
New Windows XP Zero-Day Under Attack

Soulskill posted about a year ago | from the escalation-of-stale-operating-system-attack dept.

Windows 241

wiredmikey writes "A new Windows kernel zero-day vulnerability is being exploited in targeted attacks against Windows XP users. Microsoft confirmed the issue and published a security advisory to acknowledge the flaw after anti-malware vendor FireEye warned that the Windows bug is being used in conjunction with an Adobe Reader exploit to infect Windows machines with malware. Microsoft described the issue as an elevation of privilege vulnerability that allows an attacker to run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."


241 comments


Upate to the most current (3, Informative)

Ken Valderrama (2899927) | about a year ago | (#45557613)

Adobe Reader - problem solved

Re:Upate to the most current (5, Funny)

Anonymous Coward | about a year ago | (#45557617)

Uninstall Adobe Reader - 2 problems solved!

Re:Upate to the most current (5, Insightful)

Anonymous Coward | about a year ago | (#45557651)

Never have an Adobe product installed in the first place - solved.

Re:Upate to the most current (2)

Ken Valderrama (2899927) | about a year ago | (#45557689)

genius!

Re:Upate to the most current (0, Informative)

Anonymous Coward | about a year ago | (#45557701)

I use Foxit on my windows box.

Re: Upate to the most current (5, Insightful)

Anonymous Coward | about a year ago | (#45557919)

Foxit is just as bloated as Adobe Reader.
Sumatra PDF is what Foxit was before becoming bloatware.

Re: Upate to the most current (1)

unixisc (2429386) | about a year ago | (#45558021)

Was it written in Java? Or Sumatra?

Re: Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558047)

lol a software hipster.

Re: Upate to the most current (1)

Black LED (1957016) | about a year ago | (#45558061)

I have a problem where Sumatra PDF opens certain PDFs very slowly, perhaps taking 30 seconds or more. It doesn't seem to be dependent upon the file size either, as some large PDFs open quickly while some small ones take forever and vice versa.

Re: Upate to the most current (2)

jones_supa (887896) | about a year ago | (#45558259)

Please do the responsible thing and file a bug report [google.com].

Re: Upate to the most current (1)

Black LED (1957016) | about a year ago | (#45558389)

I would, but I have already switched to a different reader.

Alternatives to Flash? (2)

tepples (727027) | about a year ago | (#45557779)

Never have an Adobe product installed in the first place - solved.

So other than Flash or Edge Animate, what's a good program for creating vector animations?

Re:Alternatives to Flash? (4, Funny)

Anonymous Coward | about a year ago | (#45557839)

notepad

Re:Alternatives to Flash? (0)

Anonymous Coward | about a year ago | (#45558407)

burma shave

Re:Alternatives to Flash? (1)

ArbitraryName (3391191) | about a year ago | (#45558063)

Synfig [synfig.org].

Re:Alternatives to Flash? (0)

Anonymous Coward | about a year ago | (#45558129)

Export to video and upload to YouTube

Bloat (1)

tepples (727027) | about a year ago | (#45558461)

Export

Export from what, if not Flash?

to video

I tried that. The encoded video was 10 times bigger than the SWF, which counts against the viewer's monthly download cap, and had no means for interactivity.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558075)

I used to hang on to Adobe Flash Player just in case I needed it, but ever since they started packaging some piece of McAfee bloatware with updates by default, I removed it from my system. It really hasn't impacted anything, since nobody uses Flash any more.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558171)

You can avoid downloading the McAfee bundled versions if you can change the user-agent of whatever browser you use to indicate it's running on a non-Windows platform.

Re:Upate to the most current (5, Insightful)

dreamchaser (49529) | about a year ago | (#45557619)

Upgrading the OS would be wise as well, especially since we're fast coming to the point of end of support, April 8th 2014. Windows 7 and 8.x both improved security considerably, and there are other more secure options as well such as MacOS X and the other various flavors of *nix such as Linux distributions.

Re:Upate to the most current (1, Insightful)

Joce640k (829181) | about a year ago | (#45557645)

Sure, Windows 7 fits on my EeePC. Not.

I'm not even sure it would fit on my old HP laptop - that's only got a 30Gb hard disk in it. Windows 7 would overflow that in no time.

(Yes, they're both used almost every day...)

Or I can upgrade all my perfectly-good hardware, right? Do they even make pocketable little 9" PCs any more?

Re:Upate to the most current (1)

jones_supa (887896) | about a year ago | (#45557699)

Do they even make pocketable little 9" PCs any more?

I'm still a bit upset that they stopped making those nice 8.9" and 10.1" machines. Surely they were a bit low performance but they were fun to use. Well, at least there's still the 11.6" category.

Re:Upate to the most current (4, Informative)

twnth (575721) | about a year ago | (#45557805)

Re:Upate to the most current (1)

jones_supa (887896) | about a year ago | (#45557837)

Nice!

Re:Upate to the most current (2)

0123456 (636235) | about a year ago | (#45558223)

Except:

1. It seems to be about twice the price of my old EeePC.
2. It's a tablet with attached keyboard, so, with an Atom stuffed inside, is likely to be even more poorly balanced than my ARM Transformer.

