Microsoft warns of post-April zero day hack bonanza on Windows XP

Microsoft has a Windows XP problem: people still like it and aren't willing to upgrade just yet. So it's warning users that if they don’t upgrade soon, hackers will lie in wait each new Patch Tuesday to reverse-engineer a full set of new vulnerabilities. "The very first month that Microsoft releases security updates for …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Wait, hear that?

Common sense is breaking out at Microsoft.

4
15
Anonymous Coward

Re: Wait, hear that?

Common sense? For the shareholders perhaps.

But the deliberate creation of a situation of 100s of millions of machines on the internet open to vulnerabilities published by M$ is cyber blackmail on a gargantuan scale. This policy, based entirely on M$'s need to generate revenue from new OS license sales, could result in a step increase in the proportion of compromised devices on the Internet from which to launch attacks on everyone else.

53
9
Silver badge
Linux

Re: Wait, hear that?

What might be considered blackmail by some could be considered the required motivation to get off my arse and install Linux on the wife's machine by others.

59
6

This post has been deleted by a moderator

Silver badge
Alert

Re: Wait, hear that?

What are they supposed to do, retard? Not patch win7 boxes? Continue to piss away resource on patching XP boxes after twelve fucking years?

Hey, your retard is showing. ;) Of course MS shouldn't be obliged to support what amounts to a really, really ancient OS, especially as Win7 mostly does what is needed. But I also suspect that Win7 is probably going to linger as much as XP thanks to the Fabulous Fred UI saddled on Win8.

It doesn't matter what MS do.

Oh, it does matter. A lot. If MS is in fact deliberately adding vulns to an OS, especially one still supported, they are probably liable under serious computer crime laws. I don't think any EULA can exempt them from say the CFAA; I don't think MS has asked their lawyers about the legality of seeding vulns on their OS. It could be interpreted as malicious intent...

15
13
Silver badge
FAIL

Re: Wait, hear that?

They're not seeding vulns, they're patching them. The problem is they won't be creating patches for XP, so any vuln that is common to XP and 7 (or 8) will, effectively, lead to them disclosing the details of the vuln despite XP remaining vulnerable.

Did you just read the headline? It's not a particularly complex concept....

20
3
Silver badge
Pint

Re: Wait, hear that? @Ben Tasker

Ah, I had mis-read the paragraph mentioning the "permanent 0day". What the dude from MS actually says is that the first everything-but-XP patch would fix vulns and that clever reverse engineering would uncover what the vuln is, and thus a new 0day is "born" for XP. I had read it as "next patch update will open vulns". Must be my brain saying "It's Friday, go out already!".

It does make sense then. At least most companies do seem to be currently on the XP to 7 migration process, so hopefully it won't be much of an issue come April 2014.

2
0
Silver badge
Mushroom

Re: Wait, hear that?

Cheeky Fuckers.

Upgrade or we'll tell people how to break your stuff and steal things.

Blackmail.

Common sense? Bollocks.

27
8
Silver badge
Gimp

Be a M$ apologist!

it's the universal indicator of an idiot who believes himself knowledgeable.

5
7
Silver badge

Re: Wait, hear that?

Errm, I don't think they're actually going to disclose what the vulnerabilities are in Windows XP directly. Read the article, it stated there that the information can be deduced by reverse engineering the Windows 7 patch and then applying the principles on Windows XP.

Still, this is a problem … we still support software packages like CitectSCADA 6 which just doesn't run on Windows 7. Moreover, even if it did, the clients for whom we support it, are running it on earlier versions of Windows NT: Windows XP and Windows 2000.

The saving grace is that these machines are firewalled-off from the Internet. They're also owned by organisations with deep pockets (mining companies, defence, etc) so they can afford the security fixes.

That's small comfort for us though as a small business who still needs Windows XP because they still use it, and our network is a bit more open in that there's Internet access.

Guess my only option is to ensure everyone regularly checks their VMs for malware, and works with copy-on-write disk images so that any malware infection can be reversed quickly, whilst ensuring all other systems are kept up-to-date and secure.

7
0

Re: Wait, hear that?

If I were in your shoes, I'd make an 'air gapped' network for your 'CitectSCADA 6' type of support hardware / personnel and let them 'sneaker net' their way to the internet if they need that. This network would be really cheap to set up... Just a switch or two, some cat 5... No routers involved, no firewalls. OK, the Manuel Labour admin work might be a slight pain, but you DID mention some support for someone called 'defence', yeah?

6
0
Anonymous Coward

Re: Wait, hear that?

