Micro$oft will be creating hotfixes for XP for years to come

[XP Guy]

There are going to be many organizations that will keep existing
terminals running XP for years to come, and they will be paying
Macro$haft for paid / hotfix support for years to come.

I fully expect that these hotfixes will "leak" onto the web - one way or
another, and hence will be available to those of us looking for them.

What will be interesting to see is if Meekro$oft will force one final
WGA (Windoze Genuine disAdvantage) trojan into their last XP-update
session, to see if they can kill off as many "un-authorized" XP
installations as they can.

 

[DK]

There are going to be many organizations that will keep existing
terminals running XP for years to come, and they will be paying
Macro$haft for paid / hotfix support for years to come.

I fully expect that these hotfixes will "leak" onto the web - one way or
another, and hence will be available to those of us looking for them.

What will be interesting to see is if Meekro$oft will force one final
WGA (Windoze Genuine disAdvantage) trojan into their last XP-update
session, to see if they can kill off as many "un-authorized" XP
installations as they can.

That's what disk images are for. The moment anything is wrong, I can
restore the previous image in less then 5 minutes.

DK

 

[Good Guy]

There are going to be many organizations that will keep existing
terminals running XP for years to come, and they will be paying
Macro$haft for paid / hotfix support for years to come.

I fully expect that these hotfixes will "leak" onto the web - one way or
another, and hence will be available to those of us looking for them.

What will be interesting to see is if Meekro$oft will force one final
WGA (Windoze Genuine disAdvantage) trojan into their last XP-update
session, to see if they can kill off as many "un-authorized" XP
installations as they can.

I don't understand why people need hotfixes for XP when all the hotfixes
and patches over 14 years haven't made it any secure!

XP has reached its self-life and it can't be made any secure than what
it is at present. This is because of the way it was coded in the first
place. 14 years ago coding was different from what it is today.

Time to get Windows 8.1 or 8.2 from next Tuesday.

 

[Nil]

What a perfect Social Engineering ploy to get people infected.

Do NOT use leaked, unoffocial, so-called hotfixes or patches.

You got that right. Who would be so stupid? [No need to answer that,
it's a rhetorical question and I think we all know the answer.]

 

[R.Wieser]

David,

What a perfect Social Engineering ploy to get people infected.

You mean just like "get the last patches *now*" ploy from MS, so they could
infect you with their "XP is *obsolete* nagware" ? Or some time ago when
they could-and-did use their "very neccessary security updates" channel to
push WGA on the victims machines ?

Lolz.

Regards,
Rudy Wieser


-- Origional message:

 

[R.Wieser]

David,

Not even close.

Depends on how you look at it: MS'es described antics had *nothing* to do
with aiding the paying, legal user and have caused and now again will cause
troubles for them. On the other hand, those same antics have/will only
benefit MS itself. Yep, just like your garden variety of scamware. You
where talking about distrust, I suggest you also look there.

And pardon me, but spewing FUD so everyone stays in lock-step with MS looks
to me as a ploy in itself ...

Regards,
Rudy Wieser


-- Origional message:

 

[(PeteCresswell)]

Per DK:

That's what disk images are for. The moment anything is wrong, I can
restore the previous image in less then 5 minutes.

+1, except it takes me more like 20-30 minutes.

 

[XP Guy]

David,


And pardon me, but spewing FUD so everyone stays in lock-step with
MS looks to me as a ploy in itself ...

+ 10

If you don't trust any given hotfix you get your hands on, get it tested
by uploading it to VirusTotal. Hang on to it for a few weeks, test it
again. Read or ask about it on various XP-forums (such as on msfn.org).

Plenty of ways to know if it's safe / legit.

I can't tell you the number of malware types that have already used
the ploy of Masquerading as Microsoft HotFixes and Patched but the
Dumaru comes to mind.

============
This mass-mailer worm was discovered on 19th of August, 2003. Dumaru is
a file infector and a mass-mailer worm which tries to disguise itself as
a security patch coming from Microsoft. The worm drops an IRC-controlled
backdoor component to the infected system.
============

That's a really lame (and old!) example.

We all know the hundreds of gimicks used in email spam that try to
convince the recipient that the included attachment is this or that.
Those are examples of when malware is "pushed" to a target or potential
victim.

The opposite, where someone is seeking a file, and it's hosted somewhere
for widespread anonymous access, and said file is not what it claims to
be (but is instead malicious, viral, trojan, what-ever) is a far less
common and useful way to distribute malware.

