Windows XP patched to avert new outbreaks from three more NSA exploits

[Droidbot]

1 minute ago, LAwLz said:

You still have to worry about inside threats.

That's true, but if you have that problem, there's more to worry about. 

[LAwLz]

17 minutes ago, Droidbot said:

That's true, but if you have that problem, there's more to worry about. 

Well the problem would be having 1 computer infected compared to maybe 5 computers infected. I know which scenario I'd prefer.

With laptops and BYOD getting more and more popular, there is always a risk of someone bringing an infected computer with them from outside to inside the network, without them even realizing it. Even people with no harmful intentions can be a threat from inside.

[mr moose]

2 hours ago, leadeater said:

That's both an issue of the software vendor not updating their software, not something a business can control, and not enough demand for them to do it, something an business can control but only as a collective. Parallel ports work perfectly fine on operating systems after XP it's just that a lot of hardware stopped including them. There are USB to parallel adapters that do work just have to do the required research to find them. Got a friend who is an electrical engineer who hit this exact issue.

 

A student management system for a university is very complex and has their own set of government regulations that need to be followed. Complexity isn't importance and I wouldn't write off what we do as lesser to a bank or a hospital. Not only do we train many nurses and doctors we operate the very same equipment and are licensed to carry out procedures as well for training purposes, we also have one of the worlds most respected veterinary surgeries.

 

I don't really want to debate the medical industry as I already said previously that is something I know very well and could talk about in much more length than I'd ever really like to.

 

And that's where I disagree, a lot of them are not genuine reasons they just sound like that until you dig deeper and understand much of it is nothing more than giving it a very low priority.

 

Take the earlier example I gave of the fax server of medical lab test records, that system could have been replaced so many times so much sooner and yet it wasn't. It's not even that expensive and now analogue fax is so outdated it's very hard to replace it and the software isn't IP fax compatible, self inflected issue right there.

 

If your student system crashes patients don't die and people don't have banks foreclose on their mortgage or close their accounts.  It's not about complexity but about damage mitigation.    As for the rest it seems to be your experience versus mine.

 

 

[leadeater]

23 minutes ago, mr moose said:

If your student system crashes patients don't die and people don't have banks foreclose on their mortgage or close their accounts.  It's not about complexity but about damage mitigation.    As for the rest it seems to be your experience versus mine.

Yea I'm not writing off what you are saying is wrong or the examples aren't true but a large number of XP systems that haven't been upgraded could have been and that percentage of XP systems likely doesn't include those embedded systems as well. The actual number is likely a good few percentage more if you take in to account those types of systems which aren't networked or never go on the internet.

 

Many of the XP systems that have been upgraded could have been done in a much more timely manor, so many were left until after the end of extended support.

 

It's also very rare for an IT system crash in a hospital to cause deaths but I do get what you are saying. More for interest sake but I have witnessed one first hand and these articles don't even cover the three previous failures that were withheld from being published due to public safety and trust concerns 

 

http://www.stuff.co.nz/manawatu-standard/news/10382358/Aged-IT-training-lack-blamed-for-hospital-outages

http://www.stuff.co.nz/manawatu-standard/news/9843514/Review-studies-hospital-system-crash

http://www.stuff.co.nz/manawatu-standard/news/71048861/hospitals-3m-puzzle-about-to-be-completed.

 

The cause of the crash was due to a cascade disk failure and the reason it took so long to fix was the SAN was so old HPE didn't have parts or anyone left in our country trained in the system, they were very lucky another company still had a full working model up from it that was decommissioned but not actually thrown away. Those failures alone cost them more than what it would have cost to replace it and funding was denied simply due "It's running fine and we have more important things to spend money on", well hindsight disagrees with that assessment and lessons should be learnt from past mistakes.

 

All I'm advocating for is a culture and mindset change so this type of thing just isn't inherently accepted and treated as normal when it shouldn't be, systems need to be maintained and upgraded plan for it and do it.

 

Edit:

FYI that upgrade mentioned in the article still hasn't been completed....

