
Windows XP patched to avert new outbreaks from three more NSA exploits

On 6/14/2017 at 8:32 AM, hey_yo_ said:

Windows XP is a 32-bit operating system released in 2001 and it makes no sense at the moment to keep patching it

Except that businesses are paying them a lot of money for patches for legacy OSes. Server 2003 is based off XP so they are already creating the patch for companies paying for it, all they are doing is taking the paid patch and making it public which I don't think companies should be happy with. Imagine paying thousands of dollars for a patch from a company and then a few months later they hand it out for free. It's good PR I guess.

-KuJoe


5 minutes ago, KuJoe said:

Except that businesses are paying them a lot of money for patches for legacy OSes. Server 2003 is based off XP so they are already creating the patch for companies paying for it, all they are doing is taking the paid patch and making it public which I don't think companies should be happy with. Imagine paying thousands of dollars for a patch from a company and then a few months later they hand it out for free. It's good PR I guess.

If they can pay Microsoft to patch XP/Server 2003 for them, then Microsoft shouldn't feel obligated to patch everyone else's XP computer.

There is more that meets the eye
I see the soul that is inside

 

 


1 minute ago, hey_yo_ said:

If they can pay Microsoft to patch XP/Server 2003 for them, then Microsoft shouldn't feel obligated to patch everyone's XP computer.

This is just as much Microsoft's fault as it is the NSA's. They turned their back on all customers when they gave the government the source code. 

Make sure to quote or tag me (@JoostinOnline) or I won't see your response!


Just now, hey_yo_ said:

If they can pay Microsoft to patch XP/Server 2003 for them, then Microsoft shouldn't feel obligated to patch everyone's XP computer.

And I'm sure the companies writing the check agree with you. I'm undecided how I feel about this but I figured it was worth giving more facts about this. Also another thing I just remembered is that Windows XP will receive security updates until 2019 I believe with a single registry edit so my comment was pointless since XP is still being patched even without businesses paying for it.

-KuJoe


1 minute ago, JoostinOnline said:

This is just as much Microsoft's fault as it is the NSA's. They turned their back on all customers when they gave the government the source code. 

Link to your source? This is the first time I've ever read that MS handed their source code to anybody. I'd love to read the specifics.

-KuJoe


"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


3 minutes ago, KuJoe said:

Link to your source? This is the first time I've ever read that MS handed their source code to anybody. I'd love to read the specifics.

MS has handed over their source code to many governments, it was the only way they could continue selling in many countries (specifically the EU) without facing a barrage of antitrust lawsuits.

 

https://www.geek.com/news/microsoft-to-share-source-code-with-governments-552302/

 

It's been happening for quite a while now.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 minutes ago, hey_yo_ said:

If they can pay Microsoft to patch XP/Server 2003 for them, then Microsoft shouldn't feel obligated to patch everyone else's XP computer.

I think it is mind blowing that you and other people in this thread are basically saying:

"I want people to not be safe. I want hospital equipment to be vulnerable. I don't want security patches."

 

Everyone who says this is a bad move is advocating for insecurity. You might think that you are fighting for safety, but you're not. If you were then you should be happy that more systems can now be safe. You should not get mad when a company does something good and decides to lower the risk of a massive attack spreading all around the world.

In my eyes you are even more against safety than the people who are willingly using XP. 


9 minutes ago, JoostinOnline said:

This is just as much Microsoft's fault as it is the NSA's. They turned their back on all customers when they gave the government the source code. 

I'm not an American but I know that the NSA is (or should be) working closely with US-CERT in order to alert operating system vendors like Apple, Google and Microsoft about vulnerabilities so that the said companies can release an over the air update to patch said CVEs. Unfortunately, NSA seemed to have relied too much on "security by obscurity" and worked against the interest of the American people.

 

By the way, Microsoft has long given governments access to the Windows source code since 2003. [Here]

There is more that meets the eye
I see the soul that is inside

 

 


2 minutes ago, Dabombinable said:

 

1 minute ago, mr moose said:

MS has handed over their source code to many governments, it was the only way they could continue selling in many countries (specifically the EU) without facing a barrage of antitrust lawsuits.

 

https://www.geek.com/news/microsoft-to-share-source-code-with-governments-552302/

 

It's been happening for quite a while now.

Thanks for the links, that makes a lot of sense now. I thought they were just handing it over to the NSA for laughs but they are handing it out for sales. Good on them I guess, maybe if they hand it out enough it'll finally go open source.

-KuJoe


Just now, KuJoe said:

 

Thanks for the links, that makes a lot of sense now. I thought they were just handing it over to the NSA for laughs but they are handing it out for sales. Good on them I guess, maybe if they hand it out enough it'll finally go open source.

