Windows XP is still king


Dibya

On 1/16/2017 at 4:28 PM, FranceBB said:

As we all know, Microsoft did psychological terrorism about Windows XP in 2014 in order to persuade users to move to newer OS. Then, they easily got rid of Vista as it wasn't widely used, and now they are applying the exact same terrorism to Windows 7, using the exact same words used 3 years ago about XP. 

"Care about your security? Then leave Windows 7 says Microsoft"

"The old OS suffers from ‘long-outdated’ security architecture"

"Microsoft is highlighting the security strengths of Windows 10 as the company waves an ‘early goodbye’ to Windows 7"

"Windows 7 is no longer capable of keeping up with the increased security requirements applicable to the PCs of today, and it’s based on long-outdated security architectures"

"Many hardware manufacturers no longer provide drivers for Windows 7, which means that modern peripherals such as printers are no longer recognised."

Ridiculous... just ridiculous... (except for drivers).

Any system can be "secure" if the user is reasonably proactive with their activities online as it relates to security. Example: if I was using risky behavior online I'm sure I could infect a Windows 7 or Windows 10 system in under 10 minutes.

I have been taking apart computer systems since I was a teenager, and feel legacy Windows such as Windows 2000 and XP can be used securely if you don't visit rogue websites, etc. Don't use Internet Explorer! Use a firewall! While these systems no longer receive updates, I don't believe they are really at that much greater risk than newer Windows systems. First, 2000/XP systems are a small target and not worth wasting time attacking. Second, Windows 7 and 10 are constantly receiving updates, which means they are just as insecure as XP, it's just that someone has already found the vulnerability and Microsoft has chosen to fix the vulnerability. I personally don't believe that any new versions of Windows are more secure than the last; it's just that Microsoft has decided to patch the newer ones.

When Windows 2000 was launched, it was the "most secure version of Windows". It ended up being the victim of many attacks during its 10-year lifetime, particularly the Blaster, Sasser and Sobig worms from 2003-2004. When XP was released, it was the same mantra, being more secure than Windows 2000, but it too fell victim to the same worms that plagued 2000. Anti-Spyware 2011 and the Alureon Trojan affected Vista and 7.

No system is impenetrable. Once Windows 10 has been around for some time, we will begin seeing the vulnerabilities of that system. These days, automated computer programs can crack any system once enough algorithms and commands are processed. Certainly, if you can make it, you can break it!



Just dropping by
Man XP is so much more efficient with my T7200 processor than 7 could ever be. My 9 cell battery has ALMOST 4 hours with xp, the battery life is about an hour shorter on 7.

My only issue is watching html videos on kissanime, but I haven't checked the thread addressing this yet.
 


On 1/17/2017 at 8:43 PM, sdfox7 said:

Don't use Internet Explorer!

I don't agree with that particular advice, because while IE seems insecure right out of the chute, it has a VERY GOOD security model under the covers - it's just set up badly by default.  All it takes is a little reconfiguration to be one of the most secure browsers you could run (take it from someone who's never been infected by anything). 

And it's still plenty functional and fast.  I was just panning around that gigapixel CNN inauguration image earlier on my 30" monitor.  Smooth and seamless.

IE gives you control over any number of features (such as running ActiveX, which you should NOT allow) and individual control over Add-ons (of which you should have very few), and zone-based site management (so, for example, you could promote a site you really, really trust to a more permissive zone if absolutely needed).

Every browser could benefit from implementing a DNS blacklist, and IE is as happy as any to have ad sites, malware sites, tracking sites, etc. fail to resolve.  Frankly I don't know why everyone doesn't do it, though setting up a DNS proxy server is a little bit complex.

I find IE works faster than the others.  For me, my home page is on screen literally a tiny fraction of a second after I double-click the IE11 icon on my desktop.  Opening the msfn home page takes about 1 second to display.

I'd certainly agree with the above advice if it were "Don't use Internet Explorer in its default configuration".

-Noel


6 hours ago, JodyT said:

Of course, using Internet Explorer on Windows XP might be a no-no, since it's version 8 ...lol.  But yes, IE 11 gets the shaft for no good reason.  A good browser.

:)

Not to be argumentative here, but...

I used IE exclusively back when I actively ran XP - from 2001 to 2006.  I never got infected.  Are you saying there are new threats that have been specifically crafted against IE8 since XP was in common use?

I've just booted up my XP VM to take a look around and make sure I was remembering correctly......  IE8 has the same ability the modern IE releases have to do things like disable ActiveX in the Internet Zone.  I'm afraid I have to stick to my statement:  If you leave IE set to defaults, you're taking risks.  If you set it rationally, not so much.

IESettings.png

Thing is - security issues aside - I suspect many modern web sites use glitzy new features IE8 can't handle, such as HTML5, so the advice to run a modern version of one of the browsers that still support XP is probably a good one for that reason.

I admit, it is kind of gratifying to see the XP Pro desktop sitting idly with 19 processes using a little over 100 MB of RAM total.  That miserly treatment of RAM certainly was welcome back when RAM was scarce and expensive, and address spaces were limited to 4 GB.  We've gotten used to the newer systems needing 1000 MB or more when idle, but honestly, 1 GB of RAM is now no more of an impact on a well-endowed system than 100 MB was back then, and there are undeniable advantages to 64 bit computing.  And yes, I do remember XP x64 (I ran it for a few years).

-Noel

P.S., a side note on security...  I've recently delved into the OpenSSL library because of some issues it caused with my products and I needed to find a bug in the startup code.  That's the security library many, many products rely on for encryption.  I hate to criticize others' code, but it's no panacea of grace and goodness.  The world's security essentially has been running on what I would call junkware code.  And the design decisions the current developers are making are questionable (for example, it's no longer possible to statically link OpenSSL 1.1 into a DLL and have it unload; they've created a setup where the process has to exit before things are uninitialized - ridiculous!).

It could easily be said that proprietary code (such as is found in the underpinnings of Microsoft's browsers) might be better than what's in OpenSSL.

Edited by NoelC

16 minutes ago, NoelC said:

Thing is - security issues aside - I suspect many modern web sites use glitzy new features IE8 can't handle, such as HTML5, so the advice to run a modern version of one of the browsers that still support XP is probably a good one for that reason.
 

That's basically what I mean.  I actually liked IE 7 on XP (at the time) but not for today's browsing.

:)


6 hours ago, JodyT said:

Of course, using Internet Explorer on Windows XP might be a no-no, since it's version 8 ...lol.  But yes, IE 11 gets the shaft for no good reason.  A good browser.

:)

Yes, my point was that Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 for Windows XP have not been officially patched in nearly three years, not including POSReady or other unofficial updates. Internet Explorer 6 for Windows 2000 has not been patched in nearly 7 years, and is mostly unusable on the web.

At the time of this writing, Firefox 51.x or Opera 36.x are the latest versions available, and are safer to use since they are still being updated even for XP. While XP may have flaws at the operating system level, every OS does and the browser is a critical component for maintaining security.

Even when patches end for those versions, they would still be safer than using a browser that hasn't been patched in three years. Also, IE 8 is problematic on the web in many ways these days. Many websites reject it. Even Chrome 49 is a safer choice even though it hasn't been patched in nine months.

Edited by sdfox7

The main security weaknesses of (unpatched) IE8 and earlier on XP come from its use of older algorithms that now have known weaknesses. If you wish to use IE8 on XP, I strongly recommend installing POSReady '09 updates, then disabling the older, weaker encryption and hash algorithms:

On 12/1/2016 at 1:58 PM, Mathwiz said:

[T]he [POSReady '09] IE8 update (and probably earlier versions) fix a couple of issues most of the Internet says "cannot" be fixed on IE8 on XP:

  • Closes FREAK vulnerability
  • Adds AES support to IE8 (AES was added to schannel.dll many updates ago, but IE8 wouldn't use it)

Of course IE8 is pretty ancient compared to other XP compatible browsers, but at least if you do use it at a secure website, the security will be less likely to be compromised.

One more thing. If you use IE8 with secure websites, you should probably consider disabling the old RC2 and RC4 cipher and MD5 hash algorithms. I've attached a .reg file to do that.

Disable insecure algorithms.reg

You should also disable SSL 2.0 and SSL 3.0 in Internet Options / Advanced / Security. Enable only TLS 1.0.

To use the newer, more secure TLS 1.1 or 1.2 protocols with IE 8, you'll need to install a TLS proxy like ProxHTTPSProxy.

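An added example, not part of the original thread and not the contents of the attached .reg file: a small Python check that reads a text export of the Schannel registry key and lists which of the RC2, RC4 and MD5 entries named in the post above are still not disabled. The subkey names follow Microsoft's documented Schannel layout; the sample export is constructed, and the script assumes that a missing key means the algorithm is left at its enabled default.

```python
import re

SCHANNEL = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
            r"\SecurityProviders\SCHANNEL")
# Schannel subkeys for the algorithms the post names (RC2, RC4, MD5).
WEAK = [r"Ciphers\RC2 40/128", r"Ciphers\RC2 56/128", r"Ciphers\RC2 128/128",
        r"Ciphers\RC4 40/128", r"Ciphers\RC4 56/128", r"Ciphers\RC4 64/128",
        r"Ciphers\RC4 128/128", r"Hashes\MD5"]

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int}} for dword values.
    Real regedit exports are UTF-16; decode the file before passing it in."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def still_enabled(text):
    """List weak algorithms that are not explicitly disabled.
    Assumption: a missing key or missing Enabled value means 'enabled'."""
    keys = parse_reg(text)
    flagged = []
    for sub in WEAK:
        values = keys.get((SCHANNEL + "\\" + sub).lower())
        if values is None or values.get("enabled") != 0:
            flagged.append(sub)
    return flagged

# Constructed sample export: RC4 128/128 and MD5 disabled, RC4 40/128 left on,
# every other weak entry absent.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SCHANNEL + r"\Ciphers\RC4 128/128]",
    '"Enabled"=dword:00000000',
    "",
    "[" + SCHANNEL + r"\Ciphers\RC4 40/128]",
    '"Enabled"=dword:ffffffff',
    "",
    "[" + SCHANNEL + r"\Hashes\MD5]",
    '"Enabled"=dword:00000000',
])

if __name__ == "__main__":
    for sub in still_enabled(SAMPLE):
        print("not disabled:", sub)
```
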

Relying on patching is penny wise and pound foolish stuff, and it puts you under Microsoft's thumb.

Experience has shown me that it's far better to configure systems to avoid visiting the places that present attempts to compromise your browser - whatever one, and however patched - than to trust that all the vulnerabilities have been found (by the Microsoft or OpenSSL teams).  And if you do happen to somehow manage to visit a bad site (e.g., because your blacklist is imperfect), avoid downloading the components that will infect you.

It's like getting bullet-proof glass for your car then driving through the worst neighborhood and hoping nothing gets through - as opposed to just not driving there.

Regarding security breaches through monitoring your communications, the hypothetical likelihood of a determined attacker monitoring and decrypting your comms - vs. discovering some other id*** user's password is still "123456" or "password" seems a bit remote.

-Noel


I'm all for blocking known bad Web sites, and you can find a simple tool for doing so here: http://accs-net.com/hosts/DNSKong.html

But bad sites aren't the only risk to your security online. These days, you could be compromised quite easily by a MITM attack from someone at your ISP. Blocking bad sites will do nothing to prevent that.

And no one is trusting that "all" vulnerabilities have been found, by M$, OpenSSL, or anyone else. But "known" vulnerabilities should still be taken care of, especially when it can be done quickly and easily. If you're still using IE 8, I'd put installing the POSReady '09 fixes for it, followed by disabling known-to-be-weak cryptography via the registry, in that category.

These are not mutually exclusive ideas. Of course you shouldn't tempt fate by driving through bad neighborhoods, but if your key-less entry system has a known weakness, you shouldn't use your superior discretion in route choice as an excuse to ignore the manufacturer's recall notice. Criminals have been known to work in "nice" neighborhoods too.


> [T]he [POSReady '09] IE8 update (and probably earlier versions) fix a couple of issues most of the Internet says "cannot" be fixed on IE8 on XP:
> ...
> * Adds AES support to IE8 (AES was added to schannel.dll many updates ago, but IE8 wouldn't use it)

Are there direct download links for these updates? Thanks.


5 hours ago, Mathwiz said:

These are not mutually exclusive ideas.

Certainly not.  And if only patching didn't come with any risk or downsides it'd be an easy choice.  We just need to be able to trust the people doing the patching.  That's not as easy as it once was.

Never forget that patches could introduce other vulnerabilities, instability, or loss of efficiency.  Possibly more problems than were originally left in and exploited.  The authors caused the vulnerabilities and there's no guarantee they do perfect work when patching.  And let's not forget who laid off their testing staff.

I'm not saying patching is bad.  It's been generally good; updated systems are generally better than those out of the loop.  It's just that it needs to be considered for what it really is, not some oversimplified ideal.

-Noel


8 hours ago, jumper said:

Are there direct download links for these updates? Thanks.

Schannel update with AES 256 support:

http://download.windowsupdate.com/c/msdownload/update/software/secu/2015/10/windowsxp-kb3081320-x86-embedded-enu_d8e991e08445605d85c48425684c7850d1d63a36.exe

P.S. Latest Internet Explorer 8 cumulative security update, by the way (both updates require POSReady 2009 registry tweak to install on Windows XP SP3 ENU)

http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/11/ie8-windowsxp-kb3203621-x86-embedded-enu_4bb8d54d9e0509e9dc96426f9c27e8d984b49df9.exe
Edited by Bersaglio
update, correction

Due to missing some of my old games that aren't available in Linux, I've been giving Windows 7 a spin the last few days on my Dell 330. In spite of putting in a Core 2 Quad 2.66 (which worked great on Linux), the thing still seems to stutter from time to time when I'm running multiple browsers and video files.  I never had that issue in XP and have been considering downgrading to the older, but faster system - also being more compatible with my games.  Win 7 has always seemed like just a bloated version of Windows XP anyways.  My question regarding security issues is this - if I were to use Windows XP again with SP3 fully updated (not sure I would trust going the POS update route due to not knowing what M$ might try to stick in there) along with my usual battery of security programs - how risky do you think it would be compared to your average Ubuntu-based Linux distro?  I've run Linux over the last year with no problems, but I've heard some guys say that it's really no more secure than Windows in reality - it just doesn't have the large following Windows does and thus is less of a target.  What do you guys think?

