Solved

Where is the list of Windows XP vulnerabilities post April?

Posted on 2014-09-25
Last Modified: 2014-09-27
I did a bit of a search on the web and found *lots* of stuff about "what could happen after April 2014" to XP.
Obviously, this stuff was written in anticipation.

What's happened since?
Where's the list?
Is this another "Y2K"?  Well I doubt it.
But, how does one assess it?

I will upchuck if anyone says "don't use it".  That's a simplistic and non-responsive comment.
It's well known that there's a lot of XP remaining in use for a variety of compelling reasons.
And, Microsoft is helping some owners and not others.  
What state are the "others" in as a matter of observation and detection post April 2014?
Question by: Fred Marshall
18 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 40345244
The market share of XP is dropping fast. By now only a small percentage of businesses are using it and the only reason for visible market share is consumers.

Of course it worked well in its time (which dates back over a decade and is over). There are no security updates at all for it.

So the only thing you can do is get a commercial, paid antivirus suite that still supports XP.

I do not know of any "list" because people who would create such a list have better things to do with current systems.

Sorry, but I do not know of any compelling reason to keep it. We all need to move on, including applications we use that date back a decade and a half. Most applications have new versions by now that permit an orderly upgrade.
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40345353
Subscribe to the Microsoft Security Advisories; the crackers certainly do. Every Windows update, they go to work trying to reverse engineer the patch and see if they can make an exploit available.

Windows Embedded customers and those companies willing to shell out (not sure whether it is 5K or 10K) will get some updates.
LVL 70

Expert Comment

by:garycase
ID: 40345385
"... So the only thing you can do is get a commercial, paid antivirus suite that still supports XP." ==> This is simply not true. There are still several free antivirus programs that support XP ... AVG, Avira, Avast, etc. For that matter, MSE actually still works -- it just shows an "always red" status, so you have to open it to see if there's an actual problem or just the warning about XP being obsolete (but it still updates its definitions, and provides the same level of virus protection that it does for newer OSes).

I agree, however, that there's no compelling reason to keep using XP -- especially with the very significant decline in PC pricing over the past few years, where a basic system can now be had for under $300 that easily outperforms the high-end systems of a decade ago that are likely what folks have who are still using XP.

I am not, however, aware of any "gloom and doom" stories about adverse effects to those who are still using XP.    For a basic e-mail/internet system, it still works just fine.
LVL 25

Author Comment

by:Fred Marshall
ID: 40346428
The compelling reasons to continue to use XP are that there are large investments in software systems that will only run on XP.  Some companies are stuck with that situation and are paying Microsoft to continue support is my understanding.
But, I'm not interested in that argument.

My belief is that there are security experts who share vulnerability data publicly.
So I have asked this particular question.
David Johnson: Would the current Microsoft Security Advisories include XP issues these days?
LVL 90

Expert Comment

by:John Hurst
ID: 40346524
The compelling reasons to continue to use XP are that there are large investments in software systems that will only run on XP.

Whoops!  You just fell into a black hole :)  Hopefully, you can get out.

Businesses that do not keep up find themselves in dire straits as competition whizzes by them.

ALL of my clients are making renewed investments in Servers and in Business Software. Some of these investments are expensive. But the world will change, and that is outside of your control or mine.

All of my clients are now off of XP entirely (none left). Servers are being upgraded everywhere. One client is replacing 3 systems with one expensive integrated system that runs on newer platforms and serves more people.

The compelling reason is to move forward, not stand still. It has nothing to do with XP.
LVL 70

Expert Comment

by:garycase
ID: 40346589
I'd put continued XP use in 3 categories:

(1)  Businesses who have software they can't (or don't want to)  migrate to a newer OS.

(2)  Individuals who have a system they only use for e-mail and infrequent web browsing, and simply don't want to buy a new one.   [Kind of like having an old car that's still running -- if you only drive a few hundred miles a month locally and it's still running fine, why replace it ?]

(3)  Businesses that have embedded systems with proprietary hardware cards that won't work on newer hardware.   (There are a surprising number of these).   Most of the systems in this category are dedicated to manufacturing machinery;  are NOT on the internet; and thus have virtually no security risk.    They do, of course, have the problem that if the systems fail, it would be very difficult to find replacements.

I agree that those in case #1 should absolutely move forward.  

In case #2, there's no compelling reason to do so.   I know quite a few folks in this category ... most are elderly, rarely use the system;  the systems are running just fine; and they don't care about the speed (in fact most pay for minimal speed broadband connections).  

For case #3 there's no security risk; so it's simply a matter of planning for maintenance (perhaps stocking a few spare machines). Some of these systems would cost tens of thousands to replace, so it's not nearly as simple as a business that just doesn't want to buy a new PC.
LVL 25

Author Comment

by:Fred Marshall
ID: 40346824
So, if you can't answer the question as posed, maybe it's just as good to address something you do know about??
This isn't good for EE.
Sorry if I appear to be unappreciative but frankly if you don't accept the premises clearly stated, one might well find that approach objectionable.
And arrogant.... as if you know better than I what situations *I* encounter in the real world.
There is a good reason for the original question.

UPCHUCK as promised.  :-)
LVL 90

Expert Comment

by:John Hurst
ID: 40346835
First, what about David Johnson's suggestion to: subscribe to the Microsoft Security Advisories?

Second, there is no longer (to the best of my knowledge) a list of vulnerabilities for Windows 98 and it was the immediate widespread predecessor to XP.  

I have not seen a recent list of XP threats (does not mean there isn't one), but as XP dies out (machines wear out), I don't expect much of a list to be kept.

