Solved

Where is the list of Windows XP vulnerabilities post April?

Posted on 2014-09-25
Last Modified: 2014-09-27
I did a bit of a search on the web and found *lots* of stuff about "what could happen after April 2014" to XP.
Obviously, this stuff was written in anticipation.

What's happened since?
Where's the list?
Is this another "Y2K"?  Well I doubt it.
But, how does one assess it?

I will upchuck if anyone says "don't use it".  That's a simplistic and non-responsive comment.
It's well known that there's a lot of XP remaining in use for a variety of compelling reasons.
And, Microsoft is helping some owners and not others.  
What state are the "others" in as a matter of observation and detection post April 2014?
Question by:Fred Marshall
18 Comments
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40345244
The market share of XP is dropping fast. By now only a small percentage of businesses are using it and the only reason for visible market share is consumers.

Of course it worked well in its time (which dates back over a decade and is over). There are no security updates at all for it.

So the only thing you can do is get a commercial, paid antivirus suite that still supports XP.

I do not know of any "list" because people who would create such a list have better things to do with current systems.

Sorry, but I do not know of any compelling reason to keep it. We all need to move on, including applications we use that date back a decade and a half. Most applications have new versions by now that permit an orderly upgrade.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40345353
Subscribe to the Microsoft Security Advisories; the crackers certainly do.  Every Windows update they go to work trying to reverse engineer the patch and see if they can make an exploit available.

Windows Embedded customers and those companies willing to shell out (not sure whether it is 5K or 10K) will get some updates.
0
 
LVL 70

Expert Comment

by:garycase
ID: 40345385
"... So the only thing you can do is get a commercial, paid antivirus suite that still supports XP. " ==>  This is simply not true.    There are still several free antivirus programs that support XP ... AVG, Avira, Avast, etc.     For that matter, MSE actually still works -- it just shows an "always red" status, so you have to Open it to see if there's an actual problem or just the warning about XP being obsolete (but it still updates its definitions, and provides the same level of virus protection that it does for newer OS's).

I agree, however, that there's no compelling reason to keep using XP -- especially with the very significant decline in PC pricing over the past few years, where a basic system can now be had for under $300 that easily outperforms the high-end systems of a decade ago that are likely what folks have who are still using XP.

I am not, however, aware of any "gloom and doom" stories about adverse effects to those who are still using XP.    For a basic e-mail/internet system, it still works just fine.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 40346428
The compelling reasons to continue to use XP are that there are large investments in software systems that will only run on XP.  Some companies are stuck with that situation and are paying Microsoft to continue support is my understanding.
But, I'm not interested in that argument.

My belief is that there are security experts who share vulnerability data publicly.
So I have asked this particular question.
David Johnson: Would the current Microsoft Security Advisories include XP issues these days?
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40346524
"The compelling reasons to continue to use XP are that there are large investments in software systems that will only run on XP."

Whoops!  You just fell into a black hole :)  Hopefully, you can get out.

Businesses that do not keep up find themselves in dire straits as competition whizzes by them.

ALL of my clients are making renewed investments in Servers and in Business Software. Some of these investments are expensive. But the world will change, and that is outside of your control or mine.

All of my clients are now off of XP entirely (none left). Servers are being upgraded everywhere. One client is replacing 3 systems with one expensive integrated system that runs on newer platforms and serves more people.

The compelling reason is to move forward, not stand still. It has nothing to do with XP.
0
 
LVL 70

Expert Comment

by:garycase
ID: 40346589
I'd put continued XP use in 3 categories:

(1)  Businesses who have software they can't (or don't want to)  migrate to a newer OS.

(2)  Individuals who have a system they only use for e-mail and infrequent web browsing, and simply don't want to buy a new one.   [Kind of like having an old car that's still running -- if you only drive a few hundred miles a month locally and it's still running fine, why replace it?]

(3)  Businesses that have embedded systems with proprietary hardware cards that won't work on newer hardware.   (There are a surprising number of these).   Most of the systems in this category are dedicated to manufacturing machinery;  are NOT on the internet; and thus have virtually no security risk.    They do, of course, have the problem that if the systems fail, it would be very difficult to find replacements.

I agree that those in case #1 should absolutely move forward.  

In case #2, there's no compelling reason to do so.   I know quite a few folks in this category ... most are elderly, rarely use the system;  the systems are running just fine; and they don't care about the speed (in fact most pay for minimal speed broadband connections).  

For case #3 there's no security risk; so it's simply a matter of planning for maintenance (perhaps stocking a few spare machines).    Some of these systems would cost tens of thousands to replace, so it's not nearly as simple as a business that just doesn't want to buy a new PC.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 40346824
So, if you can't answer the question as posed, maybe it's just as good to address something you do know about??
This isn't good for EE.
Sorry if I appear to be unappreciative but frankly if you don't accept the premises clearly stated, one might well find that approach objectionable.
And arrogant.... as if you know better than I what situations *I* encounter in the real world.
There is a good reason for the original question.

UPCHUCK as promised.  :-)
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40346835
First, what about David Johnson's suggestion to: subscribe to the Microsoft Security Advisories?

Second, there is no longer (to the best of my knowledge) a list of vulnerabilities for Windows 98 and it was the immediate widespread predecessor to XP.  