They won't, not as long as they hold a monopoly. And due to nations/"trade" unions which have access to the source code, Windows is probably the least secure OS to ever exist. If not the least secure piece of software.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


2 minutes ago, LAwLz said:

I think it is mind blowing that you and other people in this thread are basically saying:

"I want people to not be safe. I want hospital equipment to be vulnerable. I don't want security patches."

 

Everyone who says this is a bad move is advocating for insecurity. You might think that you are fighting for safety, but you're not. If you were then you should be happy that more systems can now be safe. You should not get mad when a company does something good and decides to lower the risk of a massive attack spreading all around the world.

In my eyes you are even more against safety than the people who are willingly using XP. 

I think the problem people have is they are only releasing some patches to the public which causes people to think they are OK using an older OS because Microsoft will patch them if the vulnerability is bad enough. Now in 2019 when they end support for POS systems, they should take the XP patching servers offline for good.

-KuJoe


1 minute ago, Dabombinable said:

They won't, not as long as they hold a monopoly. And due to nations/"trade" unions which have access to the source code, Windows is probably the least secure OS to ever exist. If not the least secure piece of software.

Having access to the source code doesn't make it insecure, if it did then all Linux distros would be just as insecure.

-KuJoe


Just now, KuJoe said:

Having access to the source code doesn't make it insecure, if it did then all Linux distros would be just as insecure.

I could be wrong with this but I think the reason why Windows is so vulnerable is because of their proprietary NT kernel. 

There is more that meets the eye
I see the soul that is inside

 

 


1 minute ago, KuJoe said:

I think the problem people have is they are only releasing some patches to the public which causes people to think they are OK using an older OS because Microsoft will patch them if the vulnerability is bad enough. Now in 2019 when they end support for POS systems, they should take the XP patching servers offline for good.

Nah, the people who are still using XP are either doing it intentionally and therefore know the risks or are slack/poor/non-enthusiasts and don't care thus probably don't even know these updates were released. Either way the chances someone is thinking they are safer because MS released a handful of patches recently is highly doubtful.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Just now, mr moose said:

Nah, the people who are still using XP are either doing it intentionally and therefore know the risks or are slack/poor/non-enthusiasts and don't care thus probably don't even know these updates were released. Either way the chances someone is thinking they are safer because MS released a handful of patches recently is highly doubtful.

I think there should be a pop-up or a sign at the bottom right of the desktop or at the quick access in the taskbar that says "Your Windows version is insecure and obsolete." Kinda like the reminder when someone uses a counterfeit version of Windows but without turning the desktop black.

[Two screenshots: Windows "not genuine" notifications]

*By the way, those two screenshots are not from my computer. My copy of Windows is from Dell the OEM. ;)

There is more that meets the eye
I see the soul that is inside

 

 


2 hours ago, Windspeed36 said:

No, the majority of the time they don't have to - they simply chose to stick with it because a) it works and b) the upgrade cost to move forward is too high. Businesses need to pull their heads out of their ass and stop sidelining IT projects. Systems need to be maintained & upgraded. It's not a simple buy it and you're set for life - versions change, features added, support moves on.

 

Yes, there are certain cases where an app developer has not made a version compatible with the new operating system - well shit, find a new vendor. Windows 7 has been around for 8 years and Vista for 11 - they've had that long to update their software.

 

I also understand that some hardware isn't compatible with newer OS' - either A) get new hardware or B) put it on a closed system and remove the risks of an internet connected device.

 

Microsoft should not have to support a 16 year old operating environment. That's what Apple has done so well - they're forcing you to upgrade so they can stop supporting older OS'. 

That analogy has no comparison to the XP issue - companies have simply been trying to avoid the upgrade costs by sticking with what they have already.

 

 

There is no justifiable reason for a company to maintain a Windows XP environment. Cost is not a valid reason - if you can't afford to maintain a vital business component because it's too expensive, there's something wrong with the business environment. 

But what you forget to realise is that most companies will have these machines off the network and they don't connect to the internet. So if someone does try to infect them, only the PC gets infected and not the network. In some cases, the XP machines will have their own network, completely separate from the other main network. Yes, there is better hardware available but some small to medium businesses simply cannot afford to "upgrade" in one go.

 

EDIT: You mentioned it already. 

 

Quote

There is no justifiable reason for a company to maintain a Windows XP environment. Cost is not a valid reason - if you can't afford to maintain a vital business component because it's too expensive, there's something wrong with the business environment. 

I do agree with this. It's the small/medium companies that can afford it. 

