XP Systems Getting Emergency IE Zero Day Patch
msm1267 (2804139) writes "Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks specifically targeting XP users.
Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said. Researchers at FireEye, meanwhile, said multiple attackers are now using the exploit against XP machines, prompting the inclusion of XP systems in the patch."
Cool, When will they patch Windows 3.1?
Oh yeah, I forgot, it's down to userbase isn't it?
for Microsoft.
Patching a dead OS just confuses users. No, really, this OS is dead except sometimes.
the problem is when they get hacked, they aren't going to get rid of their machines or go offline.
they will just become one more in the zombie army, and the REST of us end up suffering.
Microsoft is doing the right thing here.
1) Stockpile exploits for Windows XP until after Microsoft no longer releases updates for it.
2) Hack XP users.
3) Profit!
We don't have a state-run media we have a media-run state.
is like pimping a 2 dollar whore.
"XP support is over" my ass.
So it's not really that big of a deal to also update desktop XP as well.
I'm using XP on most of my desktop machines still. Whatcha gonna do 'bout it?
Glad MS has done this. It's a big and hilarious Fuck You to the HURRR BLACK HAT HAX0RS who have been sitting on vulnerabilities until last month.
XP is used in many commercial products which cannot easily be replaced by the end user. For example: http://rightfast.com/index.php...
They are not to support users. They are not to protect the internet. They are to protect commercial closed software. Richard Stallman was right about this, with closed source you are at the mercy of the company providing it. If more flaws come up, Microsoft will still patch them because otherwise users will flee to alternatives rather than newer Windows versions. Not all of them, but little by little is how you erode monopolies.
Ballmer gave his word that there would be no more updates. You can’t believe a damn thing that asshole says. This further proves that Microsoft is run by Republicans. They don’t give a fuck about their customers or the truth. Again they have proven themselves to be the most dishonest large corporation in the world.
Oh man, serves them well. When I go to that website I get "Your browser doesn't support Javascript". Seriously. The rest of the world disagrees though. If they can't make a website without depending on explorer specific js hacks it's no wonder they write software for specific OSes too.
Car analogy: I told the used car dealer to stop selling that garbage and just send all his vehicles to the dump. I mean they were all from like 2007 or before! I mean seriously, who uses a car that old (except for all the retro ones that were sold up until 2012 - and those suck too. They aren't hip at all)? They don't have the latest rear view cameras and other safety equipment or anything. It is no secret if you buy the after market warranty you can get your crappy old car fixed, but if you don't it isn't my problem you can't get parts when you need them because you are a dumb poopy pants. I throw everything away because there is a newer model that surely must be better because new and shiny!
Get a web developer
But they can be and are not bought by intelligent IT workers who review them ahead of time.
For some of us, MS Windows is only useful for legacy applications. For instance, up to this year I had a production machine running XP. It is old and cannot be upgraded to MS Windows 7 or 8, but it was running programs that I needed. I will phase out the programs and machine, but there was hardly a reason to buy a new machine. Like many other people, I do run MS Windows to do work, and when doing work something old is often good enough.
In addition, MS made a decision to push IE only web coding into the 21st century. As such there are intranet pages out there that still require IE. Again, it may not be cost effective to upgrade or replace these machines. Why should the MS business model drive the internal requirements of a small office?
No, it's easy. You only install the services you ne...
I'm sorry, I just can't keep a straight face anymore.
That is just a merchant site, their site works regardless of what browser you are using, however, it requires Javascript since it is Ajax based. My point is there are many businesses who use products which are running on top of XP and cannot simply be replaced because Microsoft has stopped support for the OS.
Look, XP is still perfectly fine for people who only read their emails and things like that. Why should they fork up $400+ for a new PC they don't need just because the current one is "old", yet works perfectly fine for their purpose?
Make sure you have a backup before you turn on "Automatic Update".
And remember, when your updated system crashes, you won't get any support from MS.
Good Luck
Wow, that's an utterly stupid analogy. No one is still selling Windows XP, and I doubt anyone cares if someone resells their old computer with XP on it. The problem is that people want Microsoft to continue issuing security patches for XP, even though no one (except for some governments) is actually paying MS for this service.
No one expects Ford or Toyota to do recalls for 20+ year old cars when safety problems are discovered. Everyone with a brain knows that quarter-century-old cars do not offer nearly the crash protection that newer cars do, but there's no push to get automakers to somehow retrofit old cars to meet modern crash standards. But somehow MS is expected to provide endless support for an ancient OS?
It has nothing to do with intelligent IT workers; the majority of the time these purchase decisions are made outside the knowledge of IT, and the IT department is simply tasked afterwards with the support. Even if IT is involved, a lot of the time politics are involved to the point where the OS is not even considered as a topic. Also, many times you have very little choice when it comes to what OS the appliance supports; you may not have a choice at all.
XP updates are initiated via IE.
Either Microsoft continues to accept responsibility for its obsolete systems, or it shall forfeit all copyrights and patents to those systems.
“He’s not deformed, he’s just drunk!”
I tried using Internet Explorer 6 on my old Windows XP computer out of curiosity but the browser kept crashing. I guess modern websites use HTML code that MSIE 6 doesn't understand properly.
even when I was able to visit some online stores, the stores told me to upgrade my web browser because MSIE 6 is no longer supported. lol
LOL at the idea IT has anything to do with purchasing. Back to school, Timmy. When you hit the real world you'll understand.
Ironically, my laptop cost a lot more than my car.
The analogy isn't really fair, though. Your car doesn't get pulled about and poked and investigated by random wandering people throughout the entire day looking for a vulnerability. Even in a crime-ridden area. Your car isn't a guardian on the front line between all your financial, personal and secret information and the public Internet (whether you have a firewall or not, the OS is still the guardian of your data here).
And, still, cars get recalled, discontinued, or just taken off the road no matter their age. If it's not a "vintage" car, good luck as it gets older getting it to pass whatever your local roadworthiness test is, especially with shrinking emission limits and tightened safety requirements.
I speak as someone whose car is 15 years old - I wouldn't touch a PC over 4 years old for my own use unless it was incredibly well-managed (and, yes, I manage networks for a living and have managed much older PCs adequately - I'm only two years past an XP->Windows 8, Office 2003->2013, Server 2003->Server 2012R2 upgrade, precisely because it worked and it was managed adequately, but we still couldn't carry it forever). I speak as someone who buys an "old banger" of a car every time my one won't pass the next test or starts edging out of roadworthiness, and never pays more than the cheapest of new laptops for the next one.
XP is dead. Kill it. Stop dragging it. It was good and fun while it lasted, but 7 or even 8 (with some tweaks) isn't that much of a loss at all. And I've yet to see a decent reason for a program you are using not to be updated to run on 7 (and, sorry, that matters more than anything else - the OS is irrespective if you're putting all your trust, money and maybe even life / business into an app that people can't be bothered to maintain once a decade or so).
I've put people on Ubuntu in the in-between. I've pulled Windows 8 into a system people can recognise and get along with. I've needed to support the most dumb, and the most eager, and the most knowledgeable users simultaneously.
But XP is dead. The fact that I acknowledge it is extremely telling. I never kill anything without a purpose. It's tricky to even install the fucking thing on anything approaching modern hardware (a lot of BIOS do not support legacy IDE any more, and SATA installs can be a minefield of AHCI drivers in XP).
You want to keep it? Install Linux and virtualise it. But, for fuck's sake, stop running it as the primary barrier between your personal files, local network and the Internet (no Internet firewall in the world can stop you getting infected and spewing your data OUT of the network, especially in the consumer/home use price ranges).
Because they chose to buy from MS. If they didn't want to be driven by the MS business model, they shouldn't have bought Windows XP in the first place. They made their choices; now they will suffer the consequences.
thanks
At least switch to a non-Microsoft browser and email client - something that'll continue to get updated like Firefox, Chrome, Thunderbird, etc.
#DeleteChrome
Switch them over to Linux, and they'll never know the difference except that they won't have to reboot several times a day.
Where's my patch?? My hardware doesn't have drivers for anything later and MSIE7 won't install onto 95.
Well, they aren't being "hacked".
A researcher is merely trying to ascertain the security level of the systems.
After finding any vulnerabilities, they will down load whatever valuable data they find and post it as an example of how insecure the system was. It's all done with the best of intentions.
If a vulnerability turns an XP machine into a zombie that can endlessly send out spam emails, for instance, it's a pretty safe bet that their ISP will simply disconnect them and won't allow them to reconnect until they are using a newer version of the OS.
File under 'M' for 'Manic ranting'
The fuck are you on about, cunt? Our household just had a safety mailout+free fix on one of our 15 year old Nissans. I don't know much about Ford nor Toyota, but Nissans aren't hipster cars, so you're not expected to landfill them after your Applecare runs out.
And expecting an old car to come up to modern safety regulations isn't the same thing as finding that it has always had a fault which would have been immediately so identified if spotted during manufacturing.
So many people angry today because MS does something responsible and impossible to attack with reason alone.
If the one they have works perfectly fine they should stop bitching about how they don't get updates.
If you think you need updates you clearly don't think your system works fine as is.
There are a lot of people out there who may not be able to afford better hardware, or a copy of Windows 7. Given a choice between a roof over the head versus an upgrade of Windows, I'm sure not many would choose homelessness.
Then there is the fact that a lot of XP systems cannot be upgraded, and are part of an embedded system. A friend of mine has a $9000.00 sewing machine that runs XP, and if one tries to stick W7 on it, it won't have the drivers to move the embroidery head.
Then there is software that requires XP to function. Another friend of mine has a CNC mill for 2D wood carving that he copies data to a full size PCMCIA card. The reader/writer on the computer will not work with Vista or newer, and it won't work in a VM, so it is XP or nothing.
People don't -want- to run XP... but a lot have to. Just like the guy who drives the 10 year old Honda Civic. It isn't because he is in love with the car, but that he can't afford a new car, or he has other priorities.
One would think if they know how to reinstall their network drivers they'd be just fine in keeping their system secure enough.
"That's right...I said it."
Microsoft is doing the right thing here.
And in the process giving XP users less reason to switch to another browser like firefox that still does receive security updates on XP.
After all, it is a hellavu lot easier to switch to a new browser than it is to switch to a new OS.
No one expects Ford or Toyota to do recalls for 20+ year old cars when safety problems are discovered.
XP was still being sold to OEMs until late in 2010, and I'd expect computers running XP were probably on the shelves until mid 2011.
So, yes, people do expect security fixes for a three-year-old computer.
I see where you are coming from. But there is an element of moral hazard to this too.
I think the last patch that Microsoft should push to XP should be a patch removing all of the networking stack.
When support is dropped, it should be put into the public domain so others can provide support.
But are you using IE or a more secure and standards-compliant browser like Firefox or Chrome?
-----
Posted from my XP machine.
XP is used in many commercial products which cannot easily be replaced by the end user. For example: http://rightfast.com/index.php...
I'm going to go out on a limb here and say that there's nothing wrong with XP in an embedded environment (such as in a bank's ATM). Exploits in most operating systems are almost always related to application-level attack surfaces, such as IE and Flash (as was this particular vulnerability). In a point of sale unit, there is no one surfing the web with the browser. As long as the front-facing application and hardware are properly locked down, there should be no problems. Note that Target's POS data breach was NOT done through the machines themselves, but through the backend network itself. Granted, lack of address space randomization makes it an easier target, but note carefully that the exploit discussed in the article was available on ALL platforms and IE versions, not just XP/IE6.
Where a company or user will get into trouble is if they're using Windows XP + IE6 in a user-controlled, internet-facing computer. And let's be clear here, it's been IE6 and not really XP that was the problem since the latest patches and the firewall was turned on by default. If they rely on IE6, then there's a good bet that they also rely on Flash or a Java plugin as well, and that's just tripling your attack surface, especially if they're not kept up to date as well for reasons of compatibility or laziness.
There's sort of a media feeding frenzy about Windows XP and it's end-of-life. Yes, people should move on to a supported OS as soon as it's practical, but XP users can greatly reduce their risk simply by using up-to-date applications. Use Chrome or Firefox when browsing, and if possible remove Flash and Java (I actually removed Flash about half a year ago for security reasons, and found that, for the most part, I don't really need it anymore). Note that this exploit was performed with the help of Flash as well - nothing to do with XP.
Irony: Agile development has too much inertia to be abandoned now.
Why should they continue to spend money to support an ancient OS that no one is buying any more? They're not receiving any new revenue for it, so why should they continue to support it?
They are absolutely receiving revenue for it, just not directly. These users are part of the Windows total addressable market. Developers choosing to write applications and looking at which platform to choose look at this number. 30% of the Windows userbase comes from XP. If Microsoft upsets these users by letting rampant malware trash their systems, a chunk of these people may switch to e.g. Apple. Oops! Now we have more cross platform or Apple-native apps being developed because there are more users there. Microsoft does not want this to happen.
Their XP end of life article read like an advertisement for their silly security software. I refuse to read their articles anymore, and so should you. I can't believe their little two-bit operation even made it into Slashdot headlines.
I thought Slashdot was supposed to be a geek site. It's an "out-of-cycle" patch, not an "out-of-band" one, although I assume it could be delivered out-of-band if you really wanted to (USB stick, CD, whatever.) Most users will certainly be receiving the patch in-band.
Submitters are allowed to be ignorant and make stupid mistakes; it's the job of the editors to correct those mistakes before posting a story.
the problem is when they get hacked, they aren't going to get rid of their machines or go offline.
they will just become one more in the zombie army, and the REST of us end up suffering.
Microsoft is doing the right thing here.
The next patch should just remove network support.
Yeah, that. And nobody sensible uses IE anyway.
They've had 12+ years to secure it. If they had done that there would be no need for emergency security updates. Everyone would be happy. MS wouldn't have to create security updates and customers would be able to use it as long as they want without having to live in fear of being compromised.
Support is not over. I believe I read that the UK government is paying in excess of 55 million or more for XP support, and the Dutch government is doing the same. If Microsoft is being paid by multiple government entities to continue to provide patches and updates for XP, why not give the general public the benefit of those patches as well? I realize that the most likely answer to that is: why should they, when what they want is everyone still using XP to go out and buy a shiny new Windows 8/8.1 PC. But at the very least, a case could be made that the citizens of those governments paying for extended support should be able to download and install those patches, since their tax dollars are paying for them. I also doubt very much that the patch Microsoft is releasing was made solely for the benefit of all users; they probably already had it done for the UK and Dutch governments (who, as I said, paid for it) and just decided to release it to the general public.
Speaking as someone who drives a 10-year-old Honda Civic, I'll have to disagree. You keep driving it because it Just Works.
(Seriously. 10 years, and the most expensive repair I've had was a set of new tires.)
The exploit has been known -- to SOMEONE -- for a while. So why did it come out of inventory all of a sudden right now? Afraid that too many valuable targets would switch off XP or install new protection? Hardly likely that XP users will really switch this year. And where did it come from anyway? Transmitted from secret MS operatives to the bad guys? NSA wants to scare people into switching? Stupid bad guys just decided to use it while it was still fresh? There are many conspiracy theory variants on this episode.
Microsoft had to issue the patch for XP, otherwise the timing might look too suspicious (whether they were involved in promulgating the exploit or not). Regardless, MS has mitigated the impact and can now say with a straight face, "See! We told you this could happen!" Next time, regardless of who may or may not be behind the exploit du jour, they really really won't be patching XP. Microsoft is now in the position they wanted. They have tried to help as much as possible, everyone has had not only a warning but a credible scare, and needs to upgrade to a new version of Windows.
(People who are running XP or DOS on embedded systems that can't be upgraded have worse problems; that's a whole other discussion.)
Proper embedded applications using XP should be on Windows XP Embedded/ "Windows Embedded Standard 2009". WES2009 is XP based and will get security updates until 2019.
Wow, that's an utterly stupid analogy. No one is still selling Windows XP, and I doubt anyone cares if someone resells their old computer with XP on it
My company paid a quarter grand for a test system that came with XP. Last year our suppliers purchased additional equipment with XP. XP was still available for new computers just a few months ago.
Wow, that's an utterly stupid analogy. No one is still selling Windows XP, and I doubt anyone cares if someone resells their old computer with XP on it.
My company paid a quarter million 6 months ago for a test system that came with XP. Our suppliers purchased other equipment with XP just last year. I bet you can find "new" XP licenses still going out the door.
Can firewalls block nodes based on what OS the sender is internally running?
It is theoretically possible, but not terribly practical. Basically, it would involve doing a port scan when you first receive a packet from a given IP, and it is possible to determine (or make an educated guess) from the results what OS a person has (or what OS they are simulating). As I said, not terribly practical.
That's not required for the ISP, however... the ISP can certainly disconnect somebody who is creating problems for their network, regardless of the OS that is being run. I've seen an ISP do this to somebody I know when their machine was turned into a zombie without their knowledge. They disconnected him, and made an attempt to contact him by telephone, leaving a message for him to call them. Once he called back, they reconnected him provisionally as long as he promised to have the issue fixed within one day, which he did, by downloading an antimalware program that was recommended by his ISP. Fortunately, in his case, it was fixable by such a program, and running the malware removal program purged the unwanted software from his computer.
But theoretically, a vulnerability could exist in XP itself that third-party software will not be able to fix, and if Microsoft were to not address it, then the aforementioned situation of people getting disconnected from their ISPs is all but certain to happen to potentially very large numbers of people.
File under 'M' for 'Manic ranting'
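The reply above says OS-based blocking would need an active port scan. The cheaper, more common version of the same idea is passive fingerprinting: guess the sender's stack from fields already present in its first TCP SYN (the IP TTL, rounded up to the nearest common initial value, and the advertised window size), the way tools such as p0f do. The following is an added example, not code from the thread or from any of those tools; the signature table is a small assumed heuristic set, the packet records are constructed inline, and the "block Windows XP" policy is hypothetical. It also shows why the reply calls this impractical: NAT, tuned stacks and anything not in the table all come back as a guess at best.

```python
"""Passive OS guess from TCP SYN metadata (added example; toy heuristics, not p0f)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Initial TTLs used by the major IP stacks (assumed heuristic; observed TTL is
# this value minus the number of router hops the packet crossed).
INITIAL_TTLS = (64, 128, 255)

# (initial_ttl, SYN window size) -> label. Assumed toy signature table; real
# fingerprint databases use many more fields (options order, MSS, DF bit ...).
SIGNATURES: Dict[Tuple[int, int], str] = {
    (128, 65535): "Windows XP/2000",
    (128, 64240): "Windows XP SP2+",
    (128, 8192):  "Windows Vista/7",
    (64, 5840):   "Linux 2.4/2.6",
    (64, 29200):  "Linux 3.x+",
    (64, 65535):  "FreeBSD/macOS",
}

# Hypothetical policy: refuse connections whose guessed OS starts with one of these.
BLOCKLIST_PREFIXES = ("Windows XP",)


@dataclass(frozen=True)
class SynInfo:
    """Fields a firewall can read from an inbound SYN without replying."""
    src: str
    ttl: int
    window: int


def infer_initial_ttl(observed_ttl: int) -> Optional[int]:
    """Round an observed TTL up to the nearest common initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None  # > 255 is not a valid IPv4 TTL; treat as unknown


def guess_os(pkt: SynInfo) -> Tuple[str, Optional[int]]:
    """Return (os_label, estimated_hop_count); 'unknown' when no signature matches."""
    initial = infer_initial_ttl(pkt.ttl)
    if initial is None:
        return ("unknown", None)
    hops = initial - pkt.ttl
    return (SIGNATURES.get((initial, pkt.window), "unknown"), hops)


def should_block(pkt: SynInfo) -> bool:
    """Apply the hypothetical blocklist to the guessed OS label."""
    label, _ = guess_os(pkt)
    return label.startswith(BLOCKLIST_PREFIXES)


# Constructed sample SYNs (documentation addresses), not captured traffic.
SAMPLE_SYNS: List[SynInfo] = [
    SynInfo("198.51.100.10", ttl=116, window=65535),  # Windows XP box, 12 hops away
    SynInfo("198.51.100.11", ttl=52,  window=29200),  # Linux box, 12 hops away
    SynInfo("198.51.100.12", ttl=243, window=4128),   # TTL 255 stack not in the table
    SynInfo("198.51.100.13", ttl=60,  window=65535),  # FreeBSD/macOS, 4 hops away
]


def triage(syns: List[SynInfo]) -> Dict[str, Tuple[str, bool]]:
    """Map each source address to (guessed OS, block decision)."""
    return {p.src: (guess_os(p)[0], should_block(p)) for p in syns}


if __name__ == "__main__":
    for src, (label, block) in triage(SAMPLE_SYNS).items():
        print(f"{src:16} {label:18} block={block}")
```

Note the failure modes visible in the sample set: a stack whose window is not in the table is "unknown" and passes, a box behind a NAT shares its fingerprint with everything else behind that NAT, and a Windows XP host with a tuned receive window or a custom initial TTL walks straight past the hypothetical block rule. That is why operators key on observed behaviour (spam volume, abuse reports), as the reply describes, rather than on a guessed OS.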
Use Chrome or Firefox when browsing, and if possible remove Flash and Java (I actually removed Flash about half a year ago for security reasons, and found that, for the most part, I don't really need it anymore). Note that this exploit was performed with the help of Flash as well - nothing to do with XP.
For those whose Flash lock-in is YouTube content (Let's Play videos), I finally found an answer to questions I'd explored months ago. We are forced to allow Flash before seeing some monetized content. It's annoying how Google refuses to give you Flash-less WebM and MP4 streams and even lies that Flash is a must -- until you force the right browser identification strings.
The Video without flash extension for firefox is a welcome solution for Youtube and some other mainstream sites known to have HTML5 video content.
The extension gets around the problem and you can use content such as mid-quality Webm. Though there are a few bad videos still, it's 100 times more effective than the rigged HTML5 "trial" youtube offers. I enjoy longer battery life. I also enjoy skipping like in olden times *without* a crippled default flash player that insists on DISCARDING the full video's past and future on *every* click.
I guess people would object less to giving up Windows XP if the plain old simple GUI was still an option. Not just the "Classic" UI in Windows 7: that one is crippled with the colour themes removed, it is absent from Windows 8.x, and the task bar has to be tweaked and feels maybe not 100% the same (I want "show desktop" on the left, not the right). Most of all, if you go that way you have that ugly-ass file manager. It's ugly and wastes space.
I used a 3rd party file manager, but it was not integrated (start menu, desktop icons or win+r will still open Windows's file manager)
If you're on XP and need internet access, you might put your browser into a Linux VM.
http://www.sirrix.com/content/pages/BitBox_en.htm
Microsoft no longer supports XP
Why do people keep saying this? It's simply untrue.
Microsoft do still support XP. The real change that has happened is that Microsoft have gone from providing free support to charging a lot of money for the same support. That's all.
but why would your friend use IE on his sewing machine? imo, XP is perfectly fine for such embedded uses, but please move on when it comes to your personal general purpose computer.
Wealth is the gift that keeps on giving.
For me this is like giving candy to a diabetic because they want it, knowing full well it's not good for them. It's not like Microsoft has not given ample opportunity and notice to XP users, and there are alternative browsers that would be much more secure on XP than IE. In the end Microsoft can be called an enabler, and has as much of a problem moving on from XP as some of its users. Yeah, it's more of a PR thing than anything else.
Of course people are still selling XP. If you go to computer shows, you can find people selling Windows 98.
What is reasonable for people to expect generally only tangentially has anything to do with what they actually DO expect. Sometimes you need to punch people in the face to get their attention, then kick them in the balls to get them to do the right thing.
Never underestimate the power of stupid people in large groups.
I drive my 13 year old Honda Civic because I'm in love with the car. :-(
Just remove MSIE and its underlying rendering engine; that's where most exploits live these days.
Netscape Navigator 4.08 actually.