Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003 (krebsonsecurity.com)
151 points by akeck 4 days ago | 79 comments





It's especially unfortunate since KB4474419, the SHA-2 update for Windows Seven, de facto disabled updates for quite a few people with dual-boot or encrypted system partitions in mid-March.

>encrypted system partitions

Does this include BitLocker? Or is this an issue with third-party boot loaders, so BitLocker is fine but TrueCrypt is not?


Disables updates? How?

The update fails and gets automatically reverted. I don't think you can get the monthly security updates without it, at least that was the case with the April rollout. Since it's not immediately clear why the update fails, you can even now find quite a few people looking for help to diagnose the error online.

edit:

Here's some context:

https://answers.microsoft.com/en-us/windows/forum/all/kb4474...

It's an easy fix for dual-boot if you can just replace GRUB with the MBR again, but people with disk encryption are rather screwed, it seems.


Not even a wormable flaw could convince them to patch Vista, apparently (assuming it's not somehow magically invulnerable when the versions before and after it weren't).

"Users of Windows Vista can download the updates (Monthly Rollup or Security Online) of Windows Server 2008 from the Update Catalog and install them manually." https://borncity.com/win/2019/05/15/critical-update-for-wind...

But this is definitely confusing. MS explicitly offers patches for Win 7, Server 2008, Server 2003, and XP, but there's no "Vista" link visible.

https://portal.msrc.microsoft.com/en-US/security-guidance/ad... https://support.microsoft.com/en-us/help/4500705/customer-gu...


It makes sense not to mention Vista in a headline considering the very low usage rates.

If anyone should not expect security update news via popular news outlets, it's Windows Vista users. There are plenty of niche channels for niche product releases.


On a side note, I think that Vista wasn't necessarily unpopular, it just had a good upgrade path/incentive for users (unlike XP to Vista).

My perception for a long time has been that Vista, from a technical perspective, was leaps and bounds above XP, but the end user experience was sometimes lacking; 7 didn't provide drastic technical improvements so much as offering a much-polished Vista.

Windows 7 should have been called Vista SP7. That is what I called 7's hasty premiere after Vista's lackluster debut.

It was one of the least popular versions of Windows, no? Certainly its market share never exceeded XP's.

I think Vista was the least popular as you say, but I think that was because the upgrade path/incentive wasn't there.

The upgrade from XP to Vista meant a lot of software stopped working, especially from a driver perspective. If you're using some niche software that "just works (tm)", why change? Especially if it costs a lot of money to upgrade or your system isn't networked. The UK tried to upgrade its XP-running backbone years ago, failed - and still got billed £10+ billion.


No, it was quite unpopular, period. See: https://xkcd.com/528/

There was the popular perception at the time that every other version of Windows was good, while the in-betweens sucked. Vista followed that expectation perfectly, as did Windows 8.


> No, it was quite unpopular, period. See: https://xkcd.com/528/

I've always read this comic as making fun of people for having unjustifiably low opinions of Vista.


Not surprised the 2008 patch is intended to work on Vista, I was more bemused that they had an otherwise exhaustive list of versions and how to patch them, and just...left it off, not only in the headlines, but in a number of the enumerations.

Maybe the market share of Vista is so small, that Microsoft doesn't bother releasing a patch for it. There's no patch for Windows 8, either.

8 and 10 aren't vulnerable, according to their writeup about it.

As someone commented above, there's a footnote about how Vista users can use the Server 2008 patch, I was more amused that in an apparently-complete enumeration of versions in a table, they just...left it off.


From netmarketshare.com:

- XP market share: 3.57%

- Vista market share: 0.23%

- Mac OS 10.10 market share: 0.51%

(10.10 went out of support the same year as Vista)


RDP is not on by default, so I don't see how that's a big deal.

[flagged]


That crosses into personal attack and you can't do that here, regardless of how strongly you feel about someone or their employer. Please don't do that here.

https://news.ycombinator.com/newsguidelines.html


Reader is a discontinued product that nobody can use. Patching it makes no sense.