Chromebooks seem to be the real successor to netbooks, but the OS is a pain to replace.

Re:Upate to the most current (1)

Luckyo (1726890) | about a year ago | (#45558331)

Let's just say that I hope you don't offer those things to people actually using current EEE PCs. They don't have too many people that liked them which is why they got canceled in the first place. They are imho extremely uncomfortable to use, but I've heard a second opinion from my mother who would be ranking pissed if her current little baby EEE PC died and she found out there was no replacement. But those that did like them tend to be pretty fanatical and phone/tablet OS in the same form factor for people who need those ultra small and light work PCs is about as useful as a brick.

In my mom's case it is useful and loved because it's an extremely small factor full fledged PC that could run x86 software that fit into a reasonably large purse. Apparently a perfect work companion for a woman in her 50s that has to travel a lot for work and do a lot of work on demo floors of exhibitions and business negotiations and doesn't want to carry any extra weight if she can help it. Any non-Windows on x86 offering is an automatic failure here, as it wouldn't run the necessary work related software.

Re:Upate to the most current (1)

PrimeNumber (136578) | about a year ago | (#45558471)

I still have mine and it still runs linux just fine.

Re:Upate to the most current (2)

twnth (575721) | about a year ago | (#45558693)

I'm not sure that you actually looked at the item I linked to.
Asus T100 "book" is a new product, only been on the market a couple weeks (local retailers here in Alberta got their first shipment last week). It's not the old Android Transformer that you may be thinking of.
-10" 1388x768. maybe a smidge bigger than the EEE
-full Windows 8.1 32bit (not RT), comes with Office 2013 Home and Student. So it'll run just about anything
-quad core modern Atom processor, 2 gig RAM, Intel HD graphics. Office, Netflix runs just fine. BF4 won't run, but a few games might be playable (look for demos on YouTube, decide for yourself what's playable).
-comes with the keyboard, MicroSD, mini-HDMI, USB3. Ya it's a tiny keyboard, but tactile buttons make it quite usable for my small hands to touch type.
-supposed to have an 11 hour battery. Haven't clocked mine yet, but haven't had to recharge during the day yet either.

32gig model cost me $400 (Canadian), so it's a bit more than the EEE was back in the day, but still half the money of a Surface Pro (which doesn't come with the keyboard). Home and Student goes for $150 around here, so makes it a much easier pill to swallow.

I'm still getting all my tools loaded, but this is my new always handy laptop replacement. Very much what the EEE tried to be.

Re:Upate to the most current (2)

mlts (1038732) | about a year ago | (#45557841)

I'm in the same boat. I would love to have a full featured PC with a 7-8" screen that I can carry with me that I can use with a USB serial port for diagnosing router issues.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45557881)

Dell Venue Pro 8 is, well, 8 inches and $299 running full Windows.

Re:Upate to the most current (2)

dreamchaser (49529) | about a year ago | (#45558445)

I find that my Asus Transformer Prime 201 is just fine for the majority of tasks, and it works with my USB serial cable. Yes, I can console into firewalls, routers, switches, etc. with my tablet, and the fact that I have the optional keyboard dock makes it all the nicer.

Re:Upate to the most current (1)

Luckyo (1726890) | about a year ago | (#45558269)

Sadly they didn't sell all that well. I'm already dreading having to tell my mother that I won't be able to replace her beloved 10.1" EEE PC when it eventually dies. She loves the damn thing to death, and I have no idea why - it was so small and uncomfortable to use for me when I set it up but she actually got her company to pay for it and install all of her work software on it.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45557721)

I installed Windows 7 on my Eee 901 back in the day; it ran fine.

Re: Upate to the most current (-1)

Anonymous Coward | about a year ago | (#45557745)

Can't put win7 on an eee 901? Hand your card in on your way out

Re:Upate to the most current (5, Interesting)

mlts (1038732) | about a year ago | (#45557795)

For Web browsing in a VM, it is hard to beat XP for something that takes 512 MB of RAM, 16-24 gigs of disk space (partitioned into two disks, one for the system, one for scratch space for Sandboxie's sandbox). Its footprint is so light, the VM can stay resident on a box with 6-8 gigs of memory without issue, even with running fairly large applications like Acrobat [1], Photoshop, Dreamweaver, and Flash.

I use Acrobat for producing PDFs for long term storage, FoxIt for viewing. So far, so good.

Re:Upate to the most current (1, Interesting)

Billly Gates (198444) | about a year ago | (#45558747)

Try installing XP brand new on a VM.

Hint ... it won't work. The CPU will hit 100% usage and updates won't work. MS knew about this since last July and a fix has yet to be seen. Hair pulling experience. That dinosaur takes more work than installing Solaris and FreeBSD and many many days and hours of patch after patch after fix and KB just to get it semi up to date to run IE 6 (oxymoron) to make my risk-averse customers afraid of change happy.

I won't install XP again. I am done and I had to pirate another VM with it. After April I will just upgrade my RAM in my host. Adobe CS 6 products already cancelled support, IE is no longer updated, Chrome will end support soon, games coming out no longer work on DirectX 9, and the list goes on and on. Even Windows 7 is showing its age as it takes forever with updates on a fresh install and workarounds if you need to test older IE browsers.