[mynameisjuan]

9 minutes ago, leadeater said:

 systems need to be maintained and upgraded plan for it and do it.

 

Edit:

FYI that upgrade mentioned in the article still hasn't been completed....

Finally someone who gets it. 

[dfsdfgfkjsefoiqzemnd]

1 hour ago, LAwLz said:

Well the problem would be having 1 computer infected compared to maybe 5 computers infected. I know which scenario I'd prefer.

1 infected computer within the network is still a huge issue.  WannaCry for example didn't make it past most routers when trying to infect PCs via IP scans (because almost all routers have port 445 stealthed by default).  However if you had one infected machine on your network, the worm didn't have to pass through the firewall anymore and had access to all the PCs on the network.  So unless you are giving each machine its own zone that no other machine can see (which kinda defeats the purpose of an internal network), one infection can be enough to take down all machines that weren't patched.

[LAwLz]

24 minutes ago, Captain Chaos said:

1 infected computer within the network is still a huge issue.  WannaCry for example didn't make it past most routers when trying to infect PCs via IP scans (because almost all routers have port 445 stealthed by default).  However if you had one infected machine on your network, the worm didn't have to pass through the firewall anymore and had access to all the PCs on the network.  So unless you are giving each machine its own zone that no other machine can see (which kinda defeats the purpose of an internal network), one infection can be enough to take down all machines that weren't patched.

I am not sure why you're responding to me here. Maybe you didn't read the full conversation.

 

This is a quick summary:

Person: XP is fine if it doesn't have Internet access. You don't have to worry about outside threats if your computer can't access the outside.

Me: You still have to worry about it spreading inside your network.

Person: If you have that problem then there's more to worry about. (to me, this implies he was thinking of a person inside the network deliberately spreading malware)

Me: *Gives examples of how an innocent person might bring malware into a network without realizing it, thus making the point that you should patch your computers even if they don't have direct access to the Internet*.

 

I mean, your post is strengthening my case that yes, you do need to patch your machines even if you do not have a direct Internet connect to them. Even a single infected computer could spread to a big part of your network.

[dfsdfgfkjsefoiqzemnd]

7 minutes ago, LAwLz said:

I am not sure why you're responding to me here

Because I kinda disagree with the idea of prefering one option over the other.  Due to how easily an infection can spread once it's inside the network, the only preferable option is to have no infections at all.  But for that Microsoft would have to provide support for every OS that still runs critical devices or infrastructure (so all the way back to 3.1 and maybe earlier).  In general I do agree with you though (as usual)

[wrath]

On 6/14/2017 at 6:19 PM, LAwLz said:

OK let's stop and think logical for one minute here.

 

Why do you think that people "won't learn" now that Microsoft has released a patch? Do you honestly believe that there are people out there who has been completely without patches for around 3 years now, who were on the edge of switching, but now because two exploits (out of many many more) has been patched they will just do a 180 and keep using XP?

 

Remember, this is not Microsoft backing down and releasing patches for Windows XP again.

This is Microsoft, 3 years after they stopped releasing updates, patching two extremely large issues which could spread to people using OSes which are still supported.

The more people that are patched, the fewer computers can spread malware. It's like with vaccination. The malware needs vulnerable computers to survive, so the more that are immune the harder it will be for it to spread.

 

Besides, what do you think people "need to learn"? That running an outdated OS is a bad idea? No shit. They already know that, just like I know drinking soda is not good for me. Do I still do it? Yes. Would I think it was good news that Coca Cola changed their recipe to be less harmful to me? Absolute! But not you. You would say "what? Coca Cola is making cola which is less detrimental to peoples' health? Boo! I want people to be unhealthy! I want them to suffer so that they 'learn their lesson'!"

 

Sorry, but I want computers to be secure. Right now you are championing against security, but through some amazing mental gymnastics you somehow think that more vulnerable computers = good.

Don't get me wrong I didn't say that it's bad they released a patch and that more vulnerable computers are good ,there is no point in arguing about this.

