Jump to content

Windows XP patched to avert new outbreaks from three more NSA exploits

But why Microsoft?

 

Source: Ars Technica UKMicrosoft (Windows Blog) 

Quote

On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of "destructive" exploits developed by, and later stolen from, the National Security Agency. (emphasis is mine)

 

winxp.jpg.a4cb00c9a3f371878f39c07f28bbd539.jpg

 

But why? I thought Windows XP is already unsupported? Wouldn't that hurt Microsoft more?

Quote

According to this updated Microsoft post, Tuesday's updates include fixes for three other exploits that were also released by the Shadow Brokers. A Microsoft blog post announcing the move said the patches were prompted by an "elevated risk of destructive cyberattacks" by government organizations.

 

"In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations," Adrienne Hall, general manager of crisis management at Microsoft, wrote. "To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows.

Preventing another WCry outbreak

In a separate blog post, Eric Doerr, general manager of the Microsoft Security Response Center, said the move was designed to fix "vulnerabilities that are at [heightened] risk of exploitation due to past nation-state activity and disclosures." He went on to urge users to adopt new Microsoft products, which are significantly more resistant to exploits, and not to expect regular security fixes in the future.

 

"Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies," he wrote. "Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly."

 

The only other time in recent memory Microsoft has patched an unsupported version of Windows was in 2014, when it issued a critical update for Windows XP during the same week it decommissioned the version. Tuesday's move suggests Microsoft may have good reason to believe attackers are planning to use EsteemAudit, ExplodingCan, and EnglishmanDentist in attacks against older systems. Company officials are showing that, as much as they don't want to set a precedent for patching unsupported Windows versions, they vastly prefer that option to a potential replay of the WCry outbreak.

You think that Microsoft is doing this for the benefit of their customers, I beg to differ. I see this as indecisiveness. Apple is true to their word when they declare a device to be unsupported. Here's a commentary from Peter Bright from Ars Technica as well:

Quote

Microsoft’s decision to keep patching Windows XP is a mistake

Microsoft officially ended support of the twelve-and-a-half-year-old Windows XP operating system a few weeks ago. Except it apparently didn't, because the company has included Windows XP in its off-cycle patch to fix an Internet Explorer zero-day that's receiving some amount of in-the-wild exploitation. The unsupported operating system is, in fact, being supported.

 

The decision to release this patch is a mistake, and the rationale for doing so is inadequate.

 

A one-off patch of this kind makes no meaningful difference to the security of a platform. Internet Explorer received security patches in 11 of the last 12 Patch Tuesdays. Other browsers such as Chrome and Firefox receive security updates on a comparable frequency.

 

Web browsers are complex. They're necessarily exposed to all manner of potentially hostile input that the user can't really control, and as such, they're a frequent target for attacks. They need regular updates and ongoing maintenance. The security of a browser is not contingent on any one bugfix; it's dependent on a continuous delivery of patches, fixes, and improvements. One-off "exceptions" do not make Internet Explorer on Windows XP "safe." There's no sense in which this patch means that all of a sudden it's now "OK" to use Internet Explorer on Windows XP.

 

And yet it seems inevitable that this is precisely how it will be received. The job of migrating away from Windows XP just got a whole lot harder. I'm sure there are IT people around the world who are now having to argue with their purse-string-controlling bosses about this very issue. IT people who have had to impress on their superiors that they need the budget to upgrade from Windows XP because Microsoft won't ship patches for it any longer. Microsoft has made these IT people into liars. "You said we had to spend all this money because XP wasn't going to get patched any more. But it is!"

 

Bosses who were convinced that they could stick with Windows XP because Microsoft would blink are now vindicated...

 

But the option Microsoft took is the worst of all worlds. It undermines efforts by IT staff to ditch the ancient operating system, and undermines Microsoft's assertion that Windows XP isn't supported, while doing nothing to meaningfully improve the security of Windows XP users. The upside? It buys those users at best a few extra days of improved security. It's hard to say how that was possibly worth it. (emphasis is mine)

5941290da7f2d_Screenshot(146).png.76ca6e4214773d3c398cf50c0416c9c1.png

 

Not to mention, they're not doing their latest OS Windows 10 any favors. Windows XP is a 32-bit operating system released in 2001 and it makes no sense at the moment to keep patching it. Just look at Apple, when they decide to stop supporting an OS or an old device, they do. Do you see Apple still releasing patches for an old iPhone 3GS or a 2008 polycarbonate MacBook running Mac OS X Snow Leopard at the latest? No. 

There is more that meets the eye
I see the soul that is inside

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

Good game Microsoft. 

Ryzen 5 3600 stock | 2x16GB C13 3200MHz (AFR) | GTX 760 (Sold the VII)| ASUS Prime X570-P | 6TB WD Gold (128MB Cache, 2017)

Samsung 850 EVO 240 GB 

138 is a good number.

 

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, mynameisjuan said:

Please stop patching XP and let it die already. 

I know right. I'm a bit concerned that some ATM terminals are still rocking Windows XP under. Terrifying!

