
Updates for older platforms to protect against potential nation-state activity - my123
https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-update-release/
======
DuskStar
I can't help but feel that Microsoft providing these security updates long
past XP's stated EOL date will only decrease security in the long run. After
all, if any "big enough" vulnerability results in getting a patch anyways, why
upgrade/firewall that old XP system running your equipment? And I'd bet that
people will expect the same treatment for Windows 7, too.

People never learn when disaster is narrowly averted. People learn when their
decisions mean everything is on fire.

~~~
ch4s3
Imagine if you will a hospital system say, the VA, which owns a number of MRI
machines, x-ray equipment, or similar which runs Windows XP. Now imagine that
these machines were built by a company that was acquired and dismantled and
therefore can no longer provide updates. Now imagine that these machines are
connected to the local network behind the firewall, but can not be air
gapped... for reasons. These machines work just fine, other than having an old
OS. Should they get scrapped?

~~~
mrweasel
>Should they get scrapped?

Of cause not, but the hospital knew that the Windows XP running their multi-
million dollar scanners would be end-of-life before the scanner it self. They
should have required that the software be placed in escrow for the life time
of the scanner, so that other parties could do any needed updates, if the
supplier failed to do so.

I'm sorry, I get that you can't throw away expensive hardware, just because
Microsoft no longer patch that version of Windows required to run the software
but: EVERYONE knew that the hardware would be in use beyond end of life date
for the operating system. So why isn't that included in contracts and support
plans? Do banks and hospitals even care enough to ask how the supplier plans
to deal with an EOL operating system?

~~~
thehardsphere
> They should have required that the software be placed in escrow for the life
> time of the scanner, so that other parties could do any needed updates, if
> the supplier failed to do so.

People do that?

~~~
ethbro
If you're big enough, you can negotiate any contract you want.

And "if company ceases to maintain and release updates to product, we will
receive the source code for our use" doesn't sound like too poison of a pill
for Sales to push through.

------
gaius
Kudos to Microsoft for doing this. Who else in the world is patching 16-year-
old code well past it's EOL, for free?

~~~
AnimalMuppet
I don't remember their name. They're a small RTOS vendor based in San Diego.
Maybe 8 years ago, we were using their previous (i.e., not under current
development) RTOS, and we hit a bug. We called them up, asking for them to
create a fix. My boss mentioned that our support agreement had lapsed
(expecting that he would have to send them a check to get them to work on it).
They said, "Doesn't matter. We wrote it; we'll fix it."

I would gladly give them credit by name, if I could just remember who they
are...

~~~
mrpippy
Express Logic? (makers of ThreadX)

~~~
AnimalMuppet
Yes, that sounds right.

------
weinzierl
Could be related to the _The Shadow Brokers_ threatening to release a new
stash of exploits in June, this time targeting Windows 10.

From their announcement on 2017-05-15 [1]:

> _In February Microsoft is missing patch Tuesday. TheShadowBrokers is
> knowing, Microsoft is missing to be making patches for Eternal exploits.

[..]

In March Microsoft is releasing patch for SMB vulnerabilities.
TheShadowBrokers is knowing this is being for Eternal exploits.
TheShadowBrokers is still waiting and not releasing.

[..]

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft
patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks.

[..]

Eternal exploits is not being ZeroDays. [..] patch was being available for 30
days before theshadowbrokers is releasing dump to public.

[..]

TheShadowBrokers Monthly Data Dump could be being:

web browser, router, handset exploits and tools

select items from newer Ops Disks, including newer exploits for Windows 10

compromised network data from more SWIFT providers and Central banks

compromised network data from Russian, Chinese, Iranian, or North Korean nukes
and missile programs

More details in June._

Their latest message is from 2017-05-29 [2]:

> _Q: What is going to be in the next dump?

> TheShadowBrokers is not deciding yet. Something of value to someone. See
> theshadowbrokers’ previous posts. The time for “I’ll show you mine if you
> show me yours first” is being over. Peoples is seeing what happenings when
> theshadowbrokers is showing theshadowbrokers’ first. This is being wrong
> question. Question to be asking “Can my organization afford not to be first
> to get access to theshadowbrokers dumps?”_

[1] [https://steemit.com/shadowbrokers/@theshadowbrokers/oh-
lordy...](https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-
wanna-cry-edition)

[2]
[https://steemit.com/shadowbrokers/@theshadowbrokers/theshado...](https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-
monthly-dump-service-june-2017)

~~~
throwanem
What the hell is with all those present progressive forms?

~~~
weinzierl
Has been discussed on HN at length in the respective threads. Some people
believe it's to make language analysis harder.

------
EdSharkey
I imagine Microsoft gets a dump truck full of cash to open support up on XP
like this. I wonder who paid?