That was a joke, but it's why the OP was so ironic.

Google has absolutely terrible support. You can't even use their products when they discontinue them, and they discontinue them all the time. Maybe I should have used Nest for my example, which people actually paid for, put in their houses, and now can't use any more.

Last release of XP was 11 years ago. Extended support ended 5 years ago. Yet people who want to use it still can, and even still get occasional security patches. Even Vista is still usable and gets updated, as mentioned in a sibling comment.


The difference is probably in part caused by the markets for Google vs. Microsoft products that we are discussing.

If Google shafts a private person they might get angry and buy Apple next time, and Google loses a few hundred bucks. But if Microsoft shafts the XP machine in a hospital that runs their old MRI machine or whatever, that's a potential PR crisis and possibly a million-dollar lawsuit.


[flagged]


How could he doxx you just by reading an article on his site?

Care to elaborate?

Wow! Good for Microsoft. You don’t see Apple releasing patches for 15+ year old operating systems.

Apple makes all their OS releases free to their users, so there are far fewer 15+ year old Apple OSes existing in the wild to begin with. If you'd said you don't see Apple releasing patches for 15+ year old computers, I'd be more inclined to agree.

Heh, because Apple prefers to arbitrarily leave out support for their older systems on newer OS releases.

Neither did Microsoft, as far as I can tell:

https://portal.msrc.microsoft.com/en-US/security-guidance/ad...


There are XP patches. I wonder if that CVE page is autogenerated and doesn't include out-of-support operating systems.

https://support.microsoft.com/en-us/help/4500705/customer-gu...


I don't understand why they would do this. If I were a Microsoft manager I would be glad something like this happened, because it would force people off of old OSes without having the bad rep of doing it through nag popups.

Now everyone on XP will feel safe because it's still getting updates.


At this stage, anyone still using XP is doing so because they have no other choice: either it's intrinsically tied to low-end hardware, or to some piece of critical software, and it's too expensive or time-consuming to replace. Often this includes "embedded" PCs in scientific equipment and the like.

We said this about IE6, but once major sites started dropping support, usage dropped to almost nothing fairly quickly.

Or they don't know or care. "It runs my spreadsheet fine."

Microsoft's rather friendly attitude to backwards compatibility and long-term support is IMO one of their strongest competitive advantages for Windows and Office. Not following this philosophy for their mobile platforms has also led to their downfall there.

In the real world, there are understaffed IT departments, insufficient budgets, time-consuming logistics, and complex systems which are not easily upgraded. Microsoft's options here are either "to hell with it, not my problem, just let the world burn" or taking responsibility and fixing problems which will affect people.

In addition to those reasons, generally a computer system is a business tool. If a machine is doing what a company needs, then why spend valuable time and money upgrading it to something else that will do exactly the same job?

I do appreciate the problem of security patches, but XP is pretty rock solid as a platform so for many businesses their tool does what they need.


Budgets will find room for an update when an out of date OS starts causing damage to the business.

Patching an ancient OS is enabling the delay of updates with the excuse "What's the point, it still works."


There are reasons there is no budget. A budget doesn't magically appear. Take health care, education, or police services for example. Do you really want to take away resources from providing the stuff that's actually needed just for some artificial easily preventable crisis?

The entire situation is ridiculous really. So what that XP is "ancient"? For many purposes it works just fine. The only reason this situation exists is because people can't fix their own computers. The entire thing is a massive waste of resources.


Those areas are so important that it makes even more sense to get things upgraded. I don't want my health info running on a networked windows xp machine.

Just because a computer is involved in health care doesn't mean it has access to your "health info".

And look, of course it would be better if they upgraded. But "facts on the ground" can make it hard. It's easy to comment on HN, but not everyone involved is a complete idiot. I suspect that it's probably one of those 90/10% things: 90% has already been upgraded years ago, but getting the last 10% upgraded to something newer is 90% of the effort.


Programs made for Windows XP do not work on Windows 10, not even in compatibility mode, so that's probably one reason why many won't upgrade. They would have to replace all equipment, which probably costs millions, just because the software is old (but still working).