There is more that meets the eye
I see the soul that is inside

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

Well, some companies and school/colleges/unis tend to have XP due to hardware support. Some departments use old machines that require XP. 

3 minutes ago, mynameisjuan said:

Please stop patching XP and let it die already. 

Some people need as they have hardware that is supported only by XP. 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

The large majority of business infrastructure around the world still runs on XP, if that goes we're all fucked.

 

Wcry was a big wake up call for security experts and MS.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, Abdul201588 said:

Well, some companies and school/colleges/unis tend to have XP due to hardware support. Some departments use old machines that require XP. 

Some people need as the have hardware that is supported only by XP. 

No one is stopping these institutions to use Windows XP. However, Microsoft is not obliged to keep an antiquated 32-bit OS patched. 

There is more that meets the eye
I see the soul that is inside

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, Abdul201588 said:

Well, some companies and school/colleges/unis tend to have XP due to hardware support. Some departments use old machines that require XP. 

Some people need as the have hardware that is supported only by XP. 

Its up to the company to take proper security measures and upgrade hardware then, if its software then they need to spend money on new software or pay for custom. 

 

XP is a big security hole in a business and I still cant believe how many places are still using XP. 

Link to comment
Share on other sites

Link to post
Share on other sites

This is a good thing. Why are people comparing that they are releasing patches which could prevent malware outbreaks? Even if you think Windows XP is old and should be abandoned, the fact is they machines are still out there running XP. Those machines won't get updated just because Microsoft stop giving out updates, that has already been proven. So why keep patches which are already developed to themselves. 

 

It's like having the cure for AIDS, but keeping it secret because "people need to learn to have safe sex. They won't learn if I give them the cure". 

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, hey_yo_ said:

No one is stopping these institutions to use Windows XP. However, Microsoft is not obliged to keep an antiquated 32-bit OS patched. 

 

1 minute ago, mynameisjuan said:

Its up to the company to take proper security measures and upgrade hardware then, if its software then they need to spend money on new software or pay for custom. 

 

XP is a big security hole in a business and I still cant believe how many places are still using XP. 

I forgot to mention, most of the XP machines are only on the network and have no internet access at all... Although there could be an virus infection from a USB. But at my university all XP machines are on their own separate network and cannot communicate with any other PCs. Basically they have their own network

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, Abdul201588 said:

I forgot to mention, most of the XP machines are only on the network and have no internet access at all... Although there could be an virus infection from a USB. But at my university all XP machines are on their own separate network and cannot communicate with any other PCs. Basically they have their own network

A worm doesn't need an active internet connection to infect. All it needs is a network, preferably a local area network. That is how WannaCry spread. 

There is more that meets the eye
I see the soul that is inside

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

Not sure why anyone is complaining about companies staying XP because of this when companies already pay to have custom updates..... Also windows embedded is supported until 2019 which can be brought over to XP very easily.

Link to comment
Share on other sites

Link to post
Share on other sites

2 minutes ago, hey_yo_ said:

A worm doesn't need an active internet connection to infect. All it needs is a network, preferably a local area network. That is how WannaCry spread. 

I do know that, Like I said the PCs still can infected. But again, they need those PCs for the required hardware. 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

11 minutes ago, mynameisjuan said:

XP is a big security hole in a business and I still cant believe how many places are still using XP. 

You think that's bad, there's a store here in town that still runs their entire business off DOS.  Database, CSM, automation, et al.

Link to comment
Share on other sites

Link to post
Share on other sites

8 minutes ago, Abdul201588 said:

 

I forgot to mention, most of the XP machines are only on the network and have no internet access at all... Although there could be an virus infection from a USB. But at my university all XP machines are on their own separate network and cannot communicate with any other PCs. Basically they have their own network

Isolation based clients are not the worry. Its the XP machines that are on the network and have some kind of internet access that is the problem. I have seen businesses with a ton of customer data on XP machines that are unpatched and if compromised hurts innocent customers.

Link to comment
Share on other sites

Link to post
Share on other sites

lots of businesses pay for custom update schedules for XP. they'll be producing updates until 2019 and probably beyond that. 

 

source: family member works for a big bank, the last XP machines were running on a MS update contract until 2018

idk

Link to comment
Share on other sites

Link to post
Share on other sites

19 minutes ago, Abdul201588 said:

Well, some companies and school/colleges/unis tend to have XP due to hardware support. Some departments use old machines that require XP. 

Some people need as they have hardware that is supported only by XP. 

Okay so they change the hardware, no good clinging onto the past.

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

15 minutes ago, mynameisjuan said:

Its up to the company to take proper security measures and upgrade hardware then, if its software then they need to spend money on new software or pay for custom. 

 

XP is a big security hole in a business and I still cant believe how many places are still using XP. 

Some very expensive (above million dollar) machines out there only work properly with Windows XP. I do see that myself as well. 

My eyes see the past…

My camera lens sees the present…

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, sof006 said:

Okay so they change the hardware, no good clinging onto the past.