I have not seen a recent list of XP threats (does not mean there isn't one), but as XP dies out (machines wear out), I don't expect much of a list to be kept.

So I think we have fairly answered your question:  Most probably no current or recent list - just old lists.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 40346856
I have responded to David Johnson's suggestion with a follow up question.  Here it is again:
David Johnson: Would the current Microsoft Security Advisories include XP issues these days?

While I might agree that the population of XP systems has reduced rather considerably over the last few years and, particularly, over the last few months, there remains an important number of systems in operation.  I, for one, need to know the lay of the land for those situations.
0
 
LVL 70

Expert Comment

by:garycase
ID: 40346962
As I noted a couple of times, it's fine to keep using XP  ["... For a basic e-mail/internet system, it still works just fine "  and (referring to updating to a newer OS)  "... In case #2, there's no compelling reason to do so."]

But for business usage, where there are likely other non-technical considerations -- e.g. compliance or policy issues -- there may simply not be a choice to stay with XP without legal risk.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 40347096
There are two avenues in discussion here:
- One is philosophical and sometimes illusory.
- One is practical and real.

Indeed, there may not be a GOOD choice to stay with XP in view of compliance or policy issues.  HIPAA comes to mind.
But, I can tell you that some are making the "bad" choice in this regard.  One can but advise but when the decision is made then the support role has to deal with "what is" and not "what should be" in someone's opinion.

In other cases, already mentioned, application service providers are simply behind the curve.  So their software that's critical to operations may dictate the OS.  You want to criticize their decision then they're the ones who need to hear it.  Not that I haven't advised them.....

In other cases, already mentioned, hardware manufacturers *will not* develop new drivers - so if one is tied to expensive but old hardware, they may decide to continue on with XP or ... whichever.  Or they may decide to buy new peripherals.  Once more, it's a decision they make - even in the face of good advice.

I've had cases where printers caused old computers to stay in operation because there were no drivers available.  It wasn't what had been envisioned but it's what evolved.

I'm still supporting a DOS system because the company doesn't want to change to modern software and is doing just fine thank you.

These observations ARE NOT arguments for continuing with old stuff.
What they are are descriptions of real world situations that exist beyond our control.
I'm just trying to learn enough to be of support no matter how bad the owner's decisions may be.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40347121
Actually the non-computer literate that only read email and browse lightly are the most at risk; these are the people that say 'yes I agree' to almost any prompt without reading the fine print. These users usually have every toolbar known to man installed.

You also will not see Windows 2000 updates or security items.  You seem to want proof that Windows XP is still viable for most users and not to worry about the lack of security updates.  All it takes is one exploit that was patched in more recent versions of Windows to make your arguments non-valid.
Grab a copy of metasploit http://www.rapid7.com/products/metasploit/ or metapose
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40347131
Your points are the antithesis of what I see at clients. Old systems and old printers dumped because the world moves on.

"I'm just trying to learn enough to be of support no matter how bad the owner's decisions may be."

I use Virtual Machines for that and have old operating systems and office systems going back eons. But that is only for emergencies.

My XP system runs fine (and of course I used it) but I do not see any vulnerabilities list that is in any way current. It is what it is now with no changes to it any more.
0
 
LVL 70

Assisted Solution

by:garycase
garycase earned 250 total points
ID: 40347139
There ARE ways to keep old XP systems safe.     I have many elderly clients who simply don't want to spend more $$ on a newer system for systems they're completely happy with and don't want to replace.

I agree these can also be the most "lax" when it comes to simply "clicking" on things they shouldn't.    I solve this by setting up the system so every time it reboots, it restores itself to an image of a completely "clean" and up-to-date (as of EOL) XP system, with up-to-date virus definitions.    The user's data is maintained in a separate partition that's not impacted by this restore.     This works just fine -- and the system is always "pristine" after a reboot.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 40347993
David Johnson:
"You seem to want proof that Windows XP is still viable for most users and not to worry about the lack of security updates."
Quite the opposite David.
"All it takes is one exploit that was patched in more recent versions of Windows to make your arguments non-valid."
I'm not making such an argument.  I agree completely with the idea.
"Grab a copy of metasploit http://www.rapid7.com/products/metasploit/ or metapose"
Yes, I've used it and this seems a good idea as long as they are up-to-date re: vulnerabilities.  How about Microsoft Baseline Security Analyzer?  Any thoughts on that one?
0
 
LVL 82

Accepted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 40348043
MBSA cannot check for what it doesn't get information from ... it may report fully patched but out of lifetime.

"they are up-to-date re: vulnerabilities"
Who or what are 'They'? Metasploit has a built-in updater.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 40348081
"They" meaning Metasploit in this case.  Good to hear it's updated, etc.  Thanks
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40348119
Here is my summary of the situation here:

1. XP worked well in its day. But a decade later, it is dead and gone. You can secure it somewhat, but new found security holes will not be documented by Microsoft and will not be secured.

2. XP is a 32-bit system and is dog slow compared to new 64-bit systems with ample memory that can run rings around XP.

3. To the best of my knowledge (and I have looked) there is no current list of vulnerabilities for XP, only dated lists. That situation is not going to change.  This is the direct answer to your post.

4. Market share for XP is dropping fast.

5. Software is being written that no longer supports XP (even Vista is falling off the radar).

So, by all means use it. But businesses can no longer defend keeping it alive.
0

Question has a verified solution.