This. There are embedded systems running XP, including sonograms, dental X-ray units, and the like. Not to mention dedicated patient scheduling systems. Many turnkey systems that have no easy upgrade path.

It is possible to isolate those legacy systems with additional rules in network equipment. Then those systems can operate until they physically break down with no possibility of repair. In my opinion, getting rid of an MRI just because it happens to be running on Windows XP is inconceivable.

Is it really Microsoft's responsibility to keep patching XP forever?

Hot take: but yes, it is. They sold the software and they are preventing anyone else from patching XP. I think that by doing so they have responsibility. If they don't want it then that's okay: just allow other people to patch XP.

The situation where I'm not able (or even legally allowed!) to patch my own computer system is pretty ridiculous. I'm not massively into "Free Software" or the "four essential freedoms", but I do think people should have the freedom to fix software they bought ("right to repair").

I know how it works, I don't "buy" Windows, I buy a license to allow using it. I think that is legal shenanigans and doesn't (or rather, shouldn't) really matter.

The entire thing is just a colossal waste of resources. Many organisations would be perfectly happy with XP, because a basic stable OS without too much fancy stuff is all they need, and XP offers that. It's not an "upgrade", it's just "replacing a working system with another working system".


Well, you almost had a point, but then you lost me. You are conflating two things, they sold you "a license" not "a license with free unlimited labour".

It sounds like what you're saying is that a company has no "right" to determine whether they wish to distribute a product of their labor using a copyright license of their choice. Under your system, they would be forced to give up this right and open source the product, or provide free unlimited updates. Sounds rather harsh on smaller software companies that don't make billions of dollars!

> but I do think people should have the freedom to fix software they bought ("right to repair").

People have been patching binaries themselves for the past several decades. AFAIK they haven't sued a user. But yes, it would be nice if this was codified in law that an end-user can patch a binary on their machine.


There's another way of saying it: the software has a defect, and not only does the vendor refuse to fix the defect, it also prevents me from fixing it.

With physical hardware people would be up in arms about it, but for software it's considered "normal". I don't think it should.

I'm not asking for "free unlimited labour", I just want software that 1) works and 2) doesn't need replacing at the cost of millions of dollars every few years. I don't think that's an especially ridiculous thing to ask for.

You don't need to "open source" the code in the sense of "put it on GitHub"; you can give people more limited access to the code (or just parts of the code).

Microsoft also sells maintenance contracts for Windows XP, but also to large bulk customers to the tune of millions of dollars. It could choose to sell it to anyone for $2/month or whatever price is realistic.

Either way, there are more options than "free unlimited labour" and "open source it".


>I'm not asking for "free unlimited labour", I just want software that 1) works and 2) doesn't need replacing at the cost of millions of dollars every few years. I don't think that's an especially ridiculous thing to ask for. You don't need to "open source" the code in the sense of "put it on GitHub"; you can give people more limited access to the code (or just parts of the code).

The problem is equating "you can" with "must be forced to".

>There's another way of saying it: the software has a defect, and not only does the vendor refuse to fix the defect, it also prevents me from fixing it.

>With physical hardware people would be up in arms about it, but for software it's considered "normal". I don't think it should.

That's quite an exaggeration. You can't realistically fix bugs in CPU chips, or USB microcontrollers, or Bluetooth radios, or cellphone antenna radio chips. "So then Intel should open up their CPU design" and/or "But I should be able to" is not really an argument, because anyone could say the opposite and be on equal grounds.

So now, the only principal argument that I can see us having is "should freedoms have limits" or "what freedoms are essential", and we would probably agree on most things, but it seems to me that we just come out at different positions on a spectrum.

>Microsoft also sells maintenance contracts for Windows XP, but also to large bulk customers to the tune of millions of dollars. It could choose to sell it to anyone for $2/month or whatever price is realistic.

Okay, but that is a business decision that was made because a lucrative customer demanded it as a requirement before purchase. I don't see the connection. Both parties entered into a voluntary contract... well for the most part.