If it were not for Metro I would have taken the $40 upgrade as Windows 7 is 5 years old since the first RCs came out! In the old days people would laugh at you for running a 5 year old OS and many here won't even move to that yet?!

Re:Upate to the most current (2)

lgw (121541) | about a year ago | (#45557801)

30GB is fine for Win 7, but you might have a lot of other stuff.

Keeping WinXP around for aging crufty hardware isn't that interesting - just throw that old worthless crap out already, this isn't the 90s where you have to hang on to the old box until you have $3000 for a new one.

OTOH, Windows is really hurting for a lightweight OS to replace XP in virtual machines. When you're trying to stack 200 virtual machines on a server, WinXP really hits a sweet spot. MS seems to have lost the ability to do "thin and lightweight" after the move to managed code.

Is WinPE good for anything here? Has anyone tried using it as a real OS?

Re:Upate to the most current (1)

mlts (1038732) | about a year ago | (#45557847)

There is always WinFLP (Windows Fundamentals for Legacy PCs), which Microsoft put out to compete with lightweight clients a few years back. Essentially it is a modified copy of XPe and doesn't have a number of features (no BlueTooth, etc.) that XP has. Another alternative is Windows Server 2003 which tends to be more lightweight than XP.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45557867)

I have a 32GB SSD. Windows 7 would not install.

Re:Upate to the most current (1)

lgw (121541) | about a year ago | (#45557961)

Just checked my gaming box and it's 40GB, but I know I've used VM images that were 20GB: wonder what we stripped out? Of course, for any small install it's important to not have a pagefile, and to turn off volume snapshotting, but that's the case on my gaming rig and it's still using 40GB.

Re:Upate to the most current (5, Informative)

ArcadeMan (2766669) | about a year ago | (#45557873)

My CNC requires a parallel port which doesn't even exist anymore and my CNC software can't run on Windows versions above XP. Are you suggesting I throw away my perfectly good CNC setup just because it's "old worthless crap"? Send me a check for $15K and I'll think about it.

Re:Upate to the most current (1)

couchslug (175151) | about a year ago | (#45557953)

I agree as I support my bud's CNC equipment.

Of course that XP machine never needs to connect to the internet.

BTW you can ditch the direct PC-to-parallel port connection if you ever wish to. These little units work a treat and tech support was outstanding. (A card in my bud's Fanuc had malfunctioned and they helped him isolate that problem though it had nothing to do with their unit.)

http://www.highlanddnc.com/ [highlanddnc.com]

"parallel port which doesn't even exist anymore"

There are plenty of parallel and serial port cards to adapt later desktops.

You can run XP etc in a VM for security if you have a machine you want to connect to the internet, then copy the code to be transferred to a shared folder on the more secure OS for transfer however you wish.

If you have any CNC gear that still uses floppies, the cheap Gotek USB adapters are plug-and-play replacements. I fitted one to my bud's EZ Trak and it works flawlessly.

Re:Upate to the most current (4, Interesting)

LoRdTAW (99712) | about a year ago | (#45558043)

It sounds like he might be running a PC based CNC system that uses a PC for control. You posted a DNC box that is for uploading programs via DNC which has always been serial. Some older PC based CNC controllers used the parallel port (especially common for stepper systems). Systems that used brushless servos typically used some type of dedicated hardware to close the servo loop and is commanded via the PC. Typically those were ISA cards with a DSP on board but also parallel based units were available.

I also support the PC based CNC systems at my place of work. The system is quite advanced and uses a real time subsystem which only supports Windows 2000/XP. One of the systems is XP and the others are Windows 2000. New software costs about 4k and depending on the drives used, may require new drives at a cost of $1700 per axis. We still have one DOS based CNC system left, an ISA/DSP card with proprietary vendor written software supported by one guy on planet earth. Since that system sees little use it is not worth the $30k+ to upgrade to a modern CNC system. And that price is just to keep the existing motors and stages, $60+k for a complete replacement.

Re:Upate to the most current (1)

tlhIngan (30335) | about a year ago | (#45558155)

There are plenty of parallel and serial port cards to adapt later desktops.

It's hard to believe, but yeah, there are tons of serial and parallel cards with PCIe interfaces on them. And if you have a laptop, ExpressCard serial and parallel ports exist too - and these aren't the chintzy USB ones (that use the USB port on the ExpressCard slot) - but use the real PCIe side of the slot and appear as a native port.

I'm just waiting for the Thunderbolt ones to come out as well - after all, it's also PCIe.

And I thought more modern CNCs have USB ports where you copy the file to a USB stick and then jam it into the USB port? Or floppy drives in the past?

(No, these CNCs don't hook to the PC via USB. They're standalone - you generate the file, copy it to a USB stick, and then plug the stick into the CNC's USB port and navigate to it.). I suppose the latest also support SD cards and the like.

