XP Systems Getting Emergency IE Zero Day Patch
msm1267 (2804139) writes "Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks specifically targeting XP users.
Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said. Researchers at FireEye, meanwhile, said multiple attackers are now using the exploit against XP machines, prompting the inclusion of XP systems in the patch."
Windows 3.1 doesn't support Windows Update.
Actually, 3.1 doesn't include Internet Explorer either, so it's not vulnerable. I don't know if 16-bit IE (I have a VM with IE 5 on 3.11) is vulnerable.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
The problem is when they get hacked, they aren't going to get rid of their machines or go offline.
They will just become one more in the zombie army, and the REST of us end up suffering.
Microsoft is doing the right thing here.
(Floppy) discs will be sent out soon for registered users.
I know right, like recalling cars out of warranty.
XP is used in many commercial products which cannot easily be replaced by the end user. For example: http://rightfast.com/index.php...
Soo... Apple is still releasing patches for OSX v10.1 "Puma", which came out the same time as XP originally... or is it that the OS X v10.5.8, the last supported OS by many of the machines from that time period (and came out between XP SP2 and SP3, to put things in perspective), is still getting security updates? Because the answer is no and no.
In fact, the oldest OSX which is still getting security updates (Lion) was released not quite three years ago. Great.
Yes, how dare they provide support for a large percentage of their userbase, rather than try to force their users to pay them more money for the latest version! Those bastards!
Seriously, I get that XP is old and there are real disadvantages to its continued use, but it's amazing to me that we've actually reached the point where MS is getting flak for not adhering strongly enough to planned obsolescence. Like, we want them to be greedier now and stop providing free updates? I'd like to believe that they'll continue supporting Win7 for quite some time. I don't particularly like the idea of forced paid upgrades, or the "subscription Windows" that everyone seems to think is coming.
I'd love it if people would start moving off of XP and onto modern OS'es, but that's not going to happen right away regardless of what MS does, and I'm not going to knock them for supporting their product long-term.
Car analogy: I told the used car dealer to stop selling that garbage and just send all his vehicles to the dump. I mean they were all from like 2007 or before! I mean seriously, who uses a car that old (except for all the retro ones that were sold up until 2012 - and those suck too. They aren't hip at all)? They don't have the latest rear view cameras and other safety equipment or anything. It is no secret if you buy the after market warranty you can get your crappy old car fixed, but if you don't it isn't my problem you can't get parts when you need them because you are a dumb poopy pants. I throw everything away because there is a newer model that surely must be better because new and shiny!
Get a web developer
Good luck getting a 15 year warranty on your car.
Or even come with a TCP/IP stack (though it's possible to add one)
That is just a merchant site, their site works regardless of what browser you are using, however, it requires Javascript since it is Ajax based. My point is there are many businesses who use products which are running on top of XP and cannot simply be replaced because Microsoft has stopped support for the OS.
It has nothing to do with intelligent IT workers; the majority of the time these purchase decisions are made outside the knowledge of IT, and the IT department is simply tasked afterwards with the support. Even if IT is involved, a lot of times politics are involved to a point where the OS is not even considered as a topic. Also, many times you have very little choice when it comes to what OS the appliance supports; you may not have a choice.
XP updates are initiated via IE.
I agree with you. I don't know one XP user that would pay for a subscription. MS is a business and for some reason the expectation is that they should continue supporting the product at no charge. Yet we don't have that expectation of anything else in life. The software world always gets shafted.
I had customers contacting me regarding a 10 year old project with a bug recently discovered. I sent them a quote to fix the issue and they asked me why I was charging to fix the software. They also told me they expected the software to work on Windows 2012 Server which I never tested... Oh well!!!
Why should they continue to spend money to support an ancient OS that no one is buying any more? They're not receiving any new revenue for it, so why should they continue to support it? Who would expect any company to continue to support obsolete products a decade or more after they were sold, without some kind of service contract? In most places, a 1 or 2-year warranty is all you can expect.
I'd rather see them stop supporting XP at all, for anyone. If people don't like that, they should switch to something else. If this is a problem for them, they should have thought about that before assuming that XP would somehow be supported for the rest of their lives.
They should support it as long as they hold copyright on it. When the support ends, it should be put in the public domain.