~~~
ocdtrekkie
Well, the US government's already paying them to maintain XP to begin with. So
the patches already exist internally at Microsoft, and it costs them nothing
if they just decide "Hey, this patch is such a big deal, we also want to let
everyone else have it". Isn't really gonna change the fact that the US
government's still paying them for the work.

And computer security benefits from herd immunity tactics, so it's best to get
virus updates in as many hands as possible. It's why Microsoft has never
really prevented pirated copies of Windows from getting security updates. They
benefit from not having old machines potentially causing problems for newer
ones, and even just avoiding the bad PR from massive malware attacks.

~~~
daxfohl
For that matter the government may well be dictating the patch release
schedule too. And certainly the skeptical among us can wonder what else may be
in these patches.

------
0x0
I keep a winxp vm around for some old games. Many of the download links at
[https://support.microsoft.com/en-
us/help/4025687/microsoft-s...](https://support.microsoft.com/en-
us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-
platforms) , especially in table parts 2 and 3 for winxp go to 404 pages.
Also, ie for winxp does not seem to be able to even open the windows update
website any more. Any tips?

~~~
sp332
Have you tried manually installing SP3 first? I remember an old PC I had to
troubleshoot wouldn't install anything else until I had that.

~~~
mrighele
I tried to install Xp in a VM a few weeks ago to see if I could run a few old
games. The iso I had was for XP Sp2, and I couldn't find a download link for
the Sp3 installer on the whole Microsoft site. Links from search engines
become "the file is no longer available" or something similar

------
news_to_me
How the fuck are some government orgs still on Windows XP?? Seriously, we need
government-wide standards in place so this sort of thing doesn't happen.

~~~
zanny
We have government wide standards, they standardize on Microsoft's proprietary
non-standard products.

Microsoft built this mess for profit, and continue to profit off of taxpayers
indefinitely as hobbled state institutions are forced to pay permanent support
contracts for old OSes because the states themselves _mandated they use this
shit_ by law. I'd love to see how many campaign contributions MS made to
representatives pushing laws standardizing on Word or other bullshit MS only
tech in state institutions and even worse, in schools.

Public education is infested with Microsoft giving away / heavily subsidizing
their locked in products so children are hooked on them for life, and nobody
is outraged about it.

Hell, the whole war for the classroom _from all parties involved_ is
disgusting. Microsoft, Apple, _and_ Google all push free access to their
proprietary services and products to lock kids into their ecosystems. And
while Google's platform, Chromebooks, are much more open than their
competitors, they offset that by also having the ulterior motive of farming
these kids for their big data research (not to say MS and Apple aren't doing
it too, just saying Google is far from innocent here).

The whole intersection of state and software globally is a giant mess of
corruption. There is way too much profit to be made off taxpayers money for
anything close to good intentions to win the day.

~~~
gaius
_I 'd love to see how many campaign contributions MS made to representatives
pushing laws standardizing on Word or other bullshit MS only tech in state
institutions and even worse, in schools._

I keep hearing it will be the Year Of The Linux Desktop and it keeps never
happening. That's why. No need for any wacky conspiracy theories, for the
average user who just wants their computer to be a tool to get work done, the
choices are Windows or Mac, and for large organisations who want to centrally
manage machines, the choice is... Windows.

~~~
knz
> for the average user who just wants their computer to be a tool to get work
> done, the choices are Windows or Mac

And yet Chromebook and iPad sales are booming at the expense of the PC. My
sample size is ~20 family members. Those with Chromebooks love them and those
with Windows 8/10 despise them. From a support perspective, it's considerably
less for Chromebooks vs multiple issues with malware on the Windows devices.

Caveat emptor, YMMV etc.

------
Kenji
Why is nobody punishing the responsible nation states? I think the nation
states who have such irresponsible intelligence agencies should pay every last
dime of Microsoft's patching efforts and the damages the hacks and leaks
cause.

~~~
empath75
Well it's a combination of the us and Russia in this case.

~~~
qb45
If we are talking malware being leaked or escaping to the wild, it's more like
the US, Israel and maybe some not-yet-caught European states cooperating with
them.

------
toredash
Sad part is that there will still be owners of WinXP who won't patch their
systems.

~~~
Angostura
Because the manufacturer of their embedded system went bust, for example.

~~~
toredash
Or they just don't patch their systems.

------
norswap
What the heck does "nation-state activity" means?

~~~
cityhall
Russia

~~~
Alupis
> Russia

Is that a new way of saying "NSA"?

All joking aside... this is likely the tail-end result of the Shadow Brokers
leak coupled with the recently-used exploits in the failed crypto-locker
variant "Wanna Cry".