Re:Upate to the most current (-1)

Anonymous Coward | about a year ago | (#45557967)

Systems need maintenance, throughout their lifetime. If you didn't bother to keep your CNC software up to date it can only mean it's not very valuable to you. If it is, you're an idiot.

None of that is Microsoft's fault.

Re:Upate to the most current (2)

epyT-R (613989) | about a year ago | (#45558085)

The most irrational bullshit ever. If the equipment works fine, leave it be. Changing software around just to bump the OS revision on high uptime equipment is a fool's game. THAT is idiocy.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558409)

Baloney. You can choose two paths with critical systems for which you wish to preserve availability and utility:
1. Build it once and never touch it. This is fine if you keep it isolated from external change and threat (it's not on a network, for instance), and if you maintain a spare or backup configuration (hardware and software) - two is one and one is none. You have to do this, not the vendor, because the vendor has no obligation or economic incentive to sustain your point-in-time solution - theirs will be progressing and responding to changes in hardware and software environments.
2. Keep it maintained and test updates - yes, you will need a spare PC or at least spare heard disk, and effort during downtime will be needed. (I'm assuming this isn't "always on" critical).

Even though I'm delighted to see people extending the lifespans of equipment, everything has a lifespan and prudent business management means you have to plan a replacement eventually, and pay the cost of maintaining it while it's in use.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558425)

"hard" disk. Doh.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558055)

I perfectly understand about old hardware. You should know, though, that parallel port cards for desktops at least still exist for PCI, and even PCI Express slots - and they are true, full parallel ports. (If someone suggests a USB/parallel adapter, run away!) I just got one to keep an old but bullet-proof printer running on Windows 7.

As for old software, you could try a virtual machine to keep Windows XP "running" on more current hardware and avoid the hassle of keeping an ancient desktop on life-support forever. (I've found that computers that sit in the same room as CNC machines tend to need constant cleaning to keep material shavings out of the inner workings.) I know some virtual machine software can provide access to PCI hardware, although it's usually not simple to set up. I haven't tried that with a PCI parallel card. Still, if you haven't checked for alternative solutions lately, check again: some options might have opened up. The biggest problem with sticking with an ancient desktop is that if the hardware dies, you might not be able to get a replacement, and then you're stuck!

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558213)

Newer CNC machines automate a lot of functions saving labor costs, which give better yields of products to the business! Paying a newbie 15 bucks an hour is a lot of money!

Re:Upate to the most current (1)

fabioalcor (1663783) | about a year ago | (#45558381)

You'd rather create a virtual machine, map your physical parallel port to the VM (it's easy in VMWare at least), turn off the VM's network adapter and install your legacy CNC software in there. Turn it on only when you need to use the CNC. Use a secure/modern OS in the physical machine.

Re:Upate to the most current (1)

NJRoadfan (1254248) | about a year ago | (#45558525)

If you are looking at desktop machines, there are motherboards being sold that still have the good old serial and parallel port headers. Laptops on the other hand...

Re:Upate to the most current (2)

The Grim Reefer (1162755) | about a year ago | (#45558205)

Keeping WinXP around for aging crufty hardware isn't that interesting - just throw that old worthless crap out already, this isn't the 90s where you have to hang on to the old box until you have $3000 for a new one.

On one hand I agree. On the other it's a little annoying that just about any system from the last 10 years, or more, has enough power to surf the web and check email. So it would be nice to keep perfectly adequate hardware out of landfills and not piss away a couple hundred bucks on a replacement.

Re:Upate to the most current (2)

Billly Gates (198444) | about a year ago | (#45558571)

Have you tried to install XP in the last 6 months in VMware?

It has the SVCHost.exe taking 100% CPU utilization bug, updates do not work, this is what happens [neowin.net]. It took a week to install XP with my host machine running very hot.

I finally found a fix of looking for a KB randomly for an IE update. MS support and googling had no answer to this but someone in a forum mentioned this fix after many many patches and fixits.

100% of all XP versions are impacted regardless of source as I assumed I had a bad .iso. The thing is the hardest OS to install compared to FreeBSD and other harder OSes due to the amount of patches, steps, and other workarounds to get IE 6 working for myself.

I accidentally lost my ISO folder and I won't miss re-installing XP. I have an XP image still backed up and will gladly just upgrade my RAM to use Windows 7 images instead when that nasty outdated dinosaur dies off.
 

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558715)

google WSUS... fast, easy, bullet proof

Re:Upate to the most current (1)

Billly Gates (198444) | about a year ago | (#45558723)

It won't work if you have a fresh VM. It will go under as well.

The trick is to find a recent IE 6 security patch. The cause is 1000+ bug fixes buffer overflowing the database.

Re:Upate to the most current (5, Insightful)

tepples (727027) | about a year ago | (#45557807)

Sure, Windows 7 fits on my EeePC. Not.

Then do like I did: install an Xfce-based Linux distribution and run Windows applications in Wine. Should Microsoft follow through on the rumored complete deprecation of the desktop in Windows 9, you'll be ready. Or you can install a larger SSD in your Eee PC and max its RAM.

Do they even make pocketable little 9" PCs any more?

I too mourned the end of netbooks [slashdot.org] . Tablets sold with a keyboard, such as the ASUS Transformer Book, are probably the closest successor.

