
Discussion of security concerns for EOL or near EOL Windows versions

At the request of staff this thread was created to discuss security concerns of Windows versions which have been retired. The discussion started as follows.
Windows XP never magically became an insecure OS and interestingly still isn't. Windows 7 is unlikely to become such either. Still being EOL will trigger software and hardware devs to begin phasing out support. As irritating and sad as it is, it's the future.
None of that is true. Would love to further discuss security in a thread meant for it.
So let's discuss? What do you find untrue?
 
If you don't think XP is insecure, then give it a public IP and see what happens.
 
I mean windows in general is no paragon of security.
 
The context for this question is relevant too, are we talking home use or professional application like a workstation in a big open network or even a public server? For home use I would agree that there is not much concern.

If you don't think XP is insecure, then give it a public IP and see what happens.
Well do the same for Win7 which is still in support and the outcome will be very similar.
 
I don't think it's a good idea to go online while running XP anymore and the OS is 18 years old. For god's sake let it rest in peace and move on. I'm not sure if Win 7 is safe for going online or not. I've still got a backup rig with Win 7 on it and I go online sometimes but definitely not to any bad neighborhoods.
 
Not without proper security in place. However, with a solid firewall and AntiMalware suite I have.

If you need all of that just to keep an idle OS from getting infected, then the OS isn't secure.

Well do the same for Win7 which is still in support and the outcome will be very similar.

No it won't.
 
The only real way to settle this discussion would be a proper scientific experiment.
 
The context for this question is relevant too, are we talking home use or professional application like a workstation in a big open network or even a public server?
I think in general we're talking about home use.
For home use I would agree that there is not much concern.
Agreed.
I don't think it's a good idea to go online while running XP anymore
I know many who do.
the OS is 18 years old. For god's sake let it rest in peace and move on.
Some people can't upgrade for various reasons.

The reality is XP didn't and hasn't fallen apart. Same with Vista. Windows 7 is unlikely to either.
 
I know many who do.

I know plenty of people that smoke, that doesn't make it a good idea.

The reality is XP didn't and hasn't fallen apart. Same with Vista. Windows 7 is unlikely to either.

It hasn't fallen apart, it's been picked apart. Every worm knows how to exploit all the security holes that exist in XP. Over the years since it has stopped receiving security patches, many vulnerabilities have been found and exploited in the wild.
 
For any build or reinstall of ANY O/S I always install a suitable AV solution and firewall
"BEFORE I LET IT GO ONLINE"

PS I have working laptops with Win98 / XP-Pro / Vista / Win7 and Win 10, all go online occasionally
None are affected with malware apart from the Win 10 ( and that is by Microsoft Design :))
 
If your machine is so old that it won't allow you to upgrade it to Windows 8.1 or 10, then it's probably a better candidate for Linux if you are unable to purchase newer hardware or buy a newer machine.
 
But when they need to replace hardware can they even find drivers for it?
I regularly acquire / buy old used hardware... Drivers are not a problem.
Finding drivers for a piece of Win 98 era hardware for, say, Win7 is on occasion difficult.
The average Joe Public cannot and gives up... more knowledgeable people can usually find workarounds.
 
Once EOL is reached in several months, I plan to move my present Win 7 disk's image to a back up drive that will not see internet, and switch to Win 10 long term service or a tweaked consumer 10 with annoying features removed.

The hassle of running 7 will eventually outweigh the hassle of 10. I love everything about 7, it is sad to see it end. I have thought about running 8.1 instead as the EOL is a bit later.
As this machine is predominantly for gaming, 10 will be eventual.
 
I think this is a silly debate.

It is a simple fact that XP has unpatched vulnerabilities. It is reasonable to assume W7 does too - or that newly discovered vulnerabilities will be discovered in the future. And it is a simple fact any such vulnerabilities will NOT be patched or fixed by Microsoft.

Not without proper security in place. However, with a solid firewall and AntiMalware suite I have.
Therein lies the problem and why suggesting XP is still safe, and that W7 is unlikely to become unsafe is totally flawed logic. And frankly, I think suggesting XP is still safe and W7 will remain safe is reckless - at least in an open and public forum where gullible novices are likely to see it. :(

Many security applications no longer support XP. As time goes on, that surely will be the case with W7. Why? Because as time goes by, fewer and fewer users will be using these operating systems. So why should or would any security app company continue to throw resources ($$$$) into research and support for them? There would be zero incentive (read: profits) for them to do so.

So even if a new vulnerability is discovered, neither Microsoft nor the security app developers are developing methods to protect against exploitation.

What does that mean? It means a zero-day exploit could surface today with no chance any security organization will discover it, and protect against it, before your system is compromised by a bad guy.