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

 

 


15 minutes ago, hey_yo_ said:

I think there should be a pop-up or a sign at the bottom right of the desktop or at the quick access in the taskbar that says "Your Windows version is insecure and obsolete." Kinda like the reminder when someone uses a counterfeit version of Windows but without turning the desktop black.

There already is a pop-up every time you start an XP machine.  However they did give an option to not show it anymore, which is what most users probably used.

 

[Image: Windows XP end of support is on April 8th, 2014]

Just now, Captain Chaos said:

There already is a pop-up every time you start an XP machine.  However they did give an option to not show it anymore, which is what most users probably used.

 

[Image: Windows XP end of support is on April 8th, 2014]

I don't know. The last time I used an internet connected XP computer was back in 2015. It was in an internet café and I didn't see this.

There is more that meets the eye
I see the soul that is inside

 

 


13 minutes ago, Captain Chaos said:

There already is a pop-up every time you start an XP machine.  However they did give an option to not show it anymore, which is what most users probably used.

 

[Image: Windows XP end of support is on April 8th, 2014]

I miss XP

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


38 minutes ago, KuJoe said:

I think the problem people have is they are only releasing some patches to the public which causes people to think they are OK using an older OS because Microsoft will patch them if the vulnerability is bad enough. Now in 2019 when they end support for POS systems, they should take the XP patching servers offline for good.

Except that logic doesn't make any sense.

 

The people who are still on XP ran it for over 3 years without any updates. Do you really think that they were OK with running it completely without patches for 3 years, and then they were just on the edge of switching but because of these two patches they now think it is OK to keep running it? That does not happen.

 

The consumers that still run Windows XP are few and don't give a damn. They are already determined to keep using XP for one or more reasons. These two updates won't affect their decision since the previous 100 patches did not.

 

Companies that still run Windows XP are mostly aware of the risks. These companies are not idiots that don't realize XP is unsupported. They are aware of the risks but still have not upgraded for various reasons. They are aware that XP is not secure. These two patches will not affect them either, other than make them slightly more secure.

 

Is this patch even distributed through Windows update to XP? Because I find it hard to believe that you can be completely oblivious to the fact that XP is no longer supported, but at the same time read Microsoft's Windows Experience blog. I don't think people will believe "oh wow strange that I have not gotten an update for 3 years but now I've gotten two. I guess there were no issues with Windows XP at all that needed to be fixed for those 3 years!".

 

 

So no, the argument that "people will now think that XP is supported and safe!" does not hold water.


42 minutes ago, mr moose said:

I miss XP

 

Welcome to Windows XP by Microsoft, the new version of Windows that brings your PC to life. Experience the best, experience Windows XP. 

To begin the tour, click any selection.

There is more that meets the eye
I see the soul that is inside

 

 


1 hour ago, LAwLz said:

Except that logic doesn't make any sense.

 

The people who are still on XP ran it for over 3 years without any updates. Do you really think that they were OK with running it completely without patches for 3 years, and then they were just on the edge of switching but because of these two patches they now think it is OK to keep running it? That does not happen.

 

The consumers that still run Windows XP are few and don't give a damn. They are already determined to keep using XP for one or more reasons. These two updates won't affect their decision since the previous 100 patches did not.

 

Companies that still run Windows XP are mostly aware of the risks. These companies are not idiots that don't realize XP is unsupported. They are aware of the risks but still have not upgraded for various reasons. They are aware that XP is not secure. These two patches will not affect them either, other than make them slightly more secure.

 

Is this patch even distributed through Windows update to XP? Because I find it hard to believe that you can be completely oblivious to the fact that XP is no longer supported, but at the same time read Microsoft's Windows Experience blog. I don't think people will believe "oh wow strange that I have not gotten an update for 3 years but now I've gotten two. I guess there were no issues with Windows XP at all that needed to be fixed for those 3 years!".

 

 

So no, the argument that "people will now think that XP is supported and safe!" does not hold water.

Technically XP is still supported until 2019 and the people that still run XP hopefully changed the registry key so they have been receiving patches this whole time. Windows Update for XP/2003 is still alive and well. Either way, I don't have an opinion which is why I'm jumping back and forth to both sides of the fence playing devil's advocate. :)

-KuJoe


2 hours ago, hey_yo_ said:

I could be wrong with this but I think the reason why Windows is so vulnerable is because of their proprietary NT kernel. 

They aren't more vulnerable per se, they are more widely targeted because of their market share though so whether or not it was open source or proprietary wouldn't make it less of a target. Making a virus/malware/trojan for Linux/UNIX/Mac just isn't as profitable as it is for Windows.

-KuJoe