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45557951)

Re:Upate to the most current (1)

epyT-R (613989) | about a year ago | (#45558095)

Deprecation is not always an indicator of progress, especially when 'progress' is defined subjectively.

Re:Upate to the most current (1)

DMJC (682799) | about a year ago | (#45558773)

Wine is not actually a replacement for Windows yet. It still cannot emulate DirectX 1-6 which is crucial for a lot of games and applications. Wine devs need to finish fixing the older parts of Wine before trying to run a race against DirectX 10/11/12. The way it stands now Wine is only good for a few DirectX 7-9 games.

Linux (0)

Anonymous Coward | about a year ago | (#45557927)

of course Linux will fit in there...

Re:Upate to the most current (0)

Anonymous Coward | about a year ago | (#45558233)

Do they even make pocketable little 9" PCs any more?

yes, they're just marketed as "cell phones" these days.

Re:Upate to the most current (1)

NJRoadfan (1254248) | about a year ago | (#45558505)

Windows 7 and 8 will fit on a 30GB drive without a problem.

Re: Upate to the most current (0)

DigiShaman (671371) | about a year ago | (#45557691)

Bigger problems: At least here in the US, businesses are in a mode of self-preservation due to both debt and a massive restructuring of our healthcare industry. As such, being on the cusp of going out of business, I'm finding the SMB market choosing to roll the dice on being reactive vs. proactive. If the companies lose data and productivity from malware outbreak, they were soon to go under anyways. So ya, "fuck 'it'" is right.

Re: Upate to the most current (0, Insightful)

Anonymous Coward | about a year ago | (#45557773)

Or, they don't just want to spend the money...? These corporations are sitting on wads of cash.

Remember, MBAs run these places. EVERYTHING is a "cost", the exception being their bonuses and "shareholder returns".

Re: Upate to the most current (-1)

Anonymous Coward | about a year ago | (#45557935)

No, the sky isn't falling. You are just butthurt that you didn't get the sales and support contract you wanted. Windows XP runs fine for their desired purpose and in their eyes you are the one who is attempting to rip them off by selling them a new system when they are perfectly happy with the existing system. The goal of a business is to make money, not lose money by sending more of it to pissant know it all IT neckbeard nerds

Re:Upate to the most current (3, Interesting)

cant_get_a_good_nick (172131) | about a year ago | (#45557705)

Service Pack 2, a.k.a. when XP really became stable, was way back in 2004. SP3 was back in 2008, still 5 years ago. If you think about XP being NT2000 with a nicer GUI, then the design was set way back in 1997 or so, back when dialup was king and an AOL disk was not yet a running joke.

To those that say "well my computer works fine".. umm, no it doesn't. Your OS was designed in 1997-2001, in a relatively much safer Internet environment, and is not designed for always on persistent attacks with billions of dollars available by hacking. As much as I think Microsoft keeps people out to dry, at some point you need to update.

For good and bad (and Mavericks has some things that piss me off) the Apple model of forced upgrades has some reasoning to it.

Ummm, why should it not? (0)

Anonymous Coward | about a year ago | (#45557751)

It's not like bugs are unheard of and are impossible to fix in software.

The OS still works fine.

Microsoft needs to decide whether they are going to let XP go public domain, as per contract on copyright, or to continue to support it.

After all, if they stop supporting it, can I get my money back? No? Why? "Because you've had use of the software"? Well, they've had use of my money, so we're all square on that count.

Re:Ummm, why should it not? (2, Insightful)

Anonymous Coward | about a year ago | (#45557785)

Microsoft needs to decide whether they are going to let XP go public domain, as per contract on copyright, or to continue to support it.

You have a hilariously mistaken idea of how copyrights work.

Re:Ummm, why should it not? (1)

cant_get_a_good_nick (172131) | about a year ago | (#45558081)

How many bugs are in Windows XP? You don't know, no one knows. Someone needs to do work to figure that out. Some geek needs to spend time to figure out the attack surface and see what breaks. How do you fix it? A harder question, how do you fix it without causing more problems? I've got nearly 15 years of code and machines that support XP. If you don't test, and this breaks, I'm going to be angry at Microsoft. Oh, and this is a Zero day. So I need to be FAST and RIGHT. That doesn't come cheap.

Are you going to pay for that? Are you going to pay for the geeks to fix the holes? If they don't get money, they can get money by selling these exploits to others. Are you going to pay for the matrix of testing? Think of the millions of different PCs there are. Any code change costs hundreds of thousands of dollars to test. You don't get that for free.

A bug by definition is a problem. If you admit there are bugs, you are, in effect, admitting that the OS does not work fine. You just have expectations that they will be fixed before they bite you. Either that, or maybe there's some acceptable level of infestation you're good with on your computer. That may be fine, but don't expect all other users to have the same level of comfort with it.

I don't get that last comment. If you have an old car, and the engine wears out after 10 years, you don't get the money back from GM. You either pay for the repair, or you ride the bus.

