

glnz

POSReady 2009 updates ported to Windows XP SP3 ENU

Posted (edited)
On 4/6/2020 at 5:23 PM, Mcinwwl said:

I mailed them, and they replied:

If they ever release anything for XP, we would first need to verify how it works together with POSReady patches.

That's rather interesting as 0patch has already released something for XP.

If you look on their micropatches' page ( https://0patch.com/patches.html ), you will find the following info posted regarding an 0patch Pro micropatch they issued for:

CVE-2017-0176 Microsoft Windows XP/Server 2003 EsteemAudit

Microsoft Windows XP SP3/Server 2003 SP2 RDP privilege escalation

This CVE was patched by MS with KB4022747 for both XP and POSReady 2009 in June of 2017, while the details of 0patch's efforts in June of 2017 can be found here:

https://blog.0patch.com/2017/06/a-quick-analysis-of-microsofts.html

So there you have it, if anyone wants to take the plunge and run 0patch on an XP-hacked POSReady 2009 system, I would love to hear if any other micropatches get applied.

For instance, even though it's for Windows 7, I'm wondering if the current Microsoft Type 1 Font Parsing Remote Code Execution issue reported by MS in March would have the 0patch micropatch for it applied to XP/POSReady 2009 as well.

Edit:  Regarding my question in the last paragraph, after doing some more research, I believe the answer would actually be no as each micropatch issued by 0patch is "applicable to a specific executable module (usually EXE or DLL), based on that module's cryptographic hash"; therefore, since files such as ATMFD.DLL may have the same name in different operating systems, they would not have the same cryptographic hash.  I suppose if one was concerned about this specific vulnerability in XP/POSReady 2009, the best way to mitigate it would appear to be to simply rename the ATMFD.DLL file which is found in C:\Windows\System32\ as per 0patch's advice.

Edited by XPHomeSP3
grammar & typos; added more info


Believe it or not, there's a poor sod who's having new difficulty with AOL-based verizon.net email on Outlook Express on his XP machine, and he posted his travails at

< THIS THREAD AT DSL REPORTS >

Apparently the issue may be that his Outlook Express does SSL but not TLS.  However, I recall, thanks to the folks on this thread, that there was some kind of update to XP that added some TLS or better TLS to XP.  Was that two or three years ago?  Do you remember what that was, and is it still available somewhere?  (I remember installing it and feeling a wave of technical satisfaction wash over me like a dip in a tropical ocean or a good whisky.)

Stay well and wash your hands for 20 minutes.


Sounds like the same issue I had a week or so ago using Yahoo's e-mail system.
I suddenly found I couldn't send with Eudora, although I could receive OK.
Windows Live Mail 2009 wouldn't work either. I didn't try Outlook Express but I'm sure it would have failed as well.
It appeared that the SMTP server had stopped accepting TLSv1 logins, and the clients concerned could not use anything higher.
I fixed it with a Hermes Mail update to Eudora, which adds TLSv1.2 capability to it.
Someone later reported that it was working again for him on Outlook Express, and I then confirmed that by sending from Windows Live Mail, so it might have been just a temporary glitch, but it was failing to send for several days!
Even if this wasn't permanent, I'm sure ISPs will stop accepting old protocols eventually.
:)

Posted (edited)
16 hours ago, glnz said:

However, I recall, thanks to the folks on this thread, that there was some kind of update to XP that added some TLS or better TLS to XP.  Was that two or three years ago?  Do you remember what that was, and is it still available somewhere?

Starting from January 2018, TLS is a recommended standard for email, see RFC 8314.

There were some updates and multiple fixes for encryption, cryptography and other security issues in Windows POSReady 2009 added in 2015-2018. The most important are:

  • Added support for AES-128 and AES-256 encryption (2015+)
  • Added support for SHA-2 (SHA256, SHA384, SHA512) hashes (2017+)
  • Added support for TLS 1.1/1.2 (2017+)

However, there is missing support for TLS extensions and TLS 1.3 (standard since August 2018):

  • If the server side uses the extension for Server Name Indication (SNI, 2003+), you can ignore warnings that the certificate is issued for another domain. SNI was added to Vista.
  • If the server side uses Elliptic Curve Cryptography (ECC, 2006+) for digital signing in the certificate, you can do NOTHING. Windows XP libs cannot verify such a certificate and cannot connect to the server.

There are some programs which use either updated OpenSSL libs or a Gecko-based engine and can properly work with TLS 1.3 and TLS extensions. For example, Eudora OSE is a fork of Thunderbird so it uses the Gecko engine, but it is outdated (2010), so it may not work properly with TLS 1.3 or extensions for TLS 1.2 updated in 2011.

Edited by Usher

12 minutes ago, Usher said:

If the server side uses Elliptic Curve Cryptography (ECC, 2006+) for digital signing in certificate, you can do NOTHING.

True, but luckily there's ProxHTTPSProxyMII which gives you ECC support system wide and works fine on XP, although some websites are not particularly happy when it handles them and break. But generally it works fine.


Here's a new blow - SpiderOak (which has a great totally-encrypted backup and sync-across-devices app) has just recently changed its security certificates so that SpiderOak on an XP machine (using SpiderOak One version 6.1.5, the last version that worked on XP) no longer connects to anything.  No backup or sync on my XP.

Those annoying Swiss!  We have them surrounded - let's invade.

23 hours ago, FranceBB said:

there's ProxHTTPSProxyMII which gives you ECC support system wide and works fine on XP

I'm not sure about TLS 1.3 support with this proxy and I don't remember which crypto libs it uses, so I didn't mention it. Could you provide these details, please?

7 minutes ago, Usher said:

I'm not sure about TLS 1.3 support with this proxy and I don't remember which crypto libs it uses, so I didn't mention it. Could you provide these details, please?

It doesn't have TLS1.3 support yet, however it has ECC support which means that websites using TLS1.2 and ECC will work on XP on every program. Now, the cherry on the cake would be TLS1.3 support. Anyway the project is open source and written in Python 3.x, so if anyone wants to help, please do it.


Dear Anti-Swiss Army Comrades --

I just posted the following at that DSL thread - but what do you think?

Quote

Woof Woof and Elzar - My Outlook 2003 on my XP machine continues to work with my crappy email account at [myname]@verizon.net. I had been using Outlook Express until about a year ago, and that also worked.

Could it be that your Internet Option settings are holding you back? Outlook Express is intimately tied to those settings.

Control Panel - Internet Options - Advanced Tab - scroll all the way to the bottom and see what SSL and TLS options are checked. Right now, I have SSL 2.0 and 3.0 and TLS 1.0 checked, and my TLS 1.1 and 1.2 are UNchecked. I don't remember why.

(By the way, I am plagued by duplicating emails from only verizon.net, not my other email account. There is constant re-downloading, and it is much worse the last few weeks than before.)

What do you see?

Is the above related to anything interesting?  And why do I have TLS 1.1 and 1.2 UNchecked?

Posted (edited)
22 hours ago, glnz said:

I just posted the following at that DSL thread

It's not a problem with DSL, I'm afraid, it's about email.

In short, if you don't use any proxy or antivirus scanning email messages, use the following settings for email:

  1. Turn off all SSL versions, turn on all TLS versions in Internet Options (TLS 1.1 and 1.2 are unchecked by default during update)
  2. Check (turn on) secure connection for all email accounts in Outlook Express and set proper connection ports:
       • SMTP: secure connection, port 587
       • POP3: secure connection, port 995
       • IMAP: secure connection, port 993

Some mail servers may still work with port 465 for secure SMTP connections, but port 587 is a current standard.

If any account is unavailable at all in Outlook Express, open webmail for that account in Firefox and check security/encryption properties for that connection. For example, for msfn.org forum you can see the following info in technical details:

Encrypted connection (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256-byte keys, TLS 1.2)

Acronyms starting with EC are for ECC, which is unsupported by Windows XP, see ECDHE above.

Note that:

  • Encryption details are negotiated starting from the strongest protocols, so OE may work for some account even if Firefox negotiates ECC use in this case.
  • Some email servers (for example Gmail) allow the use of weaker protocols for email clients if you change settings in webmail.

If you need more info, search for other, more adequate topics.

Edited by Usher
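
The check described in the post above, as an added example (not code from the thread or from any project it mentions): `xp_blockers` takes the protocol and cipher suite a modern client negotiated and reports the parts the thread says XP cannot use, and `probe` repeats the handshake while offering only non-ECC suites, since a server may accept those even when Firefox negotiates ECDHE. The function names, the stand-in suite list inside `probe`, the host name in the comment and the sample values are assumptions made for this example.

```python
import smtplib
import socket
import ssl

# Rules as stated in the thread (not taken from Microsoft documentation):
# keep TLS 1.0-1.2 enabled, SSL off, no TLS 1.3, and nothing ECC-based.
USABLE_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

def xp_blockers(protocol, suite):
    """List the reasons this negotiated session is out of reach for XP."""
    reasons = []
    if protocol not in USABLE_PROTOCOLS:
        reasons.append(f"protocol {protocol} is outside TLS 1.0-1.2")
    # Works for IANA names (TLS_ECDHE_RSA_WITH_...) and OpenSSL names (ECDHE-RSA-...).
    tokens = suite.upper().replace("-", "_").split("_")
    ecc = sorted({t for t in tokens if t.startswith("EC")})  # ECDHE, ECDH, ECDSA
    if ecc:
        reasons.append("ECC required: " + ", ".join(ecc))
    return reasons

def probe(host, port, starttls=False, xp_like=False):
    """Handshake with a mail server; return (protocol, cipher suite name)."""
    ctx = ssl.create_default_context()
    if xp_like:
        # Assumption: RSA key-exchange AES-CBC suites stand in for XP's offer.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers("AES256-SHA:AES128-SHA")
    if starttls:  # port 587: plaintext SMTP upgraded with STARTTLS
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.version(), smtp.sock.cipher()[0]
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # 993, 995, 465
            return tls.version(), tls.cipher()[0]

# Constructed samples; the first is the suite quoted in the post.
SAMPLES = [
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-ECDSA-AES128-GCM-SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "AES256-SHA"),
]

if __name__ == "__main__":
    for proto, suite in SAMPLES:
        print(proto, suite, xp_blockers(proto, suite) or "no blocker found")
    # Live check against your own provider (hypothetical host name):
    # print(probe("mail.example.net", 993, xp_like=True))
```

An `ssl.SSLError` raised by `probe(..., xp_like=True)` means the server refused every non-ECC suite that was offered.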

Posted (edited)

I'm updating an older XP Home installation (2011), and it's gone fairly smoothly for the most part, but I seem to have hit a snag with the .Net Framework 4.0 updates.

They all fail with error 0x800B010B.

I'm sure this has been encountered and solved several times over throughout the course of this thread, but I have very little desire to scan through 200+ pages at the moment :)

EDIT: I should clarify that I've also used the dotnetfx cleanup tool and reinstalled the whole of dotnetfx 4.0 + updates, and I've applied the POSReady hack before doing so.  I should also note that all the updates that are failing are post-2014 and are designated as being for Windows XP Embedded, which could be the problem, maybe.

I note also that every post-2014, non dotnetfx40-related update has installed successfully as far as I can tell.

c

Edited by cc333
clarification

On 4/14/2020 at 10:53 PM, cc333 said:

I'm updating an older XP Home installation (2011), and it's gone fairly smoothly for the most part, but I seem to have hit a snag with the .Net Framework 4.0 updates. They all fail with error 0x800B010B. I'm sure this has been encountered and solved several times over throughout the course of this thread, but I have very little desire to scan through 200+ pages at the moment 

I suspect that you are asking in the wrong topic. It looks like you have missed updates for certificates (rootsupd, rvkroots) and possibly some other updates described as optional (f.e. timezones). It's really hard to guess with so many updates…


Great news - SpiderOak One's latest version 7.5.1 is working on my XP!  Call off the invasion of Switzerland!  Retreat!  Retreat!

I didn't mean what I said.  I LOVE the Swiss.  Swiss chocolate, Swiss watches, and old Swiss girlfriends!!!

Grüezi mittenand!

Broscht!

39 minutes ago, glnz said:

Call off the invasion of Switzerland!  Retreat!  Retreat!

Hahahahaha

Fun fact, the last time I was in Switzerland was two years ago. I was planning to go back there again in the summer to visit CERN but then this whole global mess called coronavirus happened... :'(