Don't be salty it's not good for your health :))

 

[mr moose]

9 hours ago, leadeater said:

Yea I'm not writing off what you are saying is wrong or the examples aren't true but a large number of XP systems that haven't been upgraded could have been and that percentage of XP systems likely doesn't include those embedded systems as well. The actual number is likely a good few percentage more if you take in to account those types of systems which aren't networked or never go on the internet.

 

Many of the XP systems that have been upgraded could have been done in a much more timely manor, so many were left until after the end of extended support.

 

It's also very rare for an IT system crash in a hospital to cause deaths but I do get what you are saying. More for interest sake but I have witnessed one first hand and these articles don't even cover the three previous failures that were withheld from being published due to public safety and trust concerns 

 

http://www.stuff.co.nz/manawatu-standard/news/10382358/Aged-IT-training-lack-blamed-for-hospital-outages

http://www.stuff.co.nz/manawatu-standard/news/9843514/Review-studies-hospital-system-crash

http://www.stuff.co.nz/manawatu-standard/news/71048861/hospitals-3m-puzzle-about-to-be-completed.

 

The cause of the crash was due to a cascade disk failure and the reason it took so long to fix was the SAN was so old HPE didn't have parts or anyone left in our country trained in the system, they were very lucky another company still had a full working model up from it that was decommissioned but not actually thrown away. Those failures alone cost them more than what it would have cost to replace it and funding was denied simply due "It's running fine and we have more important things to spend money on", well hindsight disagrees with that assessment and lessons should be learnt from past mistakes.

 

All I'm advocating for is a culture and mindset change so this type of thing just isn't inherently accepted and treated as normal when it shouldn't be, systems need to be maintained and upgraded plan for it and do it.

 

Edit:

FYI that upgrade mentioned in the article still hasn't been completed....

 

What I read in those articles is a complete lack of investment into the infrastructure and support staff for that hospital.   This is a different situation to the issues I outlined.  That hospital could easily have avoided all those problems had (as you said) they undertaken proper planned maintenance.  The issue I am describing could not be avoided with programmed maintenance and requires full system overhauls (hardware and all) running into hundreds of millions (for IT alone) over several years.  

 

I just don't think it's fair to lump businesses that are hamstrung with legacy issues in with organisations that are just lazy/underfunded.

 

 

[leadeater]

3 hours ago, mr moose said:

 

What I read in those articles is a complete lack of investment into the infrastructure and support staff for that hospital.   This is a different situation to the issues I outlined.  That hospital could easily have avoided all those problems had (as you said) they undertaken proper planned maintenance.  The issue I am describing could not be avoided with programmed maintenance and requires full system overhauls (hardware and all) running into hundreds of millions (for IT alone) over several years.  

 

I just don't think it's fair to lump businesses that are hamstrung with legacy issues in with organisations that are just lazy/underfunded.

 

 

I know it's different that's why I said it was just for interest since there can be a ton of reasons why a company's may still be on XP, like the UK NHS for the same reason as this hospital.

 

Lack of proper funding in to IT is rather common especially in public sector but it also happens in the private sector, this is a core issue that needs to change.

 

Then there are the legacy issue claims which there most definitely are but there are others which are used as an excuse. Large and complex systems get deployed and maintained but what doesn't happen typically is upgrading from the original OS that it was deployed on even if it can because most places wait until major upgrades and do everything at once. There is no technical reason for it it's just the done thing because there is little incentive to do so and proposing such a change almost always get denied through change control systems because "risk" while putting zero weight on the need to stay up to date.

 

Change control is there to manage and control risk but is also often called the handbrake of IT often holding up or blocking simple and low risk tasks.

 

Saying legacy issue to me is nothing more than saying we haven't tried or haven't prioritized the work highly enough, if it truly is then it needs to demonstrated. This is my stance because I have heard this excuse a lot, looked in to and found no there is no technical reason the software cannot run on a newer OS they have already upgraded to the required version to do so.

 

Where I work certainly is not a poster child for the issues I'm talking about, we have had all the same problems. Being who we are means we have to deal with a much wider range of systems than most places typically would and adds a large amount of complexity to our IT systems. We have all the types of equipment brought up in this discussion because as a university that has courses in all major subject areas we also have all that equipment too.