Re:Upate to the most current (1)

epyT-R (613989) | about a year ago | (#45558193)

Service Pack 2, a.k.a. when XP really became stable, was way back in 2004. SP3 was back in 2008, still 5 years ago. If you think about XP being NT2000 with a nicer GUI, then the design was set way back in 1997 or so, back when dialup was king and an AOL disk was not yet a running joke.

Argument from antiquity fallacy. Older designs are not necessarily inferior. Using your logic, I could make the same claims about BSD and Linux, since their design tenets date back even earlier than Windows NT. You also conflate GUI design with security. AOL was a joke from the beginning.. Where have you been?

To those that say "well my computer works fine".. umm, no it doesn't. Your OS was designed in 1997-2001, in a relatively much safer Internet environment, and is not designed for always on persistent attacks with billions of dollars available by hacking. As much as I think Microsoft keeps people out to dry, at some point you need to update.

So as of the last Patch Tuesday, do you think you're now secure? You'd be a fool to think so. The proof is in the next batch of patches due out next Tuesday. It's your behavior and process that has the greatest impact on your security and not whether you're running $LATEST_VERSION. Assume you're compromised from the start, and you're more apt to back up your data regularly, and simply reimage every month or so. It sure beats depending on snake oil AV, which, like vendor patches, may or may not protect you.

The threats just manifested differently back then. It's still the same concept of a payloader and a drop. The only difference is that now payloaders are also written in javascript. If anything, it's today's up to date scriptable browsers that have caused security to get worse. If you care about security, you'll vouch for the death of javascript and similar technologies. This will do a lot more for security than making users think they're safer just because they've got the latest version of something.

Re:Upate to the most current (1)

Billly Gates (198444) | about a year ago | (#45558589)

I think you should learn about exploits as your rant on javascript is an IE 6 issue. Modern browsers have sandboxing to prevent things from just running. You need to exploit the language, then the sandbox, and DSLR or DEP in Windows 7/8 to gain an exploit. Not impossible but much more difficult than in XP which does not have the later security defenses as it was designed in a world of AOL in a trusted network and security meant a good password.

Change can be hard and the only reason to use XP is the fear of change because you are familiar and then find a reason why not to upgrade. XP has been shown to be 600% more likely to be infected than Windows 8.

Re:Upate to the most current (1)

Anonymous Coward | about a year ago | (#45558759)

I think you should learn about exploits as your rant on javascript is an IE 6 issue. Modern browsers have sandboxing to prevent things from just running.

And yet exploits are still common.

You need to exploit the language, then the sandbox, and DSLR or DEP in Windows 7/8 to gain an exploit. Not impossible but much more difficult than in XP which does not have the later security defenses as it was designed in a world of AOL in a trusted network and security meant a good password.

XP SP2+ has ASLR and DEP. Further, a long standing point of IE was that after fixing the directly exploitable bugs was using multiple bugs together to reach an exploit. And as stated above, exploits that bypass the sandbox and ASLR/DEP are in the wild. As much as it's "more work" to bypass more layers, the fundamental fact is that those layers can be bypassed pretty regularly so the barrier raised isn't nearly that much as stated. Besides that, who uses IE 6 again? And what protects you in Windows 8 if you try to run IE 6? No, you're in the same boat if you run legacy user software.

Change can be hard and the only reason to use XP is the fear of change because you are familiar and then find a reason why not to upgrade. XP has been shown to be 600% more likely to be infected than Windows 8.

Or you have a working Windows XP system that is malware free* and you don't want to (1) spend money to "fix" something that isn't broken, (2) deal with all the hassle of an upgrade (you have to plan for the worst and the worst can be very time consuming), and (3) you can be left with a system that's noticeably slower in just about every operation (a clean install may fix that**, but that's even more time consuming). As for the "600% more likely to be infected"....is that on a comparative collection of up-to-date systems or one of those things where they compare 10 year old XP systems that were infected 7 years ago and still no one has bothered to take them offline? Because I think you can get similar skewed results with Linux.

Now, there will be a time when you won't receive updates and people should prepare for that day. But, that leaves months to decide on when to do the upgrade or to switch to another platform. Personally, I'd suggest a version of *nix or *BSD that does rolling upgrades to avoid the hassle of big, bulk changes. It introduces more risk to have rolling upgrades of various packages, but then it's usually easier to deal with regular minor crises than one massive one that can leave you with weeks trying to get software packages sorted out. :( MS seems to want to go that route, actually, but then that turns into regular upgrade fees which are unacceptable to most people. After all, it's not that most people want the new features or changes. It's that they're part and parcel of the security fixes. And addressing that point on its face looks really ugly--it almost looks like a Dilbert comic about being paid to fix bugs intentionally inserted.

*Believe it or not, plenty of XP systems are malware free. It just doesn't look that way when you have millions of systems with millions of users who aren't proactive enough in updating or are just unlucky enough to be hit by a zero day exploit. If tomorrow Windows 8 was the dominant OS, you'd see the same thing in a year's time on Windows 8 systems.

