  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 222

Where is the list of Windows XP vulnerabilities post April?

I did a bit of a search on the web and found *lots* of stuff about "what could happen after April 2014" to XP.
Obviously, this stuff was written in anticipation.

What's happened since?
Where's the list?
Is this another "Y2K"?  Well I doubt it.
But, how does one assess it?

I will upchuck if anyone says "don't use it".  That's a simplistic and non-responsive comment.
It's well known that there's a lot of XP remaining in use for a variety of compelling reasons.
And, Microsoft is helping some owners and not others.  
What state are the "others" in as a matter of observation and detection post April 2014?
Fred Marshall
2 Solutions
 
John Hurst, Business Consultant (Owner), commented:
The market share of XP is dropping fast. By now only a small percentage of businesses are using it and the only reason for visible market share is consumers.

Of course it worked well in its time (which dates back over a decade and is over). There are no security updates at all for it.

So the only thing you can do is get a commercial, paid antivirus suite that still supports XP.

I do not know of any "list" because people who would create such a list have better things to do with current systems.

Sorry, but I do not know of any compelling reason to keep it. We all need to move on, including applications we use that date back a decade and a half. Most applications have new versions by now that permit an orderly upgrade.
 
David Johnson, CD, MVP, Owner, commented:
Subscribe to the Microsoft Security Advisories; the crackers certainly do. Every Windows update, they go to work trying to reverse engineer the patch and see if they can make an exploit available.

Windows Embedded customers and those companies willing to shell out (not sure whether it is 5K or 10K) will get some updates.
 
garycase commented:
"... So the only thing you can do is get a commercial, paid antivirus suite that still supports XP. " ==>  This is simply not true.    There are still several free antivirus programs that support XP ... AVG, Avira, Avast, etc.     For that matter, MSE actually still works -- it just shows an "always red" status, so you have to Open it to see if there's an actual problem or just the warning about XP being obsolete (but it still updates its definitions, and provides the same level of virus protection that it does for newer OS's).

I agree, however, that there's no compelling reason to keep using XP -- especially with the very significant decline in PC pricing over the past few years, where a basic system can now be had for under $300 that easily outperforms the high-end systems of a decade ago that are likely what folks have who are still using XP.

I am not, however, aware of any "gloom and doom" stories about adverse effects to those who are still using XP.    For a basic e-mail/internet system, it still works just fine.
 
Fred Marshall (Author) commented:
The compelling reasons to continue to use XP are that there are large investments in software systems that will only run on XP.  Some companies are stuck with that situation and are paying Microsoft to continue support is my understanding.
But, I'm not interested in that argument.

My belief is that there are security experts who share vulnerability data publicly.
So I have asked this particular question.
David Johnson: Would the current Microsoft Security Advisories include XP issues these days?
 
John Hurst, Business Consultant (Owner), commented:
"The compelling reasons to continue to use XP are that there are large investments in software systems that will only run on XP."

Whoops!  You just fell into a black hole :)  Hopefully, you can get out.

Businesses that do not keep up find themselves in dire straits as competition whizzes by them.

ALL of my clients are making renewed investments in Servers and in Business Software. Some of these investments are expensive. But the world will change, and that is outside of your control or mine.

All of my clients are now off of XP entirely (none left). Servers are being upgraded everywhere. One client is replacing 3 systems with one expensive integrated system that runs on newer platforms and serves more people.

The compelling reason is to move forward, not stand still. It has nothing to do with XP.
 
garycase commented:
I'd put continued XP use in 3 categories:

(1)  Businesses who have software they can't (or don't want to)  migrate to a newer OS.

(2)  Individuals who have a system they only use for e-mail and infrequent web browsing, and simply don't want to buy a new one.   [Kind of like having an old car that's still running -- if you only drive a few hundred miles a month locally and it's still running fine, why replace it ?]

(3)  Businesses that have embedded systems with proprietary hardware cards that won't work on newer hardware.   (There are a surprising number of these).   Most of the systems in this category are dedicated to manufacturing machinery;  are NOT on the internet; and thus have virtually no security risk.    They do, of course, have the problem that if the systems fail, it would be very difficult to find replacements.

I agree that those in case #1 should absolutely move forward.  

In case #2, there's no compelling reason to do so.   I know quite a few folks in this category ... most are elderly, rarely use the system;  the systems are running just fine; and they don't care about the speed (in fact most pay for minimal speed broadband connections).  

For case #3 there's no security risk; so it's simply a matter of planning for maintenance (perhaps stocking a few spare machines). Some of these systems would cost tens of thousands to replace, so it's not nearly as simple as a business that just doesn't want to buy a new PC.
 
Fred Marshall (Author) commented:
So, if you can't answer the question as posed, maybe it's just as good to address something you do know about??
This isn't good for EE.
Sorry if I appear to be unappreciative but frankly if you don't accept the premises clearly stated, one might well find that approach objectionable.
And arrogant.... as if you know better than I what situations *I* encounter in the real world.
There is a good reason for the original question.

UPCHUCK as promised.  :-)
 
John Hurst, Business Consultant (Owner), commented:
First, what about David Johnson's suggestion to: subscribe to the Microsoft Security Advisories?

Second, there is no longer (to the best of my knowledge) a list of vulnerabilities for Windows 98 and it was the immediate widespread predecessor to XP.  

I have not seen a recent list of XP threats (does not mean there isn't one), but as XP dies out (machines wear out), I don't expect much of a list to be kept.