And malicious examples of XP hotfixes should exist currently - if they
exist at all!

XP has been around for years - and theoretically so has the desire for
power-users to seek out and download these hotfixes - so the opportunity
to leverage that desire by hackers to plant XP hotfixes should have
already existed for many years, and now the onus is you, Dave, to show
evidence that hackers have indeed tried to distribute malicious or viral
"hotfixes" through various distribution channels (file lockers,
torrents, etc).

 

[R.Wieser]

David,

I suggest Linux or an Etch a Sketch for you.

And I suggest you step off that high horse of yours. You might fall and
hurt yourself.

Regards,
Rudy Wieser


-- Origional message:

 

[Paul]

I don't understand why people need hotfixes for XP when all the hotfixes
and patches over 14 years haven't made it any secure!

XP has reached its self-life and it can't be made any secure than what
it is at present. This is because of the way it was coded in the first
place. 14 years ago coding was different from what it is today.

Time to get Windows 8.1 or 8.2 from next Tuesday.

You get some of the benefits of later Windows, with this. EMET.
There's no reason to panic.

http://www.microsoft.com/en-us/download/details.aspx?id=41138

Paul

 

[XP Guy]

============
While users can still run XP after Tuesday, Microsoft says it will no
longer provide security updates, issue fixes to non-security related
problems or offer online technical content updates.

http://www.cleveland.com/business/i...soft_windows_xp_support_e.html#incart_m-rpt-1
============

Note the phrase "Microsoft says it will no longer ... issue fixes to
*non-security* related problems".

Microsoft will no longer issue fixes to *non-security* problems.

Leaving the door open to issue fixes for *security* problems?

Or is that their way of admitting they will be continuing to provide
paid-support hot fixes for the forseeable future?

CEO of Malwarebytes joins in and helps to spread FUD with this:

--------------
Marcin Kleczynski, CEO of Malwarebytes, says that without patches to fix
bugs in the software XP PCs will be prone to freezing up and crashing,
while the absence of updated security related protections make the
computers susceptible to hackers.

He added that future security patches released for Microsoft's newer
systems will serve as a way for hackers to reverse engineer ways to
breach now-unprotected Windows XP computers.

"It's going to be interesting to say the least," he says. "There are
plenty of black hats out there that are looking for the first
vulnerability and will be looking at Windows 7 and 8 to find those
vulnerabilities. And if you're able to find a vulnerability in XP, it's
pretty much a silver key."
-------------

And then we have the rational, sane people:

------------
Mike Eldridge, 39, of Spring Lake, Mich., says that since his computer
is currently on its last legs, he's going to cross his fingers and hope
for the best until it finally dies.

"I am worried about security threats, but I'd rather have my identity
stolen than put up with Windows 8," he says.
-----------


Now can someone explain why Macro$haft is so ****ING RETARDED as to NOT
REALIZE a golden opportunity to re-activate retail and on-line sales of
Windoze-7 for those people WHO DO NOT want to replace their hardware?

 

[Good Guy]

There are going to be many organizations that will keep existing
terminals running XP for years to come, and they will be paying
Macro$haft for paid / hotfix support for years to come.

Just heard on BBC that the British Government has signed a one year
contract with Microsoft so that Microsoft can continue developing
patches for XP for the British Government. the cost of the contract is
£5,000,000 (£5 Million pounds). Now this is throwing away good money
for bad business deal. For £5 million they could upgrade nearly 90% of
the machines in Government Offices. After all, the government is laying
off staff to cut costs so they don't need so many desktops or laptops.
<http://www.computerweekly.com/news/...m-Microsoft-deal-to-extend-Windows-XP-support>

 

[darkrats]

Not a problem if you know the right people.

There are a few trustworthy "computer geeks" who have the ability to supply
XP updates even after official support ends.
They have access to corporate accounts that will be getting extended
support, and I have no doubt that real working updates will become available
to those who know where to look.

Of course, you should download from trusted individuals/sites, and always
scan them anyway before using.

I think the whole thing about security and XP is similar to the Y2K worries.

I run XP with a good firewall, antivirus and malware scanner.
I back up my drive regularly to an external drive, so I can do a restore in
less than 10 minutes.

XP and Office 2003 will be on my working computer for years to come, until
they no longer make hardware that works with them.
Not worried about activation. There are plenty of sites where you can get
copies of XP VLK (corporate) that does not need activation.