**Odds are good, it won't. More precisely, a clean install Windows XP SP3 system (with the latest security updates) is almost certainly faster than a clean install Windows 8.x system (with the latest security updates). But an upgrade usually isn't a clean install--reinstalling all your apps, getting all your settings right, making sure all the required drivers/system libs are installed, etc is a time consuming hassle. Even without all the leg work, it still takes a lot of time which people aren't very happy about--having to leave their computer on for half a day untouched just so it can "fix" itself is vexing for a lot of people. Not that I've seen any way to avoid all the leg work, outside of some corporate environment--but then, that's the admin's job.

It's such a hassle, btw, that I rarely see people in tech magazines going through the hassle of actually doing clean benchmarks over the above or charting the steps for importing stuff and how much time/effort is involved. When even the people paid to do such things can't show the value and effectiveness of backups and a new version of the OS...well, there you go.

Re:Upate to the most current (1)

Anonymous Coward | about a year ago | (#45558551)

To those that say "well my computer works fine".. umm, no it doesn't. Your OS was designed in 1997-2001, in a relatively much safer Internet environment, and is not designed for always on persistent attacks with billions of dollars available by hacking. As much as I think Microsoft keeps people out to dry, at some point you need to update.

Uh, Windows NT is, in a lot of ways, designed off of VMS at its core. And there's nothing wrong with the core design, per se. The fundamental issue is the same as in *nix or any other platform: you get attacked at the surface and the surface is user apps on user libraries. No matter how much you sandbox those apps and secure the core, all you're doing is guaranteeing that the core system won't go down or be liable to being destroyed. If anything, that's a big plus for a malware writer who can instead of fearing their bots will go down can be well assured that a system that stays up will function indefinitely.

The only real reason then to upgrade is if the user land apps and libraries aren't being security fixed for XP. At its core, an old Windows 9x machine would be just as secure*--but it'd be unstable because Windows 9x is unstable. Well, XP isn't unstable. So, the only compelling reason to move really is that Microsoft won't keep updating XP indefinitely. I can understand their reasoning--or more precisely, the desire of the engineers not to just maintain an old code base indefinitely. But, there's plenty of mainframe programmers in that boat on systems that are decades old and they're insanely secure.

So, uh, yea, upgrade but upgrade for the right reasons.

*Barring some newly discovered Win9x TCP/IP stack vulnerability or an old one that never got patched because Windows 9x was EOL or a common network driver bug (although, really, the problem is lack of WiFi support). And if those exist, most (all?) of them can be fixed just like they or similar ones were fixed in WinNT, so... Still, I wouldn't run Win9x because, again, it's unstable. And that is a design defect.

Re:Upate to the most current (1)

AC-x (735297) | about a year ago | (#45558515)

The elevation of privilege vulnerability isn't Adobe's fault, any program running under a limited user could get full administrator rights with that.

Remember kids. (0, Informative)

Anonymous Coward | about a year ago | (#45557629)

Remember kids, use a free software PDF reader.

Re: Remember kids. (0)

Anonymous Coward | about a year ago | (#45557763)

Drop your pdf into a browser with in built pdf reader? Too simple?

They Didn't save this? (3, Insightful)

cant_get_a_good_nick (172131) | about a year ago | (#45557643)

Hmm, a bug that gets admin rights.... If I were sufficiently evil I would have saved this until April when there's no chance of it being patched ever.

Re:They Didn't save this? (-1)

Anonymous Coward | about a year ago | (#45557749)

XP will still be patched after that date, but only for paying customers. End of life only applies to free updates. Also, right now XP Windows Update is experiencing a massive bug that pegs the CPU at 100% and takes hours to update.

Since Win7 has been out for four years now, maybe people should stop bitching and just update, or switch.

Re-buying peripherals (2)

tepples (727027) | about a year ago | (#45558049)

A lot of companies own multi-thousand-dollar PC peripherals with no NT 6 (Windows Vista/7/8) driver, and the peripheral's manufacturer has either gone out of business or deliberately chosen not to make new drivers for old but still working hardware. When companies have to re-buy expensive peripherals, the manufacturer makes more money.

Funded by Microsoft Marketing? (1)

Anonymous Coward | about a year ago | (#45557647)

Windows 8.x best Marketing tools, XP EOL and new exploits.

Of course it has the side effect of delivering some to Apple, Google, Linux and BSD as well. Not to mention the largest effect being to increases in technical jobs related to the switchovers for all that software and hardware.

Too Bad (2, Funny)

Oysterville (2944937) | about a year ago | (#45557649)

Too bad Windows XP won't be supported much longer. Once that happens, it would be a...shame if something were to happen to that PC. If you upgrade to Windows 8, Microsoft will surely protect you.

Re:Too Bad (2, Interesting)

Anonymous Coward | about a year ago | (#45557757)

Because your cellphone, tablet, or Macintosh enjoyed 13 years of support from initial release (and 7 years after being replaced by the next version).

Re:Too Bad (0)

Billly Gates (198444) | about a year ago | (#45558601)

Too bad my Ford XT won't be supported much longer with modern airbags and security fixes from cars a century later. It would be a shame if something were to happen to my car ... greedy FORD

Wait until May 2014 (0)

Anonymous Coward | about a year ago | (#45557755)

I'm quite surprised they didn't wait until May 2014 to start exploiting this, I imagine there will be a flood of zero days the very next day after Microsoft stops supporting XP.
I just hope the multi-billion euro company I work for finally gets round to upgrading by then.
Windows XP, Adobe Acrobat 5 & 8, IE 8 and the oldest (barely) working laser printers left in Britain...great place.