So I think we have fairly answered your question:  Most probably no current or recent list - just old lists.
 
Fred Marshall (Author) commented:
I have responded to David Johnson's suggestion with a follow up question.  Here it is again:
David Johnson: Would the current Microsoft Security Advisories include XP issues these days?

While I might agree that the population of XP systems has reduced rather considerably over the last few years and, particularly, over the last few months, there remains an important number of systems in operation.  I, for one, need to know the lay of the land for those situations.
 
garycase commented:
As I noted a couple of times, it's fine to keep using XP ["... For a basic e-mail/internet system, it still works just fine" and (referring to updating to a newer OS) "... In case #2, there's no compelling reason to do so."]

But for business usage, where there are likely other non-technical considerations -- e.g. compliance or policy issues -- there may simply not be a choice to stay with XP without legal risk.
 
Fred Marshall (Author) commented:
There are two avenues in discussion here:
- One is philosophical and sometimes illusory.
- One is practical and real.

Indeed, there may not be a GOOD choice to stay with XP in view of compliance or policy issues.  HIPAA comes to mind.
But, I can tell you that some are making the "bad" choice in this regard.  One can but advise but when the decision is made then the support role has to deal with "what is" and not "what should be" in someone's opinion.

In other cases, already mentioned, application service providers are simply behind the curve.  So their software that's critical to operations may dictate the OS.  You want to criticize their decision then they're the ones who need to hear it.  Not that I haven't advised them.....

In other cases, already mentioned, hardware manufacturers *will not* develop new drivers - so if one is tied to expensive but old hardware, they may decide to continue on with XP or ... whichever.  Or they may decide to buy new peripherals.  Once more, it's a decision they make - even in the face of good advice.

I've had cases where printers caused old computers to stay in operation because there were no drivers available.  It wasn't what had been envisioned but it's what evolved.

I'm still supporting a DOS system because the company doesn't want to change to modern software and is doing just fine thank you.

These observations ARE NOT arguments for continuing with old stuff.
What they are are descriptions of real world situations that exist beyond our control.
I'm just trying to learn enough to be of support no matter how bad the owner's decisions may be.
 
David Johnson, CD, MVP, Owner, commented:
Actually, the non-computer-literate that only read email and browse lightly are the most at risk; these are the people that say 'yes I agree' to almost any prompt without reading the fine print. These users usually have every toolbar known to man installed.

You also will not see Windows 2000 updates or security items. You seem to want proof that Windows XP is still viable for most users and not to worry about the lack of security updates. All it takes is one exploit that was patched in more recent versions of Windows to make your arguments non-valid.
Grab a copy of Metasploit http://www.rapid7.com/products/metasploit/ or metapose
 
John Hurst, Business Consultant (Owner), commented:
Your points are the antithesis of what I see at clients. Old systems and old printers dumped because the world moves on.

"I'm just trying to learn enough to be of support no matter how bad the owner's decisions may be."

I use Virtual Machines for that and have old operating systems and office systems going back eons. But that is only for emergencies.

My XP system runs fine (and of course I used it) but I do not see any vulnerabilities list that is in any way current. It is what it is now, with no changes to it any more.
 
garycase commented:
There ARE ways to keep old XP systems safe.     I have many elderly clients who simply don't want to spend more $$ on a newer system for systems they're completely happy with and don't want to replace.

I agree these can also be the most "lax" when it comes to simply "clicking" on things they shouldn't.    I solve this by setting up the system so every time it reboots, it restores itself to an image of a completely "clean" and up-to-date (as of EOL) XP system, with up-to-date virus definitions.    The user's data is maintained in a separate partition that's not impacted by this restore.     This works just fine -- and the system is always "pristine" after a reboot.
 
Fred Marshall (Author) commented:
David Johnson:
"You seem to want proof that Windows XP is still viable for most users and not to worry about the lack of security updates."
Quite the opposite David.
"All it takes is one exploit that was patched in more recent versions of Windows to make your arguments non-valid."
I'm not making such an argument.  I agree completely with the idea.
"Grab a copy of Metasploit http://www.rapid7.com/products/metasploit/ or metapose"
Yes, I've used it and this seems a good idea as long as they are up-to-date re: vulnerabilities.  How about Microsoft Baseline Security Analyzer?  Any thoughts on that one?
 
David Johnson, CD, MVP, Owner, commented:
MBSA cannot check for what it doesn't get information from ... it may report fully patched but out of lifetime.

"they are up-to-date re: vulnerabilities"
Who or what are 'They'? Metasploit has a built-in updater.
 
Fred Marshall (Author) commented:
"They" meaning Metasploit in this case.  Good to hear it's updated, etc.  Thanks
 
John Hurst, Business Consultant (Owner), commented:
Here is my summary of the situation here:

1. XP worked well in its day. But a decade later, it is dead and gone. You can secure it somewhat, but newly found security holes will not be documented by Microsoft and will not be secured.

2. XP is a 32-bit system and is dog slow compared to new 64-bit systems with ample memory that can run rings around XP.

3. To the best of my knowledge (and I have looked) there is no current list of vulnerabilities for XP, only dated lists. That situation is not going to change. This is the direct answer to your post.

4. Market share for XP is dropping fast.

5. Software is being written that no longer supports XP (even Vista is falling off the radar).

So, by all means use it. But businesses can no longer defend keeping it alive.