Most, if not all the major testing labs no longer test anti-malware programs with XP, and in fact, some already don't test for W7. So how do you know your antimalware truly is protecting you from all the XP malware currently out there? You don't. You may have just been lucky and the bad guys have not found you - yet. Same will soon be true of W7. At least with W10, we know Microsoft and all the security app developers are actively looking for vulnerabilities and the malware designed to exploit them. And if discovered, we know Microsoft and/or the security app developers then address those issues in upcoming updates.

So yes, today, as in this minute, it may still be possible to protect obsolete and superseded operating systems from exploits. But all bets are off for tomorrow. And that's why XP should stay off any network that has Internet access, and the same will soon be true for W7.

And for sure, home use is a concern. Most home users are not security experts, nor do they have a security expert watching over their networks.
 
If you don't think XP is insecure, then give it a public IP and see what happens.
I did that once by mistake after a clean install, and guess what happened? Didn't have enough time to install the updates. This was before XP went out of support. I learned to leave the Ethernet cable unplugged.
 
I think this is a silly debate.

It is a silly debate because all OS have unpatched vulnerabilities. The question is how many, and who knows about them.

Plugging any PC into the internet without some form of decent security posture is akin to hitting the brothels without being wrapped up. You're gambling with your digital appendage.
 
Update your shit. Update your drivers, update your micro-code, update your BIOS. Update your software. Update your OS. Update your router firmware. Keep it up to date and stay diligent.

Windows XP is NOT a safe operating system. Windows 7 will NOT be a safe operating system once it is no longer supported. While 0-days are always a possibility for software, they get patched. While unknown vulnerabilities are present in all environments, most attacks occur on well known vulnerabilities that are unpatched by vendors and users, because attackers, aside from small highly resourceful groups, want to have a maximum bang-for-their-buck, and using a proven exploit is easier than discovering one on their own.

Just this year we've seen BlueKeep and DejaBlue on Windows systems, and they got patched. If you end up with a BlueKeep equivalent on an unsupported OS without updates (or because you refuse to update your shit), you are a ticking time bomb: You are both in danger, and a danger to the safety of the internet overall (together with the millions of others who think the same as you, or lack the knowledge to protect themselves).

As for everyone saying: "This never happened to me" - You usually have no idea if it happened to you or not, especially not on something as old as Windows XP. Unless you are part of a small minority of people running (relatively) high-end security at the edge of your home and/or home-business network, you are a lot more vulnerable than you think.
 
It is a silly debate because all OS have unpatched vulnerabilities. The question is how many, and who knows about them.
That's not why. The reason why is because unsupported operating systems are not supported. So vulnerabilities will go unpatched. Supported operating systems will [eventually] be patched by the OS developer and/or protected by supporting anti-malware programs.
Plugging any PC into the internet without some form of decent security posture is akin to hitting the brothels without being wrapped up. You're gambling with your digital appendage.
True - but again, supported operating systems will get "wrapped" - hopefully very soon after the vulnerability is discovered, or new malware is discovered (typically found in honey-pots) but before it spreads out into the wild.
 
I mean windows in general is no paragon of security.

My main router runs Windows Server. It can be, if properly configured. That said, I'd never pay for it (old Academic License).

It has a firewall, naturally, the built in one. That's really all it needs if all it runs is a static web server and some internal routing shit. I've yet to be hijacked, and yes, you've seen my IP on these forums. I host my bios mods with it... lol.
 
My main router runs Windows Server. It can be, if properly configured. That said, I'd never pay for it (old Academic License).

It has a firewall, naturally, the built in one. That's really all it needs if all it runs is a static web server and some internal routing shit. I've yet to be hijacked, and yes, you've seen my IP on these forums. I host my bios mods with it... lol.

Is that implicit permission? :laugh:
 
Due to recent shenanigans in another thread, I'm going to refrain from directly responding to anyone as to avoid the idea of disrespect toward any user as none is intended.

With regards to XP, any competent firewall other than the one it came with (even Tiny Personal Firewall) will be enough to keep the OS safe from the vast majority (99.99%) of attacks, even worms, as every firewall I would recommend will drop malformed packets by default. Additionally, almost all ISPs' modems have at least some form of basic firewall built into them and have NAT enabled by default. This makes direct attack almost impossible anyway. So anyone who is crazy enough to use XP to directly connect to the internet without some form of protection is a fool to themselves and deserves to be attacked. Even then, it's unlikely.

That said, I don't recommend anyone using XP as their daily internet driver. XP should only be used if no other option remains or if a specific need exists. Should such a need exist though, a few simple precautions taken will be enough to protect even the average user.
 
WIN 7 will still be supported for another two years, but you have to pay for it & it's not open to all end users.
 