So there you go.

 

[DK]

Per DK:

+1, except it takes me more like 20-30 minutes.

It helps to keep the boot partition small. Easy to do if you don't
let installers use default "Programs and Documents" path.

 

[J. P. Gilliver (John)]

XP has been around for years - and theoretically so has the desire for
power-users to seek out and download these hotfixes - so the opportunity
to leverage that desire by hackers to plant XP hotfixes should have
already existed for many years, and now the onus is you, Dave, to show
evidence that hackers have indeed tried to distribute malicious or viral
"hotfixes" through various distribution channels (file lockers,
torrents, etc).[/QUOTE]

Let's all calm down, shall we?

The _potential_ threat is there.

So far, no-one has _shown_ that it exists yet in practice.

That's all there is to it; either real threats will arise, or they won't
- and continuous restatement of the above two points won't change
things.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

They are public servants, so we will threat them rather as Flashman treats
servants. - Stephen Fry on some people's attitudo to the BBC, in Radio Times,
3-9 July 2010

 

[J. P. Gilliver (John)]

Marcin Kleczynski, CEO of Malwarebytes, says that without patches to fix []
He added that future security patches released for Microsoft's newer
systems will serve as a way for hackers to reverse engineer ways to
breach now-unprotected Windows XP computers.[/QUOTE]
[]
We had this last time round. After a while, it became clear that _most_
of the exploits that were derived from/designed for XP wouldn't run
under 98 (though I don't think even 98Guy could _prove_ that _none_ of
them do, as you can't prove a negative; he could perhaps claim that few
if any of those that did were actually out there in the wild, though).

While I'd argue that the _incentive_ is higher this time round, I
_suspect_ that more or less the same will happen (i. e. "patches
released for" - i. e. bugs found in! - "Microsoft's newer systems" will
require code that won't run under XP to exploit them).

But we'll have to wait to see!
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

They are public servants, so we will threat them rather as Flashman treats
servants. - Stephen Fry on some people's attitudo to the BBC, in Radio Times,
3-9 July 2010

 

[J. P. Gilliver (John)]

In message <[email protected]>, darkrats

XP and Office 2003 will be on my working computer for years to come, until
they no longer make hardware that works with them.
Not worried about activation. There are plenty of sites where you can get
copies of XP VLK (corporate) that does not need activation.

[]
Just for curiosity, did those (VLK) exist with SP2 and SP3 in them? (And
possibly more fixes?)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

They are public servants, so we will threat them rather as Flashman treats
servants. - Stephen Fry on some people's attitudo to the BBC, in Radio Times,
3-9 July 2010

 

[R.Wieser]

J.P.

The _potential_ threat is there.

True.

The problem is that someone has taken a high-intensity lightbeam and aimed
it onto a single spot, purposly(?) ignoring anything outside of the
illuminated area.

Fact is that *every* Windows OS MS has made has been on the life-sustaining
drip (currently known under the name "patch tuesday") for its whole
lifetime. In other words: *all* of them exist under a persistant threat.

Granted, when now yet another security problem will be found for XP it will
be harder to get a fix for it. On the other hand, you might see some
"hackers" come up with them -- just like they have done a few times in the
past, way before MS came with their own.

And by the way: Finding out potential problems for XP isn't that hard: just
keep informed of the bugs for Vista/7/8.x and you know the weak spots for XP
too.

As a last remark: I think I saw someone mention that the way MS stated their
"no more patches !" could well mean that *security* related patches might
still be created and available for XP. Would be a good idea, knowing that
XP currently still makes up over 25% of the OSes out there ....

Regards,
Rudy Wieser


-- Origional message:

XP has been around for years - and theoretically so has the desire for
power-users to seek out and download these hotfixes - so the opportunity
to leverage that desire by hackers to plant XP hotfixes should have
already existed for many years, and now the onus is you, Dave, to show
evidence that hackers have indeed tried to distribute malicious or viral
"hotfixes" through various distribution channels (file lockers,
torrents, etc).

Let's all calm down, shall we?

The _potential_ threat is there.

So far, no-one has _shown_ that it exists yet in practice.

That's all there is to it; either real threats will arise, or they won't
- and continuous restatement of the above two points won't change
things.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

They are public servants, so we will threat them rather as Flashman treats
servants. - Stephen Fry on some people's attitudo to the BBC, in Radio Times,
3-9 July 2010[/QUOTE]

 

[XP Guy]

While using improper usenet message composition style by top-posting and

Fact is that *every* Windows OS MS has made has been on the life-
sustaining drip (currently known under the name "patch tuesday")
for its whole lifetime.

