Is Windows XP still relatively secure?

[sparty411]

The title says it all. I'm wondering what the consensus is around here, in regards to how secure XP is as a daily driver, now that POSReady 2009 updates are finished. I've disabled remote desktop, enabled Windows firewall, enabled my routers firewall.. What are your thoughts? What can I do to lock XP down, security wise?

[dencorso]

On 11/9/2014 at 9:59 PM, dencorso said:

You remind me of Marathon Man: Is it safe?... 

Now, seriously: nothing is safe, but XP is about as unsafe as 10 (maybe even less, now that it's below 2% market share, and MS compilers set Subsystem Version to 6.1 by default... ).
However, security is mainly a PEBCAK, more than anything else. My 2¢, which you asked for. 

[sparty411]

21 hours ago, dencorso said:

Now, seriously: nothing is safe, but XP is about as unsafe as 10 (maybe even less, now that it's below 2% market share, and MS compilers set Subsystem Version to 6.1 by default... ).
However, security is mainly a PEBCAK, more than anything else. My 2¢, which you asked for. 

Understood

The FUD these days is strong, and has made me question my choice of OS. I do intend to continue using XP well into the foreseeable future, but wanted input in regards to whether or not I was being irresponsible by continuing to use it well past EOS.

[HarryTri]

Now that your OS isn't updated anymore you must be more careful. A good antivirus software is necessary in my opinion (you don't mention to have one installed).

[sparty411]

11 minutes ago, HarryTri said:

Now that your OS isn't updated anymore you must be more careful. A good antivirus software is necessary in my opinion (you don't mention to have one installed).

Does ClamAV still receive definition updates? Would that suffice?

[Mathwiz]

I think XP is still OK for day-to-day use, as long as you have a good AV and an up-to-date Web browser, such as one of @roytam1's builds. If you use browser plug-ins like Flash and/or Java, keep them up-to-date also:

For AV recommendations you should check out this thread:

... especially the discussion toward the end of the thread, since XP MSE no longer receives usable updates.

If you have Office 2010 installed on XP, make sure it's up to date too, or at least as up-to-date as possible without breaking XP compatibility:

So, still plenty of updating to do, even without updates to the OS.

One last thing: there was a recent kerfuffle over vulnerabilities in CTF. But you may not need CTF; if not, you can disable it:

 

[sparty411]

5 hours ago, Mathwiz said:

I think XP is still OK for day-to-day use, as long as you have a good AV and an up-to-date Web browser, such as one of @roytam1's builds. [...]

Thank you for compiling all of these together in one post for me! Very helpful!

[Mcinwwl]

Media keep rumouring about how unsafe XP is, but I'm keeping an eye on media news, and no rumour about massive and/or sophisticated attacks targeting XP are present.

Most attacks targeting "home users" are still starting with phishing or compromised website. First you can fight against simply being careful and learning some best practices, plus using e-mail vendor who filters spam well second you can fight back using updated browser and maybe trying some isolation.

Most attacks on home users are still ransomware or fake payments. First you defend yourself by making regular backup, second by using 2FA and being invulnerable for phishing.

No big security hole was found since WannaCry/eternal Blue, so if you have POSReady2009 updates, you shall be secure enough.

So, from home users perspective, sane XP user is still more secure of dumb clicker using whatever up-to-date system.

If you really want to be aware of your outadted systems, you should start with your router, Android devices and iOT, which often contains simples tsecurity flaws "by design" and never get updated.

Really, hat makes me wonder is why people whinning about outdated XP systems don't rush against Android devices being constantly far behind what google updates on daily basis, not even mention totally loosing support after few months

[TrevMUN]

Part of why I come to MSFN is to be aware of any discovered security vulnerabilities that might affect Windows XP/XP64 and what to do about them.

Also, I get great advice on general security practices hanging out here. Through @Sampei.Nihira I learned about NoVirusThanks' OSArmor and I've been using it ever since on all my machines. I also like running Spybot Search and Destroy primarily for its Immunization tool for browsers, and the ability to route a lot of known malware sites to 0.0.0.0 via the HOSTS file, just in case I ever stumble into a trap. (I haven't yet, but I'd rather have that layer of security just in case.)

As far as browsing habits go, I make sure every browser with add-on capabilities has some sort of proactive script-blocking system, such as NoScript for the Firefox-based ones, and uBlock Origin for the Chrome-based ones. I double that up with AdBlockPlus, though mainly I use that to get rid of a lot of the cruft that makes browsing YouTube such an annoyance. (This used to work much more effectively, but YouTube has been redesigned a few times since then.)

12 hours ago, Mcinwwl said:

Really, hat makes me wonder is why people whinning about outdated XP systems don't rush against Android devices being constantly far behind what google updates on daily basis, not even mention totally loosing support after few months

I think the FUD campaign Microsoft (and tech journalists) conducted as April 2014 approached are largely responsible for the general mentality people have regarding XP. I had made my thoughts known about it back then, but both journos and Microsoft themselves really, really wanted people to believe that the moment Windows XP stopped receiving updates, anyone who didn't upgrade would find their computers a playground for zombie botnets, malware, and all sorts of nastiness.

Also, from the gaming side of things, Microsoft already laid the ground for that by denying XP any newer DirectX versions with the release of Vista in 2006. Games slowly stopped providing DirectX 9 support years before, and more and more people started looking down their nose at gamers with XP machines. (Now the process is repeating with Windows 7, as I knew it would. Bleh.)

13 hours ago, Mcinwwl said:

If you really want to be aware of your outadted systems, you should start with your router, Android devices and iOT, which often contains simples tsecurity flaws "by design" and never get updated.

More of a side note than anything, but for almost ten years now I've wanted to try making a router/firewall dedicated PC. I even planned to use the hardware my daily driver desktop, Palouser, had been using until earlier this year when I upgraded her, but her previous setup appears to have a motherboard failure that won't make the parts suitable for 24/7 usage anymore. Haven't really had the need to do so anyway, in recent years I've been renting rooms (apartments are too expensive where I currently work!) and so router management's out of my hands.

Still, this is probably a good reminder that when I do eventually move somewhere and I'll have to be responsible for my own network, I should probably give the "Router/firewall in a PC" project a try. I imagine a PC running PFSense or something would be much easier to keep up to date and upgrade/mantain than a commercial router.