Some hardware is too costly and too time-consuming to change - sometimes even impossible. Old OSes are fine, as long as they're airgapped and disconnected from the internet or updated through custom update programs. 

idk

Link to comment
Share on other sites

Link to post
Share on other sites

10 minutes ago, Droidbot said:

Some hardware is too costly and too time-consuming to change - sometimes even impossible

It is never impossible, too time consuming means they are just lazy and cost will always be a thing in IT. There is no excuse not to upgrade these machines. 

 

One of the companies I was a director of IT at, it cost me around $200,000 to replace the XP machines, along with pay developers to recode the 30 or so custom programs that were built before I got there. On the last day of XPs support I just about ripped the PCs out of the hands of the employees that refused to switch to 7. There was a deadline and I stuck to it. 

 

It was time consuming, super costly, but not impossible. Or I could of made the decision to not bother and leave unsecure machines that could be infected and leak millions of credit card and customer data. A half way decent IT department would not let their PC still run XP. 

Link to comment
Share on other sites

Link to post
Share on other sites

I can see reason in the patches: LEGACY SYSTEMS AND TOOLS.

Sure, you shouldn't be using anything legacy anymore (which includes XP), but the sad reality is that XP isn't just a blip on the radar when it comes to active users.

Remember kids, the only difference between screwing around and science is writing it down. - Adam Savage

 

PHOΞNIX Ryzen 5 1600 @ 3.75GHz | Corsair LPX 16Gb DDR4 @ 2933 | MSI B350 Tomahawk | Sapphire RX 480 Nitro+ 8Gb | Intel 535 120Gb | Western Digital WD5000AAKS x2 | Cooler Master HAF XB Evo | Corsair H80 + Corsair SP120 | Cooler Master 120mm AF | Corsair SP120 | Icy Box IB-172SK-B | OCZ CX500W | Acer GF246 24" + AOC <some model> 21.5" | Steelseries Apex 350 | Steelseries Diablo 3 | Steelseries Syberia RAW Prism | Corsair HS-1 | Akai AM-A1

D.VA coming soon™ xoxo

Sapphire Acer Aspire 1410 Celeron 743 | 3Gb DDR2-667 | 120Gb HDD | Windows 10 Home x32

Vault Tec Celeron 420 | 2Gb DDR2-667 | Storage pending | Open Media Vault

gh0st Asus K50IJ T3100 | 2Gb DDR2-667 | 40Gb HDD | Ubuntu 17.04

Diskord Apple MacBook A1181 Mid-2007 Core2Duo T7400 @2.16GHz | 4Gb DDR2-667 | 120Gb HDD | Windows 10 Pro x32

Firebird//Phoeniix FX-4320 | Gigabyte 990X-Gaming SLI | Asus GTS 450 | 16Gb DDR3-1600 | 2x Intel 535 250Gb | 4x 10Tb Western Digital Red | 600W Segotep custom refurb unit | Windows 10 Pro x64 // offisite backup and dad's PC

 

Saint Olms Apple iPhone 6 16Gb Gold

Archon Microsoft Lumia 640 LTE

Gulliver Nokia Lumia 1320

Werkfern Nokia Lumia 520

Hydromancer Acer Liquid Z220

Link to comment
Share on other sites

Link to post
Share on other sites

7 minutes ago, revsilverspine said:

I can see reason in the patches: LEGACY SYSTEMS AND TOOLS.

Sure, you shouldn't be using anything legacy anymore (which includes XP), but the sad reality is that XP isn't just a blip on the radar when it comes to active users.

But Microsoft no longer has responsibility for an operating system they declared obsolete already. It's a sign of indecisiveness in Microsoft's part.

There is more that meets the eye
I see the soul that is inside

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

54 minutes ago, mynameisjuan said:

Please stop patching XP and let it die already. Until they stop businesses will continue to use it and risk not only their data but customers data as well. 

That is a very poor way of seeing things.

Just because consumers were forced to move away from XP, doesn't mean business should move as well.

You do realize that XP was and still is a great OS, right?

If it weren't from the artificial limits that Microsoft wouldn't allow to be lifted from XP; XP would still be the popular OS among consumers today.

Link to comment
Share on other sites

Link to post
Share on other sites

1 minute ago, NvidiaIntelAMDLoveTriangle said:

You do realize that XP was and still is a great OS, right?

That's like saying the Google Nexus One is a great phone (which it was a great phone during its time), therefore Google should keep it officially updated until now. 

There is more that meets the eye
I see the soul that is inside

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

3 minutes ago, NvidiaIntelAMDLoveTriangle said:

That is a very poor way of seeing things.

Just because consumers were forced to move away from XP, doesn't mean business should move as well.

You do realize that XP was and still is a great OS, right?

If it weren't from the artificial limits that Microsoft wouldn't allow to be lifted from XP; XP would still be the popular OS among consumers today.

Poor way of seeing security flaws? Businesses should be the priority to get off XP as they tend to hold on to sensitive data.

 

This is not an argument of if XP is a good OS or not, its about security. 

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×