42 comments

[ 5.3 ms ] story [ 90.1 ms ] thread
Were they not vulnerable to hackers now and in the past?
Yes, but only until Microsoft issued a fix for any vulnerabilities discovered. After April 8th, no more fixes, just bugs that can be exploited forever.

Rumors have it that hackers are detecting and cataloging vulnerabilities that they're holding in reserve for the day Microsoft stops support for XP, after which they'll have a field day exploiting known vulnerabilities, secure in the knowledge that the errors will remain in place until the victims finally dump XP.

Not only that... The main concern is that since Vista/7/8 are derived from XP, they also share critical vulnerabilities hidden inside the core of the OS. If Microsoft stops publishing patches for XP, there is a non trivial risks that attackers will be able to look at a patch for a newer Windows version, reverse it and make an exploit that will work perfectly on XP, which won't get the security fix.
No they're not. Check the major version numbers. Windows 2000, 2003 and XP were build on version 5 of the NT kernel/architecture. Vista involved a major overhaul and was version 6. Windows 7, 8 and 8.1 are versions 6.1, 6.2, and 6.3, respectively.
Given that this site is dedicated to programmers, I'd expect you to realize that a new version of a program isn't a complete rewrite.
As much of an overhaul there may have been, it seems unlikely that NT 6.0 was started from scratch. Is there no chance vulnerable sections of the codebase carried over?
You can't make blanket statements like that. It depends on where the vulnerability is.

For example, Vista has a substantially-rewritten networking stack. A networking exploit in Vista would not necessarily translate over to XP.

On the other hand, there's a lot of legacy code around in GDI+ for decoding graphics formats. A file format exploit would be highly likely to carry over to XP.

Fair enough. I misunderstood the parent when posting that. Re-reading it and your comment, it makes more sense.

That makes me curious as to just how much legacy code still exists in Vista/7/8/8.1, and where. I guess it's time for me to do some more research.

The version numbers don't indicated complete and utter uncommonality of the code base, they just indicate points of major revisions. XP and Vista/7/8 do still share a lot of common sub-systems, code, and designs, many vulnerabilities that will be discovered and patched in currently supported versions of windows will definitely apply to XP.
> just bugs that can be exploited forever.

...or until someone else patches them; remember the WMF exploit at the end of '05? There was an "unofficial", but just as effective, patch released before Microsoft released theirs.

<sarcasm>Is that a feature or a bug built in?</sarcasm>
> The need to update computer operating systems has come at a time of major new investment in cybersecurity, including the creation of the new military U.S. Cyber Command, based at Fort Meade. But the unglamorous work of updating operating systems was a lower priority than buying expensive, high-tech systems to monitor and rebuff cyberattacks, critics said.

“Nobody is going to be promoted on the back of moving from XP to Windows 7,” said Christopher Soghoian, a computer security expert and principal technologist for the American Civil Liberties Union. “It’s so mundane but so important.”

---

Sad, but true...you'd think if there would be one sector of society in which the mundane-but-important work could be rewarded, it'd be in the government sector, where the force of law and regulation would make it a political priority, even if it will never become a glamorous role.

People might not get promoted but running a smooth transition can get a contractor quite a bit of money.

Working in government this is exactly what is happening. The XP to Win 7 transition is being run by contractors where I work.

If you wonder where older tech workers go, think 'Enterprise' in government or large non-tech companies.

I think everyone agrees that government work should be rewarded. To my (developing) understanding, the gov't is dragged down by good intentions & conflict.
I work for a non-federal US govt.

The key issue is that the economy exploded in 2008 and the PC refresh cycle ended. The other issue is that Microsoft shipped a stinker with Vista, and took the liberty of breaking lots of legacy Microsoft tech in 7.

Few big organizations actually upgrade zone rating systems... They replace the devices. Because the upgrade cycles of PCs were stopped like 5-6 years ago, getting the budget for PC replacement was very difficult. Government bean-counters like slow growth in budget lines. Going from $10M/year to $0 to $30M for a bug refresh results in poor results.

You don't need a whole pc refresh, just put in $100 solid state drives. I haven't thrown away any computers since ssd's came out.
What a great idea. I had noticed that software requirements for machines seem to have relatively plateaued (other than for GPU requirements for gaming but that's a very different matter) but if you have a dual-core system (not single core or single core hyperthreaded), I would image that shoving an SSD in is going to keep you bubbling along happy for quite some time.

Great idea.

Autocorrect mangled part of my post. The issue is that desk-side visits for OS installs or part upgrades are both expensive and error prone.

If you are outsourcing the process, you're easily looking at $250-400 of labor per unit for an asset that is worth < $100. As an added issue, you're going to have quality issues that are even more expensive to deal with.

I've been a contractor at several DHS projects over the years, and believe me, the problem is not technical; it rarely is in the government. It's not even political most of the time. It's just bad management and, mainly, poor planning. Most everyone in IT roles know keeping around XP and old IE/Outlook is bad. They really do (or maybe I'm way too optimistic)...
Website operators ought to stop serving content for XP users like they did with older version of Internet Explorer. A vulnerable computer puts everyone at risk. Maybe also point these users to a free Linux download.
Non-American governments especially should take this opportunity to switch to Linux.
Agreed. CentOS 3 will be supported forever, b*tches.
My school is still running XP for all of its desktops.
Yup. Retail stores and banks as well. There's plenty of large institutions that are using XP for day-to-day operations.