“He’s not deformed, he’s just drunk!”
Ironically, my laptop cost a lot more than my car.
The analogy isn't really fair, though. Your car doesn't get pulled about and poked and investigated by random wandering people throughout the entire day looking for a vulnerability. Even in a crime-ridden area. Your car isn't a guardian on the front line between all your financial, personal and secret information and the public Internet (whether you have a firewall or not, the OS is still the guardian of your data here).
And, still, cars get recalled, discontinued, or just taken off the road no matter their age. If it's not a "vintage" car, good luck as it gets older getting it to pass whatever your local roadworthiness test is, especially with shrinking emission limits and tightened safety requirements.
I speak as someone whose car is 15 years old - I wouldn't touch a PC over 4-years-old for my own use unless it was incredibly well-managed (and, yes, I manage networks for a living and have managed much older PC's adequately - I'm only two years past a XP->Windows 8, Office 2003->2013, Server 2003->Server 2012R2 upgrade, precisely because it worked and it was managed adequately, but we still couldn't carry it forever). I speak as someone who buys an "old banger" of a car every time my one won't pass the next test or starts edging out of roadworthiness, and never pays more than the cheapest of new laptops for the next one.
XP is dead. Kill it. Stop dragging it. It was good and fun while it lasted, but 7 or even 8 (with some tweaks) isn't that much of a loss at all. And I've yet to see a decent reason for a program you are using not to be updated to run on 7 (and, sorry, that matters more than anything else - the OS is irrespective if you're putting all your trust, money and maybe even life / business into an app that people can't be bothered to maintain once a decade or so).
I've put people on Ubuntu in the in-between. I've pulled Windows 8 into a system people can recognise and get along with. I've needed to support the most dumb, and the most eager, and the most knowledgeable users simultaneously.
But XP is dead. The fact that I acknowledge it is extremely telling. I never kill anything without a purpose. It's tricky to even install the fucking thing on anything approaching modern hardware (a lot of BIOS do not support legacy IDE any more, and SATA installs can be a minefield of AHCI drivers in XP).
You want to keep it? Install Linux and virtualise it. But, for fuck's sake, stop running it as the primary barrier between your personal files, local network and the Internet (no Internet firewall in the world can stop you getting infected and spewing your data OUT of the network, especially in the consumer/home use price ranges).
Apple isn't even releasing updates for Snow Leopard from 5 years ago. Which 20% of their user base is on...
Reality distortion field on.
At least switch to a non-Microsoft browser and email client - something that'll continue to get updated like Firefox, Chrome, Thunderbird, etc.
#DeleteChrome
They're not receiving any new revenue for it, so why should they continue to support it?
Because they're acting as a responsible corporate entity, maybe? It must be shocking to Apple users to see something like this, but Microsoft has actually been a relatively responsible, responsive company for a long time, now.
I don't respond to AC's.
The auto manufacturer is responsible for safety recalls for a very long time, if not forever. I've gotten safety recalls for cars that I haven't owned in years and that are way past the warranty period. I was the last known owner, so I got the letter.
This kind of thing is very much like a safety recall for cars, except it is for an operating system.
Proverbs 21:19
There are a lot of people out there who may not be able to afford better hardware, or a copy of Windows 7. Given a choice between a roof over the head versus an upgrade of Windows, I'm sure not many would choose homelessness.
Then there is the fact that a lot of XP systems cannot be upgraded, and are part of an embedded system. A friend of mine has a $9000.00 sewing machine that runs XP, and if one tries to stick W7 on it, it won't have the drivers to move the embroidery head.
Then there is software that requires XP to function. Another friend of mine has a CNC mill for 2D wood carving that he copies data to a full size PCMCIA card. The reader/writer on the computer will not work with Vista or newer, and it won't work in a VM, so it is XP or nothing.
People don't -want- to run XP... but a lot have to. Just like the guy who drives the 10 year old Honda Civic. It isn't because he is in love with the car, but that he can't afford a new car, or he has other priorities.
So whenever a company discontinues a product, they relinquish all rights they had to that product? I don't think that's how copyright or patent law works.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
It is now safe to turn off your computer.
No, but that's how it should work. But the public interest is not what copyright is about.