So I think we have fairly answered your question:  Most probably no current or recent list - just old lists.
LVL 25

Author Comment

by:Fred Marshall
ID: 40346856
I have responded to David Johnson's suggestion with a follow up question.  Here it is again:
David Johnson: Would the current Microsoft Security Advisories include XP issues these days?

While I might agree that the population of XP systems has reduced rather considerably over the last few years and, particularly, over the last few months, there remains an important number of systems in operation.  I, for one, need to know the lay of the land for those situations.
LVL 70

Expert Comment

by:garycase
ID: 40346962
As I noted a couple of times, it's fine to keep using XP ["... For a basic e-mail/internet system, it still works just fine" and (referring to updating to a newer OS) "... In case #2, there's no compelling reason to do so."]

But for business usage, where there are likely other non-technical considerations -- e.g. compliance or policy issues -- there may simply not be a choice to stay with XP without legal risk.
LVL 25

Author Comment

by:Fred Marshall
ID: 40347096
There are two avenues in discussion here:
- One is philosophical and sometimes illusory.
- One is practical and real.

Indeed, there may not be a GOOD choice to stay with XP in view of compliance or policy issues.  HIPAA comes to mind.
But, I can tell you that some are making the "bad" choice in this regard.  One can but advise but when the decision is made then the support role has to deal with "what is" and not "what should be" in someone's opinion.

In other cases, already mentioned, application service providers are simply behind the curve.  So their software that's critical to operations may dictate the OS.  You want to criticize their decision then they're the ones who need to hear it.  Not that I haven't advised them.....

In other cases, already mentioned, hardware manufacturers *will not* develop new drivers - so if one is tied to expensive but old hardware, they may decide to continue on with XP or ... whichever.  Or they may decide to buy new peripherals.  Once more, it's a decision they make - even in the face of good advice.

I've had cases where printers caused old computers to stay in operation because there were no drivers available.  It wasn't what had been envisioned but it's what evolved.

I'm still supporting a DOS system because the company doesn't want to change to modern software and is doing just fine thank you.

These observations ARE NOT arguments for continuing with old stuff.
What they are are descriptions of real world situations that exist beyond our control.
I'm just trying to learn enough to be of support no matter how bad the owner's decisions may be.
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40347121
Actually, the non-computer-literate who only read email and browse lightly are the most at risk; these are the people who say 'yes, I agree' to almost any prompt without reading the fine print. These users usually have every toolbar known to man installed.

You also will not see Windows 2000 updates or security items. You seem to want proof that Windows XP is still viable for most users and not to worry about the lack of security updates. All it takes is one exploit that was patched in more recent versions of Windows to make your arguments non-valid.
Grab a copy of Metasploit http://www.rapid7.com/products/metasploit/ or metapose
LVL 90

Expert Comment

by:John Hurst
ID: 40347131
Your points are the antithesis of what I see at clients. Old systems and old printers are dumped because the world moves on.

I'm just trying to learn enough to be of support no matter how bad the owner's decisions may be.

I use Virtual Machines for that and have old operating systems and office systems going back eons. But that is only for emergencies.

My XP system runs fine (and of course I used it), but I do not see any vulnerabilities list that is in any way current. It is what it is now, with no changes to it any more.
LVL 70

Assisted Solution

by:garycase
garycase earned 250 total points
ID: 40347139
There ARE ways to keep old XP systems safe.     I have many elderly clients who simply don't want to spend more $$ on a newer system for systems they're completely happy with and don't want to replace.

I agree these can also be the most "lax" when it comes to simply "clicking" on things they shouldn't.    I solve this by setting up the system so every time it reboots, it restores itself to an image of a completely "clean" and up-to-date (as of EOL) XP system, with up-to-date virus definitions.    The user's data is maintained in a separate partition that's not impacted by this restore.     This works just fine -- and the system is always "pristine" after a reboot.
LVL 25

Author Comment

by:Fred Marshall
ID: 40347993
David Johnson:
You seem to want proof that windows xp is still viable for most users and not to worry about the lack of security updates.
Quite the opposite David.
All it takes is one exploit that was patched in more recent versions of Windows to make your arguments non-valid.
I'm not making such an argument.  I agree completely with the idea.
Grab a copy of Metasploit http://www.rapid7.com/products/metasploit/ or metapose
Yes, I've used it and this seems a good idea as long as they are up-to-date re: vulnerabilities.  How about Microsoft Baseline Security Analyzer?  Any thoughts on that one?
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 40348043
MBSA cannot check for what it doesn't get information about; it may report "fully patched" but out of lifetime.

they are up-to-date re: vulnerabilities
Who or what are 'they'? Metasploit has a built-in updater.
LVL 25

Author Comment

by:Fred Marshall
ID: 40348081
"They" meaning Metasploit in this case. Good to hear it's updated, etc. Thanks.
LVL 90

Expert Comment

by:John Hurst
ID: 40348119
Here is my summary of the situation here:

1. XP worked well in its day. But a decade later, it is dead and gone. You can secure it somewhat, but newfound security holes will not be documented by Microsoft and will not be secured.

2. XP is a 32-bit system and is dog slow compared to new 64-bit systems with ample memory that can run rings around XP.

3. To the best of my knowledge (and I have looked) there is no current list of vulnerabilities for XP, only dated lists. That situation is not going to change. This is the direct answer to your post.

4. Market share for XP is dropping fast.

5. Software is being written that no longer supports XP (even Vista is falling off the radar).

So, by all means use it. But businesses can no longer defend keeping it alive.