I hope you're right. After all, it wouldn't be the first time that a SCADA system owned by a group with deep pockets was compromised across the internet. Stuxnet attacking the Iranian nuclear program via SCADA vulns springs to mind.

It's all very well to be air gapped, but doesn't count for much when you have muppets wandering round with USB sticks.

9
0
Silver badge

Re: Wait, hear that? @Ben Tasker

So roughly the equivalent of some gentlemen in dark glasses walking around your shop saying "nice place you've got here be a shame if it burned down ! Now can I interest you in one of our fire alarms ?"

10
1

Scada on Windows ?? Deserve everything you get.

N/T

2
5

Re: Wait, hear that?

I've already started to do just that. I've had Ubuntu on trial for over 18 months. It's very good and stable with no driver issues (at least on my hardware), but I don't like Unity and it's a little slow. Now I've installed Mint xfce on the same hardware. I had to fix one issue with graphics drivers on install and still have a minor issue with a Realtek chipset on the wifi. But I like the desktop (Mate) and it's quick. Looks good and will do all that is required. I've also installed it on the wife's Asus netbook, which also works really well without issue.

I've also trialled openSUSE and Debian in the past and still have openSUSE on an old laptop with a Pentium 4 and 512MB of memory. I use it as a jukebox. Works like a dream.

So, MS, the writing is on the wall. The Linux people are getting their act together. I'll be using XP until it dies, and unless there is a compelling reason to stay, I'll be installing Linux next.

17
3
Anonymous Coward

Re: Wait, hear that?

"If I were in your shoes, I'd make an 'air gapped' network"

Does Sneakernet mean anything to you?

Or Stuxnet?

3
1

Re: Wait, hear that?

They have a popular product.

They could keep selling it, keep offering new licenses for it, and keep patching it as long as it's relevant, something that is dictated by the market and not board meetings.

XP is still their most popular OS, the only reason market share has slipped to 2nd is because people are being forced off it / because nothing ships with it. In any other industry it would be identified as the most desirable product and have the most money pumped into it.

XP is still capable of generating revenue.

18
2
Silver badge
Linux

So it's blackmail with Windows and extortion with Android...

Can anyone guess who Google had in mind when they coined the "do no evil" tag?

4
1
Anonymous Coward

Re: Wait, hear that?

Unfortunately you are one of a tiny minority. The problem here is the many, many people with old Windows machines who haven't got a clue about updating them but are connected to broadband. If I wanted to create a botnet, and Microsoft obligingly accidentally revealed a way in to these machines, even if 80% of users had replaced Windows that is still a lot of machines for me to exploit. And in reality it will be more like 2% that change to Linux.

You underestimate the stupidity of the public.

Slightly off topic, Apple don't, and that explains the iPhone.

5
0
Facepalm

Re: Wait, hear that?

Reverse engineering a patch is not "telling" anyone anything. Your blind hatred for MS is making you critically stupid. The only way to not announce to the world what the patch is, is to not release it. Because you can be assured that if MS released patches without some documentation, IT departments around the world would scream bloody murder. Or tell me does linux release patches without documentation?

9
4
Thumb Down

Re: Wait, hear that?

Tell me. Does Apple patch OS's that are 12 years old anymore? Because that is how old XP is. MS has time and time and time again extended out support for XP. At some point enough of this crap. They need to discontinue support for it and use those resources on current OS's.

What you are suggesting would be the equivalent of supporting Windows 3.11 back in 2007 still.

I have no problems with abandoning a 12 year old OS. No matter how popular it may be.

5
7

Re: Wait, hear that?

@Kellic

...but MS is responsible for the extended XP's life when they kept it going to 'save' the netbook line from the 'evil cancer,' Linux. (Vista was too bloated to fit the limits of the netbook's hardware.)

So put the blame on MS for this length of service time!

BTW, if you know someone with an XP box, offer them a dual-boot with a modern Linux; Mint, Ubuntu, or any of the top distros. Using Wine, much of their Windows games and programs can still be used and run ... or they may discover that the Linux programs are valiant replacements, and many of those are already installed with the Linux distro.

3
0
Silver badge

Re: Wait, hear that?

It's FUD, pure and simple.

0
3
Silver badge

Re: Wait, hear that?

The solution is simple. Use a Linux desktop and XP in a virtual machine that is on a separate IP address and prevent any net access from Windows.

Voila. No vulnerabilities and you can still use (closed|)openDogshit if that's a requirement

2
0
Silver badge

Re: Now i've installed Mint xfce

..on the same hardware. I had to fix one issue with graphics drivers on install and still have a minor issue with a realtek chip set on the wifi.