 

We still have XP computers connected to scientific measuring equipment or that one in house written application that is critical to passing information around HR and finance systems that is on Server 2003 and the person who wrote it no longer works for us. These issues do exist but the majority were never upgraded from XP for no reason at all and then became our problem once XP extended support ended and it was identified as a risk to the university and a project created where we had to go in a force service owners to upgrade often doing all the work ourselves, remember XP extended support had already expired.

[mr moose]

2 hours ago, leadeater said:

Saying legacy issue to me is nothing more than saying we haven't tried or haven't prioritized the work highly enough, if it truly is then it needs to demonstrated.

 

 

This from a firm who specializes in CNC operations, a q&a for companies that can't upgrade their OS:

http://www.controleng.com/single-article/for-machines-that-cannot-be-upgraded-what-needs-to-change-now-that-microsoft-windows-xp-support-has-ended/ca31607ec0c97a6267c25dec3762cfeb.html

 

If the company is lucky enough to have the CNC machines made by a company that still actively supports them then you might be lucky, but many CNC run from ISA cards.  You will never get windows 10 installed on a pc that still has ISA slots.     I know this because some 8 years ago I helped a company move to new premises where they installed all new CNC machines (well over $2M worth) as upgrading the old ones was not possible.  

 

I really don't know what other evidence would make it clear that this issue is real and not just about the money.

 

 

 

[leadeater]

Just now, mr moose said:

 

I really don't know what other evidence would make it clear that this issue is real and not just about the money.

Where have I said they don't exist, I'm saying most are an excuse and are not real or were not real. Perception is the key don't let the few real ones sway you in to believing the false ones, particularly the ones that after an upgrade proved to be false.

[mr moose]

49 minutes ago, leadeater said:

Where have I said they don't exist, I'm saying most are an excuse and are not real or were not real. Perception is the key don't let the few real ones sway you in to believing the false ones, particularly the ones that after an upgrade proved to be false.

Here:

 

2 hours ago, leadeater said:

Saying legacy issue to me is nothing more than saying we haven't tried or haven't prioritized the work highly enough, if it truly is then it needs to demonstrated. This is my stance because I have heard this excuse a lot, looked in to and found no there is no technical reason the software cannot run on a newer OS they have already upgraded to the required version to do so.

I'm not going to argue about perception.  Because I have already linked to an industry website that shows this is an actual problem.    

 

If you can get an ISA emulator or USB to parallel adapter that has all the appropriate sync and clock specs for your CNC then great, They probably already have upgraded, but even in the Hobby world there are numerous posts from home enthusiasts working with legacy PC's and open source CNC software just trying to avoid the issues that arise from newer OS's, aka lack of ISA slots and native parallel ports.

 

Given it is only 5.6% XP market share (that's 112M pc's) don;t forget that many photo scan and copy stations, copy machines, interactive displays and so on run XP. It is not a stretch to assume many are not keeping XP by choice.

 

This from Cannon indicates that you can upgrade many of their XP based machines if you are willing to upgrade 90% of the machine (ram, CPU, monitor etc) while they do indicate a certain number of their products will NOT tun on anything after XP. 

https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0ahUKEwioj-q_v8HUAhWEvrwKHdfvCzEQFgg3MAM&url=https%3A%2F%2Fcsa.canon.com%2Fonline%2Fwcm%2Fconnect%2Fcsa%2F3b08dcc6-5d13-4711-a0b3-8785599188d0%2FCanon-Solutions-America-Windows-XP-End-of-Support.pdf%3FMOD%3DAJPERES&usg=AFQjCNFXUSjqj4i6IGKjLaXlmpaMBwGB4A&sig2=EycroWHr1bpvUcAtFqlT6g&cad=rja

 

I really don't know what else to say,  I have now given you two industry links to proof that there are products and machines out there that will not run on any OS after XP without major upgrades (effectively to the point of new machines) at which point a business is effectively starting from scratch again.   