And people wonder how "easy" it is for those darn hackers to "steal info." It's easy to steal from a house with the door wide open.

1. All computers running Windows XP will be vulnerable after April 8th

2. Everyone has known about this for more than 6 years.

3. Microsoft already extended it once.

4. To the person who said this: "For all the money we collectively give Microsoft, they were not too receptive to extending the deadline. There was some grumbling that they were not willing to extend." ... A) See 1 through 3. B) You suck at your job.

I laugh-cringed at #4 when I read it in the article. I find it totally plausible for someone in the government to really say/believe this. It's pathetic, but I fear it's common enough in executive positions for some reason.

Tangentially, this is why in every project I've been at I always push for upgrading to the latest browser. Initially there is some resistance, but once in a while you meet with a gov manager, that has some pull, and will push back on IT. That's been the case at CBP. A year ago we were all supporting IE8 and cursing every minute of it. Now we're happily developing to IE11 and latest FF. Sadly it takes an adamant developer to push repeatedly for this when it should be IT itself forcing users and all developers to upgrade, if for nothing else than plain old security. I think they're "getting it" now though...

No they won't. The government will pay Microsoft lots of money to get patches just for themselves.
I fear this very utter waste of money. Someone at microsoft must be crying laughing.
The more interesting lapse will be that all those bank ATMs that run XP will also be vulnerable. Presumably some folks are saving their bestest zero day for April 9th. That said, its an effect that software has that isn't well managed yet. Companies go out of business all the time and their software which is running control processes or lumber mills or what have you stops being supported. Basically the costs get paid in bulk a bit later as computer is taken offline and the operation halted while a replacement is developed. Its going to be a very 21st century sort of phenomena. Computers with out of date software that touched everyone really only became ubiquitous around the turn of the century.
My understanding is that bank ATMs aren't on Windows XP proper, they're on Windows XP Embedded. According to this document:

https://www.microsoft.com/windowsembedded/en-us/product-life...

The equivalent end-of-support date for XP Embedded appears to be January 12, 2016 (though I don't understand the end-of-license date about a year later). And I'd have to think that that banks using XP Embedded for ATMs would be extremely likely to pay for ongoing security fixes if they still depended on it in 2016.

(comment deleted)
A very good reason to move to a Linux distro instead.

Ubuntu/RedHat/SUSE abandoned the distro? Well, hire devs to support it. You have the code.

If they didn't have the resources to upgrade from XP to something else in the last decade, what makes you think they have the resources (or knowledge) to hire developers?
> Ubuntu/RedHat/SUSE abandoned the distro? Well, hire devs to support it. You have the code.

They are too incompetent to switch from xp to vista or 7. What makes you think they could survive the transition to linux, let alone maintain a distribution?

The problem with an organization that finds it difficult to upgrade away from a 12 year old operating system is decidedly not an abundance of technical talent, and even more so not an abundance of kernel hacking talent.
Maybe it's a stupid remard, but - isn't Windows XP vulnerable as it is right now anyway?

Also, if someone is still running Windows XP in 2014, he probably doesn't use the newest updates and antivirus anyway, so his security is weak in other respects too.

> Maybe it's a stupid remard, but - isn't Windows XP vulnerable as it is right now anyway?

Yes, but until April 8th Microsoft will patch any uncovered vulnerabilities. After April 8th, hackers can have a field day because no one will patch any detected flaws. That's a big difference.

> Also, if someone is still running Windows XP in 2014, he probably doesn't use the newest updates and antivirus anyway ...

Not true, not true at all. It's too easy for a user to turn on automatic updates and run an antivirus program. My point is that one of these features will disappear 22 days from today, and hackers are going to exploit that fact to the fullest. There are even rumors that hackers are saving discovered XP vulnerabilities for use after April 8th, because they'll never be fixed and can therefore be exploited over and over.

It's more good business sense than rumour it doesn't take a genius.

People might even be ready to start hijacking automatic updates. XP uses the very old way of a custom site and some activeX to launch the update methods. MS probably wants to stop supporting that crazy old site a soon as possible.

> It's more good business sense than rumour ...

Yes, very true. This is something most people don't understand about hacking -- it's just a business, much like any other. What was once an entertainment for a bright, bored youngster is now a trade, with tools and goals.

> People might even be ready to start hijacking automatic updates.

It's my hope that Microsoft will think of a way to prevent automatic updates from being taken over by just anyone after they close down the "real thing".

Any organization with enough money can pay MS to continue to keep the patch train going, and many do. Whether or not the government will or will instead choose to upgrade or to remain vulnerable is an open question.
This is expected. Here in the UK, the National Health Service is rapidly moving away from it. When I say rapidly, a friend of mine who is an HP reseller is deploying 750 workstations a week at the moment with Windows 7 on.

The big chunk of pain though is really windows 2003 server which is EOL July 2015. People seem to have missed that one coming!

They said the same thing about 98SE when its support period ended.

I used it for several years after that, and never got infected. Ditto for my XP installation, which is approaching 8 years old.

If 98SE was any indication (Google "kernelex"), with XP's popularity and persistence being much greater, I think once again a whole "cottage industry" will form and continue to provide various bugfixes/patches and enhancements to XP for another decade or more...