Utterly similar to me. 'Cept I went with Mate. XP still exists in a VirtualBox, for legacy apps, but they NEVER go near the internet, except one old deliberately never upgraded copy of IE6 that I use to test websites on.

Crash rate on the old XP apps is about once per hour using those old apps. Crash rate on Linux... well, the ONLY thing that really messes it up is disconnecting NFS mounted drives; that DOES send the whole system into a total guru meditation as the file browser tries to make sense of things.

In terms of desktop, mail, browser, office suite and the ability to run the odd specialised Windows app, Linux Mint IS XP done properly. Up to date, secure and suits older hardware perfectly.

Ubuntu Unity and windows 8 have gone off chasing a chimera of mobile swipe screens.

If all you want is a reliable machine you can use standard office software and internet apps on, Mint is the top contender.

I actually had to smile when installing a new laser printer in Mint was easier than on XP..

8
1
MJI
Silver badge

Re: Wait, hear that?

So why does Win 7 not allow full screen DOS?

XP does

Therefore some of us still need XP

2
0
Bronze badge

Re: Wait, hear that? @RetroTom

>XP is still capable of generating revenue.

But MS are determined; they don't want that revenue and are prepared to shoot themselves in the foot just to prove the point.

I've always maintained that MS should release XP Second Edition as a paid for new product, which is basically XP SP4 plus the bits they decided for commercial reasons to not release for XP but did include in Vista and Win7 to encourage people to upgrade. Obviously, a companion release for AD and Group Policy would be useful.

5
0

Re: Wait, hear that?

Apple has produced at least six good versions of OS-X in 12 years. They stopped selling the 12 year old version about 11 years ago. Microsoft has produced only one good version of Windows to follow XP in that time. Microsoft was still selling XP licences for new machines (netbooks only, but still new machines) as recently as October 2010, and some of them were still in the channel being sold new as recently as 2011. It's hardly surprising that some of them are still in use.

3
4
Black Helicopters

Re: Wait, hear that?

If I was in MS's shoes, I would open-source Windows XP entirely - Mainly as a way to trip up Linux who is on a dangerous trajectory now, but also to suck in game developers who would otherwise be available for games compatible with open source.

Luckily, Steve Ballmer is still there to destroy shareholder value and drive away business to the competition.

2
1
Silver badge

Re: Wait, hear that? @Ben Tasker

More like "Nice shop you have there, pity your fire alarm isn't working. Can I sell you a new one?"

2
1
Silver badge

Re: Wait, hear that?

"XP is still capable of generating revenue."

Yup. You _did_ see the line about "premium support" in there didn't you?

2
0
Silver badge

Re: Now i've installed Mint xfce

"Well the ONLY thing that really messes it up is disconnecting NFS mounted drives, that DOES send the whole system into a total guru meditation as the file browser tries to make sense of things."

You need to learn about "umount -l"

2
0

Re: Wait, hear that?

"Upgrade or we'll tell people how to break your stuff and steal things."

What? Do they really think we gonna roll over when they bark?

Microsoft is so fucking stupid. Instead of blackmailing their largest customer base they should release a Windows XP mark 2 (upgraded internals from Win7/8 and UI of Win XP).

Why is that so hard? Why so much resistance with Windows XP?

7
3
Anonymous Coward

Re: Wait, hear that?

corrected: "they HAD a popular product."

corrected: "they should keep selling it..."

Like I wrote before. Why not release a Windows XP mark 2? Upgraded kernel and subsystems with the classic XP UI.

Microsoft is a company run by stupid apes. No wonder they team up with Nokia. Idiots meets idiots!

2
1

Re: Wait, hear that?

"Does Apple patch OS's that are 12 years old anymore?"

... and where do they stand? STILL an insignificant blip on the radar. They lost me after they ditched that beautiful brushed metal look from 10.4.x for a ridiculously dated grey gradient 90's look in 10.5 without giving me the option to revert to the brushed metal look (especially when their computers and peripherals finally had brushed metal enclosures).

Apple is as bad as Microsoft. I'd rather have Acorn Computers Ltd. back alive than those 2 crap-corporations. It's all crap these days. Crap phones, crap computers and crap OS's.

2
0
Silver badge
FAIL

Good lord the retards are out in force today

"But the deliberate creation of a situation of 100s of millions of machines on the internet open to vulnerabilities"

Try reading the article for comprehension numbnut.

Good fucking grief, I'm usually getting hammered here for being too anti MS but in this case they are doing absolutely nothing wrong

3
1

Re: Wait, hear that?