[Xanthe_2871]

On 6/14/2017 at 5:38 AM, mynameisjuan said:

Please stop patching XP and let it die already. Until they stop businesses will continue to use it and risk not only their data but customers data as well. 

We still use XP at my work. My personal workstation runs Windows 7 but the central OPs PC that handles our customer records is an XP machine. We have to keep it until we can move over the data, but since it's in a proprietary file format for use by a depreciated program, we literally have to hand write the entire thing, one customer at a time, and no one's done that so far.   

[Xanthe_2871]

On 6/14/2017 at 6:40 AM, hey_yo_ said:

That's like saying the Google Nexus One is a great phone (which it was a great phone during its time), therefore Google should keep it officially updated until now. 

But, if they did that would be pretty cool, right? Supposedly that's what Windows 10 is, and any system running it today will still be kept up to date 20 years from now. Who knows if it will really be the final version. 

[Guest]

On 6/14/2017 at 10:40 PM, Abdul201588 said:

Well, some companies and school/colleges/unis tend to have XP due to hardware support. Some departments use old machines that require XP. 

Some people need as they have hardware that is supported only by XP. 

No, the majority of the time they don't have to - they simply chose to stick with it because a) it works and b) the upgrade cost to move forward is too high. Business need to pull their heads out of their ass and stop sidelining IT projects. Systems need to be maintained & upgraded. It's not a simple buy it and you're set for life - versions change, features added, support moves on. 

 

Yes, there are certain cases where an app developer has not made a version compatible with the new operating system - well shit, find a new vendor. Windows 7 has been around for 8 years and Vista for 11 - they've had that long to update their software.

 

I also understand that some hardware isn't compatible with newer OS' - either A) get new hardware or B) put it on a closed system and remove the risks of an internet connected device.

 

Microsoft should not have to support a 16 year old operating environment. That's what Apple has done so well - they're forcing you to upgrade so they can stop supporting older OS'. 

On 6/14/2017 at 10:45 PM, LAwLz said:

This is a good thing. Why are people comparing that they are releasing patches which could prevent malware outbreaks? Even if you think Windows XP is old and should be abandoned, the fact is they machines are still out there running XP. Those machines won't get updated just because Microsoft stop giving out updates, that has already been proven. So why keep patches which are already developed to themselves. 

 

It's like having the cure for AIDS, but keeping it secret because "people need to learn to have safe sex. They won't learn if I give them the cure". 

That analogy has no comparison to the XP issue - companies have simply been trying to avoid the upgrade costs by sticking with what they have already.

 

 

There is no justifiable reason for a company to maintain a Windows XP environment. Cost is not a valid reason - if you can't afford to maintain a vital business component because it's too expensive, there's something wrong with the business environment. 

[LAwLz]

6 minutes ago, Windspeed36 said:

That analogy has no comparison to the XP issue - companies have simply been trying to avoid the upgrade costs by sticking with what they have already.

 

There is no justifiable reason for a company to maintain a Windows XP environment. Cost is not a valid reason - if you can't afford to maintain a vital business component because it's too expensive, there's something wrong with the business environment. 

Of course it's a cost issue.

 

If money was not an issue then they could just shut down the entire fabric, tear it down, build an entirely new one using all the latest hardware, and none of these issues would exist. But in the real world, you can't just do that. Spending millions of dollars on machines that could be unimportant (not all XP machines store extremely sensitive info) as well as disrupting production is usually something that's avoided. The company I am at right now bought one new robot a few weeks ago and it was a major event. They have something like 15 robots in total, some of which from the 90's, and every single one is a very hefty investment. They can not afford to replace things left and right, especially not things which work. You might say there is something "wrong with the business environment" but welcome to the real world. Most companies do not shit out money.

 

What you also have to remember is that in the public sector they have a fixed budget, and every dollar spent on one thing is a dollar not spent on something else.

For example hospitals have to choose. Do we blow 500,000 dollars on a new MRI machine even though our old one works just fine, but it runs and outdated OS, or do we hire a few more personnel so that we can save the people currently in the waiting room from not dying? It's easy to assume that your area is the most important one and should take priority above all else, but that's why you have risk analysis to determine what things takes priority.

