing and use common sense
 
Even if you do all the above, regardless of what OS you use, is this still true?:
 

... if a user visits a website on Windows XP compared to 7 or 8, an attack has to be considerably more complex on 8 than on previous versions.


Probably, but not enough to affect the user AFAIK. IMHO a user who does all the above is not likely to ever notice the improved security of Win8 compared to XP.

 

<rant>

And while there were definitely safety improvements in Win8, surely you can't believe that other "improvements" in Win8, such as the UI and the reliance on the store, were added strictly for the user's benefit, do you? You don't think that there might not have been the tiniest bit of MS self interest involved, or the desire by MS to make a buck or two, or ... (add whatever other accusation that has been leveled at MS) ... ? And yes, I agree and understand that every business that has ever existed has to have had at least some self interest or it didn't survive. But MS and their "fanboys" don't seem to want to admit that there were any altruistic thoughts involved at all. "It was all for the benefit of the user." Yeah, right, sure. :sheesh:

 

<OT>

And I won't even try to talk about the impact that the NSA and all other similar organizations worldwide have had, because I'm sure their influence has affected everything they could, from cell phones, communications, transportation, TV, travel, security and surveillance systems, etc, not just computer OS. All in the name of protection and increased security, and unfortunately seemingly necessary in this day and age, but at what cost?
</OT>

</rant>

 

Anyway, no one has said that XP is as "safe" as Win8. We have just said that an XP user can be safe. Using an older OS can be hard work, the older the OS, the more work involved. But it can be done.

Cheers and Regards

Edited by bphlpt
Link to comment

A great discussion going on here ... I want to add and also ask a question dealing with XP security.

 

First, when the last XP updates were released April 8th, I waited about two weeks and then did an image backup, after getting everything as "near perfect" as I can ... that would be cleaning the registry with my 5 cleaners, getting rid of all junk and unnecessary stuff, running Malwarebytes and finally doing a registry defrag and regular defrag ... there are several other things I also do in between but just to make my point ... after I've done everything on my "checklist", I then proceed to make the image backup.

 

OK, I had that completed and then MS released that "one last" XP update so naturally I waited one week and made another image backup on May 8th that now has "all" the final XP updates in a 100% perfect backup ... usually find something I missed but so far I have not, my checklist seems to have been perfect so far this time around.

 

I only mention all this as a heads up to get a good image backup made for any "future" problems ... should a person mess up or get their XP setup messed up, they will have a very simple solution to get back to May 2014 when they did have a 100% perfect working XP setup and then if need be ... they can experiment with software or fix any problems that have come along.

 

With XP slowly fading into the sunset (very slowly fading) that "image" backup will probably be a lifesaver countless times in the future.

 

All this is just a mention for newer readers who are still on XP for the future.

 

Now my question dealing with security ... again for new readers who may not be aware of these two programs.

 

I don't hear much mention these days of using SpywareBlaster and an updated Hosts file. I certainly use both on my machine and feel they both can offer good extra protection for a person's XP setup. Just like to hear opinions on using SpywareBlaster and a Hosts file and just how much a benefit they would be?

 

SpywareBlaster

 

http://www.brightfort.com/spywareblaster.html

 

 

Hosts File ... updated

 

http://winhelp2002.mvps.org/hosts.htm

 

...

Link to comment

I don't hear much mention these days of using SpywareBlaster and an updated Hosts file. I certainly use both on my machine and feel they both can offer good extra protection for a person's XP setup. Just like to hear opinions on using SpywareBlaster and a Hosts file and just how much a benefit they would be?

 

SpywareBlaster

 

http://www.brightfort.com/spywareblaster.html

 

 

Hosts File ... updated

 

http://winhelp2002.mvps.org/hosts.htm

 

...

 

I personally like Spywareblaster. It is good at removing a lot of tracking cookies and other spyware (hence the name of the app). I personally use 2 anti-virus (Avast and clamwin/sentinel) 1 anti-malware (Malwarebytes) then 2 anti-spyware (SuperAntiMalware, Spywareblaster). (with the two AV's I had to white list their folders from each other so they don't try to kill each other) Having two using real time protection is not a good thing and not recommended, but I never had an issue (still wouldn't do it though).

 

EDIT: If you're still wondering you can look at some reviews here http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html (if you like cnet)

 

Another thing to note, is that I now use SuperAntiSpyware as my main spyware, IMO I thought that SuperAnti was better.

Edited by Flasche
Link to comment

A great discussion going on here ... 

Actually it is seemingly the SAME one that ALREADY went on here :yes:::

http://www.msfn.org/board/topic/163539-are-ms-updates-for-xp-really-necessary/

 

The only "news" are seemingly that Kelsellenenvian has an "incredibly simplistic view" on the matter and that no one here is qualified to give security advice, and that the fact that we are giving it is dangerous.

 

No doubts :( about the dangerousness of giving security advice, some doubts :yes: on how people become qualified for giving it :unsure: compare with the renowned expert Armand Gracious http://www.msfn.org/board/topic/127283-experts-say/ , but the point is obviously that no one is actually doing anything more than expressing one's own opinions on the matter.

 

jaclaz

Link to comment

(sigh...)

You've misunderstood stealth ports. If you had to enable those ports, is your computer invisible right now or not? It's that simple - right now, with you taking inbound connections, is your computer invisible? The answer is no - a stealth port is a closed port, and if your ports were closed you would not be seeing this text right now.

No, sir, you misunderstand. Post#39

Bear in mind, that it's using my external Dynamic IP provided by my ISP (the one the Router sees) and my Firewall (3d Party) does NOT have "Stealth Mode" set. I get a different result if the Firewall has "Stealth Blocked Ports" enabled. -AGAIN-, I have FTP/HTTP ports passing through the Router and have some "special" settings in the Firewall itself (for e.g. Local File Sharing, etc.). -ALSO- note that I do NOT have my Main PC on the Router in the DMZ.
Note that I said "Firewall (3d Party)" and that I did NOT set it in the Router.

 

Incoming Requests to Ports21+80 are Port Forwarded to my Website. When the FTP/HTTP Services are not running, the port is Closed.

 

When I set it OFF in the SW Firewall and using the GRC Website, it shows Ports# 0->39+80 as Closed (Blue) but not "Stealth" (Green) of which all others are indicating. Open Ports are indicated by Red, of which none show that. Now, when I set it ON in the SW Firewall the result is Ports#0->20+22->71 are showing Closed (Blue) and all others (including Ports#21+80) are "Stealth" (Green). Note that the SW Firewall specifically states "Stealth Blocked Ports", not a WORD about "Unblocked" or "Closed" Ports.

 

Now, where YOU, sir, are missing the boat is the fact that these are INCOMING, and NOT Outgoing. Stealth Mode is SPECIFICALLY for INCOMING, so yes, I CAN see this text. As a matter of fact, I'm typing this right now with the 3d Party Software Firewall set Closed. IOW, I am accessing MSFN via their WWW-Port. For a certainty, I can't seem to get to MSFN via the actual IP obtained by "ping" or "tracert" as it reroutes me to "<ip>/cgi-sys/defaultwebpage.cgi". Why, I don't know, as it's a Static IP and -may- use an entirely different port (I'm not going to bother to check that).

 

I'll be back to edit this for the Router Firewall Test -and- provide the pertinent screen shots.

 

(I despise FUD...)

Link to comment

submix,

I obviously know that stealth is for incoming and you still don't get what it does. All a stealth port is is a closed port that doesn't send a signal back or sends an ICMP timeout signal back. It's just a closed port in the end. So either all of your ports are closed and you are "invisible" or all of your ports are closed except for some and you are no longer invisible, whether 99% of them are 'stealthed' or not. It's very simple. You can google for more.

tl;dr: The only way stealth ports keep you invisible is if you close every single port. If you close every single port you're going to have a fun time trying to connect to the internet, as you've already seen since when you stealthed your 80 you ended up blocking traffic. So now you're left with a system that has all ports 'stealthed' (closed with a lack of response) and one port (more, in reality) open, completely defeating any 'hidden' attribute it may have given you.

Your screenshots will show exactly what I'm saying. You've just misinterpreted the results.

@bphlpt,

Multiple users have argued that XP is more secure than 8, or at least that's how it's come off. But even still, a 'locked down' XP is just a misunderstanding of how programs are secured.

ex: You can say "Oh, I've sandboxed program Y" but unless you understand the sandbox, it's meaningless. Sandboxing is enforced by the kernel, at best, which means that weakness in the kernel means weakness in the sandbox. Without understanding how those weaknesses manifest one can not simply say "I'm more secure because I used a sandbox" - you need to know quite a lot more.

I am not a fan of Windows 8 or really MS as a company. At no point have I said that they aren't profit driven. I've said that they will make less money if they are not secure, and that their security team has done solid work.

So let me put it this way: XP users can not be safe. XP users can be lucky.

@jaclaz,

People should be very careful about stating opinions in ways that seem like they're stating facts.

Yes, this conversation is truly more of the same. No doubt about it, that last topic is quite similar.

Edited by enxz
Link to comment
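
The open / closed / "stealth" distinction the post above turns on, as an added Python example that is not part of the original thread: it classifies a TCP port by how a connection attempt ends and applies the post's argument that a host is only undetectable when no probed port answers at all. The function names and the sample scan tables (loosely modelled on the GRC results described earlier in the thread) are constructed for illustration.

```python
import socket

def probe(host, port, timeout=0.5):
    """Classify one TCP port by how a connect() attempt ends."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"         # handshake completed: a service is listening
        except ConnectionRefusedError:
            return "closed"       # RST came back: no service, but the host answered
        except socket.timeout:
            return "stealth"      # nothing came back before the timeout
        except OSError:
            return "unreachable"  # some other error, e.g. an ICMP error was reported

def host_detectable(results):
    """True if any probed port produced an answer (open or closed)."""
    return any(state in ("open", "closed") for state in results.values())

def demo_local():
    """Show open vs. closed on the loopback interface, with no firewall involved."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close

# Constructed scan tables (port -> state), not captured data.
ALL_SILENT = {21: "stealth", 80: "stealth", 443: "stealth"}
SILENT_EXCEPT_WEB = {21: "stealth", 80: "open", 443: "stealth"}
MIXED_CLOSED_AND_SILENT = {20: "closed", 21: "stealth", 80: "stealth"}

if __name__ == "__main__":
    print("loopback listener, then closed:", demo_local())
    for name, table in [("all silent", ALL_SILENT),
                        ("silent except 80", SILENT_EXCEPT_WEB),
                        ("closed + silent", MIXED_CLOSED_AND_SILENT)]:
        print(f"{name}: detectable={host_detectable(table)}")
```

The "stealth" branch only fires when a packet filter drops the probe, so the loopback demo exercises the open and closed cases; the silent case is represented by the constructed tables.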

So let me put it this way: XP users can not be safe. XP users can be lucky.

 

That's the problem. It's not XP user can only be lucky, but ALL Windows users can only be lucky. Infection is normally caused by PEBCAK, and, it also all goes down to the probability of YOU being attacked.

Edited by Flasche
Link to comment