Upgrade would be unwise (0)

Anonymous Coward | about a year ago | (#45557853)

Upgrading or patching XP would be unwise at this stage because any update would probably be accompanied by subtle cripple-ware.
Simple solution: uninstall Adobe fatgware and install SumatraPDF instead. Also results in a much improved PDF experience.

Gosh.... (5, Insightful)

hazeii (5702) | about a year ago | (#45557855)

Oh, I see, a ramping-up of press releases about 'exploits' against XP prior to the cut-off date.

Didn't see that coming.

Re:Gosh.... (0)

Anonymous Coward | about a year ago | (#45558379)

Oh, I see, a ramping-up of press releases about 'exploits' against XP prior to the cut-off date.

Didn't see that coming.

Yes. We have a winner.
Headline = XP is totally insecure now! Scare! XP ZERO DAY!!!

Actual problem = Adobe Reader has a zero day.

Thank you slashdot, your shill status is affirmed.
: (

Re:Gosh.... (1)

Billly Gates (198444) | about a year ago | (#45558605)

Yeah it is the press releases THATS IT.

XP never had any security issues and I do not want to change and I am familiar with it so it must be the press releases.

Useless exploit, just gives admin to a local user. (5, Insightful)

ReekRend (843787) | about a year ago | (#45557905)

Per TFA, this exploit is dumb and unconcerning. It just lets a standard user perform admin operations, no remote exploit of any kind. There have always been many ways for a standard user to get admin on any OS, the most trivial being physical access.

Re:Useless exploit, just gives admin to a local us (2)

Joe_Dragon (2206452) | about a year ago | (#45558067)

so all you need to do is use this to install that remote exploit app.

Re:Useless exploit, just gives admin to a local us (1)

phantomfive (622387) | about a year ago | (#45558543)

Truly remote exploits are getting rarer and rarer. These days it usually takes two (or more) exploits, an exploit to become a local user, and a permission escalation exploit to become admin.

Re:Useless exploit, just gives admin to a local us (4, Informative)

Anonymous Coward | about a year ago | (#45558745)

I don't know if you're joking, I suspect you are, but for the benefit of the following readers I'll explain.

Here's how it works. User is tricked into accessing an infected pdf which contains code to elevate the user's privileges. The infected document's code downloads further exploits to root-kit the box. Right now the exploit is in a pdf, but infected websites are sure to follow.
If it's out there, and it has a picture of a puppy (or, in the USA, the word "free"), some user will click on it.

If you read the TFA, then you know it also is a Server 2003 bug as well.
Privilege elevation exploits are a nightmare for Terminal Server and Citrix boxes because it is a conduit for installing tools (using the admin rights) to grab other users' credentials and to continue from there to own the entire environment.

Would be funny if the attacker could (3, Funny)

future assassin (639396) | about a year ago | (#45558177)

wipe windows and install Linux on the machine.

Re:Would be funny if the attacker could (2)

DMJC (682799) | about a year ago | (#45558777)

All they need to do to make this happen is find a memory point in windows, where Linux can be injected so it overwrites the kernel and boots linux after enough of the root filesystem has been written to disk. I'm surprised no one has tried to do this before.

Headline: Be afraid (0)

Anonymous Coward | about a year ago | (#45558365)

Article: Yea if you have this combination of software and are running a 12 year old OS...

beta.slashdot.org (1)

BringsApples (3418089) | about a year ago | (#45558413)

Man, I guess they were testing or something, but for a while, "slashdot.org" was redirecting to "beta.slashdot.org". All I could really make out was this "New Windows XP Zero-Day Under Attack" Headline and thought that something was wrong with either my PC or the site.

But maan that new layout [slashdot.org] sucks balls. I hope they don't go through with it.

Re:beta.slashdot.org (1)

BringsApples (3418089) | about a year ago | (#45558633)

That link isn't what I meant to link to. It was supposed to go to http://beta.slashdot.org./ [beta.slashdot.org]

M$ evil plan? (1)

Anonymous Coward | about a year ago | (#45558719)

Has anyone else considered that M$, in their desire to get all the XP users to buy a new version of Windows, may continue the illegal and immoral tactics they started with oh so many years ago? I remember when they encrypted the part of Windows that caused false message to disparage competing software. It wouldn't surprise me in the slightest if they expose (or even plant) some exploits and then release them to the wild after they drop support, and follow it up by more relentless FUD. They are, in my opinion, an evil company.

Server 2003 as well (5, Informative)

Anonymous Coward | about a year ago | (#45558775)

Did the submitter RTFA, or just submit as soon as (s)he saw the words "XP exploit" somewhere?

It's not mentioned, in the Slashdot article, but it's also a Server 2003 bug.
https://technet.microsoft.com/en-us/security/advisory/2914486
This means Server 2003 Terminal Servers and Citrix boxes.