I know of a number of large organisation networks running Windows XP where the LANs are not connected to the internet and where USB is disabled. They run, they work, they do the job. Alongside them you can often find smaller LANs that have internet-facing PCs, but totally isolated so that never the two will talk. It is not difficult for organisations to make IT decisions, but the cost of change to W7 is indeed huge. Especially if XP and Office still meet the corporate need.

1
0

Re: Wait, hear that?

Please take time to read the original blog from MS http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx You will find The Register has altered the contents.

Microsoft is NOT introducing new issues, it's just not supporting old ones. So when cross-system vulnerabilities get patched in Windows 7, Windows 8, and Windows 8.1 etc., there will have been no patch for Windows XP; that is what the original blog is saying.

0
1

Re: Wait, hear that?

Sadly I think most did just read the headline, and then the first two paragraphs. I doubt very much if anyone took the time to read the real blog, because it could not be more different to what is inferred by the Reg in this one.

0
1

Re: Wait, hear that?

Please take time to read the original blog from MS http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx You will find The Register has altered the contents.

Microsoft is NOT introducing new issues, it's just not supporting old ones. So when cross-system vulnerabilities get patched in Windows 7, Windows 8, and Windows 8.1 etc., there will have been no patch for Windows XP; that is what the original blog is saying.

CitectSCADA 7 supports Windows 7; other than that you could probably run CitectSCADA 6 in Hyper-V 3 or VMware 9.

RE your virtual disk comment about people thinking they don't need antivirus and updating of virtual machines .. they do need it unless the host is not connected to the internet.

0
0

Re: Wait, hear that?

Apple DON'T support a 12 year old OS, why should Microsoft?

Please take time to read the original blog from MS http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx You will find The Register has altered the contents.

Microsoft is NOT introducing new issues, it's just not supporting old ones. So when cross-system vulnerabilities get patched in Windows 7, Windows 8, and Windows 8.1 etc., there will have been no patch for Windows XP; that is what the original blog is saying.

0
2
Thumb Up

Re: Wait, hear that?

Ahhh, sweet words of someone with an entire mind, and who read the original Microsoft blog .. sadly most have not by the looks of it.

But I blame the reg writer who was untruthful in this article.

0
2
Thumb Up

Re: Wait, hear that?

But, But, .. But .. few took time to read the original Microsoft blog, so they are fired up by the Reg article that is full of trash.

0
2

Re: Wait, hear that?

Of course, when you do upgrade, we'll do exactly the same thing to you again a few years down the line. And that's a promise.

2
0
Anonymous Coward

Re: Wait, hear that?

"XP is still their most popular OS"

No, it's the OS most people are stuck with. Windows 7 is their most popular OS for now at least.

0
1
Anonymous Coward

Re: Wait, hear that?

"BTW, if you know someone with an XP box, offer them a dual-boot with a modern Linux; Mint, Ubuntu, or any of the top distros. Using Wine, much of their Windows games and programs can still be used and run"

Or just upgrade them to Windows 7 for a bullshit free experience that just works...

1
1
Anonymous Coward

Re: Wait, hear that?

"No vulnerabilities"

erm, you realise that most Linux distributions have far MORE vulnerabilities than Windows XP?

0
1
Silver badge
Unhappy

Re: Wait, hear that?

"Microsoft is so fucking stupid. Instead of blackmailing their largest customers-base they should release a Windows XP mark 2 (upgraded internals from Win7/8 and UI of Win XP)."

Not such a great idea - one big reason why people hang on to XP is that older applications that run fine with XP don't work with the Win 7/8 internals, whatever UI you want to put on there.

0
0
Silver badge

Re: Wait, hear that?

"erm, you realise that most Linux distributions have far MORE vulnerabilities than Windows XP?"

So you KEEP telling us. Makes no difference to me I wouldn't use MS OSs if you offered me a free trip to Vogsphere. Guess I'll just have to be careful

(You might actually learn something if you analysed the levels of severity of these 'vulnerabilities' )

1
0
Anonymous Coward

Re: "Linux distributions have far MORE vulnerabilities"

"you realise that most Linux distributions have far MORE vulnerabilities than Windows XP?"

I realise that's what the MS shills say. I hope you're not one.

I have no idea what the claim actually means (kernel? kernel + OS? kernel + OS + apps, for example). Or what is classed as a vulnerability. It wouldn't make sense to compare a fully loaded Linux distribution against a core OS such as Windows XP. But some people might try it anyway.

In fact I have no idea what information people have to substantiate that claim, as although I have seen the claim several times I have not yet seen it substantiated.

There were a few attempts recently to claim that web site defacements were vulnerabilities. Not a good start.

Are you going to have a go at substantiating your claim, or is it just utter rubbish?

CVE?

2
0