[dfsdfgfkjsefoiqzemnd]

2 hours ago, Windspeed36 said:

Microsoft should not have to support a 16 year old operating environment. That's what Apple has done so well - they're forcing you to upgrade so they can stop supporting older OS'. 

The difference of course is that there's just no important machines or infrastructure that depend on an Apple OS.  The entire world runs on Windows and Linux, Apple just doesn't have to keep such issues in mind. 

If all your customers' machines only ever are used at home or the local Starbucks, you can force obsolecense all you want without having to worry about the danger.  When people's health or lives depend on the machines that run your OS however, it's a whole other ballgame. 

 

Also they're not forcing anything, there are still plenty of people using Apple devices that don't get updates anymore. 

[Blebekblebek]

Why people arguing about this?
If it's not your problem don't make it one.

 

If MS provide support for it, so be it, why not?
Companies and government paying them to keep it together until 2019 (or whatever date limit they'll post later on)

 

Most games still won't run on XP, most softwares already bail out from XP

How is this even related to your daily activities?

[captain_to_fire]

1 minute ago, Captain Chaos said:

Also they're not forcing anything, there are still plenty of people using Apple devices that don't get updates anymore.

Definitely. But how many Mac users complain when Apple stops updating Mac OS X Lion which the 2008 polycarbonate MacBook can only run at the latest? How many iPhone users complain that Apple will cease support for 32-bit apps in the next iOS 11 update and that iPhone 5 users will no longer receive the update? 

 

It's because it's resource and manpower intensive to maintain something old instead of focusing all their efforts into something new. Can you imagine how wasteful it is for a wireless carrier who has reached 95% LTE coverage but still maintains an antiquated 2G network when they could repurpose the spectrum they use in 2G to LTE or better yet 5G? As a business, it won't give the wireless carrier any favors, it will just slowdown innovation.

[mr moose]

1 minute ago, hey_yo_ said:

Definitely. But how many Mac users complain when Apple stops updating Mac OS X Lion which the 2008 polycarbonate MacBook can only run at the latest? How many iPhone users complain that Apple will cease support for 32-bit apps in the next iOS 11 update and that iPhone 5 users will no longer receive the update? 

 

It's because it's resource and manpower intensive to maintain something old instead of focusing all their efforts into something new. Can you imagine how wasteful it is for a wireless carrier who has reached 95% LTE coverage but still maintains an antiquated 2G network when they could repurpose the spectrum they use in 2G to LTE or better yet 5G? As a business, it won't give the wireless carrier any favors, it will just slowdown innovation.

I complained when my sons gen 1 ipad wouldn't let me install the latest apps because ios was obsolete and I couldn't upgrade to the latest.

[captain_to_fire]

Just now, mr moose said:

I complained when my sons gen 1 ipad wouldn't let me install the latest apps because ios was obsolete and I couldn't upgrade to the latest.

And Apple didn't care and majority of their users just sucked it up. My iPad Air would still get the next iOS 11 but the chances of my iPad becoming unsupported in iOS 12 is highly.

[Blebekblebek]

10 minutes ago, hey_yo_ said:

Definitely. But how many Mac users complain when Apple stops updating Mac OS X Lion which the 2008 polycarbonate MacBook can only run at the latest? How many iPhone users complain that Apple will cease support for 32-bit apps in the next iOS 11 update and that iPhone 5 users will no longer receive the update? 

 

It's because it's resource and manpower intensive to maintain something old instead of focusing all their efforts into something new. Can you imagine how wasteful it is for a wireless carrier who has reached 95% LTE coverage but still maintains an antiquated 2G network when they could repurpose the spectrum they use in 2G to LTE or better yet 5G? As a business, it won't give the wireless carrier any favors, it will just slowdown innovation.

How is this even related?
 

Does Windows Software works on MAC and vice versa?

 

Also, People do complain, alot, but there's nothing they can do about it, Apple just don't care.

 

[suicidalfranco]

MS doing something good?

I'm impressed... and shocked