The regular monthly patch cycle did not exist until probably 2004 (or
SP-XP2?). Windows 9x/me did not experience anything like "patch
tuesday" during their life cycle.

In other words: *all* of them exist under a persistant threat.

When MS stopped supporting Win-98 in July 2006, there was a grand total
of 33 security issues that had been identified during it's 7-year
lifespan:

=======================
Vulnerability Report: Microsoft Windows 98 Second Edition:

http://secunia.com/advisories/product/13/?task=advisories

Affected By:
33 Secunia advisories
22 Vulnerabilities

Unpatched:
9% (3 of 33 Secunia advisories)

Most Critical Unpatched:

The most severe unpatched Secunia advisory affecting Microsoft Windows
98 Second Edition, with all vendor patches applied, is rated Less
critical.
=======================

Now compare that to the most current (and probably very close to the
final tally):

Vulnerability Report: Microsoft Windows XP Professional:

========================
http://secunia.com/advisories/product/22/?task=advisories

Affected By:
446 Secunia advisories
668 Vulnerabilities

Unpatched:
10% (44 of 446 Secunia advisories)

Most Critical Unpatched: The most severe unpatched Secunia advisory
affecting Microsoft Windows XP Professional, with all vendor patches
applied, is rated Highly critical.
========================

Over the past year, the number of "Secunia" advisories for XP has been
increasing at the rate of about 2.5 per month, and the number of
vulnerabilities has been increasing at the rate of 7 per month. In Dec
2012 there was 44 unpatched vulnerabilities. That number hasn't changed
in 15 months.

The truth is that Win-9x/me has alway been harder to break into from a
remote access point vs the NT line (2k/XP etc). The term "internet
survival time" was coined as a way to measure how long it would take for
fresh install of win-2k or XP-SP0/1 to be hacked by a worm when the
computer was directly connected to the internet for the first time (with
no firewall or nat-router).

Typically, back in 2001 to 2004 your win-2k or XP system with a fresh
install would be hacked in 10 to 20 minutes - with no user intervention
or action required! In fact, unless you were behind a nat-router (which
was a new concept for residential DSL connections back 10+ years ago)
you had a hard time performing your first on-line update before your
system was hit by a network worm.

Win-9x/me was, either by design or "dumb luck", a far less vulnerable OS
in terms of it being made to reliably be tripped up by exploit code
(heap spray, buffer-over-run exploits) than the NT line. 9x/me was
never vulnerable to network worms the way NT was - because of all the
open ports and services that OS's like 2K and XP turn on by default. In
fact, the default setting for file and print sharing is enabled for XP,
but is disabled for 9x/me.

The "security" concept that is frequently mentioned with 9x vs NT is the
idea of being able to control what the local user can do with the
system, and it is true that the local user sitting at the 9x/me keyboard
has access to the entire system (all files, registry, etc).

But in terms of internet security and exposing a system to remote
exploit code, the NT line fell far short of being as invulnerable to
such exploit paths as 9x/me was, and the Secunia numbers posted above
are perfect examples of that.

Granted, when now yet another security problem will be found for
XP it will be harder to get a fix for it. On the other hand,
you might see some "hackers" come up with them -- just like they
have done a few times in the past, way before MS came with their
own.

Patches for several components of IE6-sp1 which were made available for
Win-2K during Q3 and Q4 of 2006 were found to be compatible with
Win-9x/me. Both 9x and 2K shared the same version of IE at the end of
their life, and hence those files were operational under both OS's.

I fully expect that future patches for other system files made for Vista
and Seven will be tried on Win-XP by power-users and enthusiasts, and
you will probably be able to read about their efforts on the MSFN.org
message board because there is no similar, coordinated effort or depth
of user-knowledge for XP that exists on usenet.

 

[Good Guy]

Let's all calm down, shall we?

The _potential_ threat is there.

So far, no-one has _shown_ that it exists yet in practice.

That's all there is to it; either real threats will arise, or they
won't - and continuous restatement of the above two points won't
change things.

There is more threat from Heartbleed bug then from XP not being patched.

<http://www.bbc.co.uk/news/technology-26954540>

People should get over it and move on. In any case, XP won't run on any
new machines because of lack of XP drivers for new hardware. Old
machines must have died by now.