“He’s not deformed, he’s just drunk!”
XP is used in many commercial products which cannot easily be replaced by the end user. For example: http://rightfast.com/index.php...
I'm going to go out on a limb here and say that there's nothing wrong with XP in an embedded environment (such as in a bank's ATM). Exploits in most operating systems are almost always related to application-level attack surfaces, such as IE and Flash (as was this particular vulnerability). In a point of sale unit, there is no one surfing the web with the browser. As long as the front-facing application and hardware are properly locked down, there should be no problems. Note that Target's POS data breach was NOT done through the machines themselves, but through the backend network itself. Granted, lack of address space randomization makes it an easier target, but note carefully that the exploit discussed in the article was available on ALL platforms and IE versions, not just XP/IE6.
Where a company or user will get into trouble is if they're using Windows XP + IE6 in a user-controlled, internet-facing computer. And let's be clear here, it's been IE6 and not really XP that was the problem since the latest patches and the firewall was turned on by default. If they rely on IE6, then there's a good bet that they also rely on Flash or a Java plugin as well, and that's just tripling your attack surface, especially if they're not kept up to date as well for reasons of compatibility or laziness.
There's sort of a media feeding frenzy about Windows XP and its end-of-life. Yes, people should move on to a supported OS as soon as it's practical, but XP users can greatly reduce their risk simply by using up-to-date applications. Use Chrome or Firefox when browsing, and if possible remove Flash and Java (I actually removed Flash about half a year ago for security reasons, and found that, for the most part, I don't really need it anymore). Note that this exploit was performed with the help of Flash as well - nothing to do with XP.
Irony: Agile development has too much inertia to be abandoned now.
Why should they continue to spend money to support an ancient OS that no one is buying any more? They're not receiving any new revenue for it, so why should they continue to support it?
They are absolutely receiving revenue for it, just not directly. These users are part of the Windows total addressable market. Developers choosing to write applications and looking at which platform to choose look at this number. 30% of the Windows userbase comes from XP. If Microsoft upsets these users by letting rampant malware trash their systems, a chunk of these people may switch to e.g. Apple. Oops! Now we have more cross platform or Apple-native apps being developed because there are more users there. Microsoft does not want this to happen.
So you're saying that Dodge should be obligated to release all intellectual property associated with, say, the Magnum. Even though that same technology is used in their other vehicles. Or Sony should release everything associated with the Playstation 3 and before. I don't think you've thought this through. If a product is ultimately superseded by a different product, and thus discontinued, the manufacturer should not be obligated to release anything.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
And I want a pony.
Yes, if I own a Magnum, and Dodge refuses to support it, then I should be able to go to somebody who can and will. So, yes, Dodge should lose its exclusive privileges granted by copyright law, absolutely.
“He’s not deformed, he’s just drunk!”
After painstakingly upgrading the entire office to Windows 7 over the last few years, recommending to all friends, family and clients that they NEED to upgrade, I am somewhat conflicted.
Firstly, Microsoft is making me look like a lying dick. When I heard about this IE vulnerability, I thought "awesome! now everyone that hummed hawed and complained at me for forcing upgrades will be apologizing!". So I am pretty pissed off that they now go back on their word and still support XP making me look like I didn't know what I was talking about.
On the other hand, I do like companies stepping up and patching bugs in legacy products. So I'm not terribly sure what to feel right now.
When in doubt, be pissed off at M$ I guess! Damned if you do and damned if you don't. I guess they did the "right" thing. But for how long? Will they still be patching XP in 2025? I know a guy who still runs Windows 98 with kernel extensions or something like that. He loves it!
As a potential lottery winner, I totally support tax cuts for the wealthy
I thought Slashdot was supposed to be a geek site. It's an "out-of-cycle" patch, not an "out-of-band" one, although I assume it could be delivered out-of-band if you really wanted to (USB stick, CD, whatever.) Most users will certainly be receiving the patch in-band.
Submitters are allowed to be ignorant and make stupid mistakes; it's the job of the editors to correct those mistakes before posting a story.
Proper embedded applications using XP should be on Windows XP Embedded/ "Windows Embedded Standard 2009". WES2009 is XP based and will get security updates until 2019.