On the other extreme, you are free to hire a software developer, and get software made which you can choose to release under an open source license.

Personally I happen to think that data interoperability is more crucial than the software itself. All software does in the end is just manipulate data. It's possible to have a rich variety of software when the data interchange format is standardized and protected from monopolistic abuse. The foremost example being the internet packet protocols.


> I'm not massively in to "Free Software" or the "four essential freedoms", but I do think people should have the freedom to fix software they bought ("right to repair").

Doesn't the first part of your sentence contradict the second? The only way it would be possible to patch software yourself is if you had the source code.

(I suppose you could reverse engineer the binary, but that's not practical, and besides, you could do that today if you wanted to.)


The four freedoms go far beyond just the ability to fix stuff. It also includes the ability to redistribute copies and modified versions.

I think there are more options than just "open source it all" and "keep it all proprietary". You could, for example, only provide the source code (or parts of the source) under an NDA contract when requested and merge "community fixes" upstream, or something. I don't know what would work well in practice (not many businesses have experimented with it) but I'm fairly confident a model can be thought of that works well yet isn't "open source" in the sense that we understand it today.


It's allowed by Microsoft Limited Reciprocal License.

Except part of an OS is security. Just like you wouldn't keep an old skeleton key on the front door of your business because of the risk of someone breaking in, you may feel it isn't worth the risk to use an old OS that has an obsolete security model.

The flip side of this is that there has to be an acceptable newer replacement with a better security model. For a lot of Windows 7 users, Microsoft have yet to offer that. (I imagine this is going to cause quite a stir if Microsoft try to stick to their published EOL date for Windows 7 next year, given that still nearly half of Windows users are using it.)

They could create a premium, telemetry-free version of LTSB/LTSC for the several hundred million Windows 7 users who are waiting for the market to provide an upgrade path which supports modern hardware.

If they made Windows 10 Pro more like the Pro edition of earlier versions, i.e., targeted at smaller businesses or power users who want a professional OS but not all the enterprise hassle, I would think they could do very well. But a professional OS doesn't do things like taking control of your computer to update or reboot whenever it feels like it or forcing you to upload any data you don't want to.

I have a suspicion that at some point Microsoft are going to back down on the big deal-breakers. They don't try to push their luck with those kinds of games in their enterprise products, because the big customers simply won't accept them. The frequent failures are just proving the critics right, and there have already been tentative moves to moderate the problems with mandatory updates. If changes in that sort of direction go far enough, they will appeal to smaller but serious customers who aren't running enterprise editions but have similar concerns.

If Microsoft really don't take the hint and back down when it comes to the crunch, I suspect Windows 7 will make the immortality of XP look like an amateurish trial run. I know my businesses all stocked up on Windows 7 machines a couple of years back while we still could, and since then we've been actively investigating multiple possible alternatives to Windows desktops for future use. Looking for alternatives seems to be the general trend across the other small tech businesses within my network as well, so if Microsoft think they're going to call everyone's bluff and get the whole world to migrate to 10 next year by shutting off updates for 7, I suspect they have seriously misjudged their market.


They have backed down on the Store/UWP, which is progress.

The security as new functionality is not really an issue to keep PCs running relatively safe. The argument that ECC is a new functionality and not a security patch comes to mind. That was a fair argument and people still had RSA. The underlying security breaking is not really an issue today as far as I see it.

The actual deal breakers are bugs which can be exploited and need to be fixed. And while it's unfair to expect bug-free software, fixing them is not new functionality.


It may not be their responsibility, so to speak, but if they choose to do it to help maintain their “we’re the best solution for enterprise customers, look we still release security patches years after EOL, that’s how much we care about reliability, blah blah blah” stance, who’s to say they shouldn’t do it?

By law, I suppose not. Morally, it depends on whom you ask.

If it were open source, other people could pick it up (gratis or for a fee). Right now, nobody can (except for Microsoft), because it is proprietary software. Microsoft brought it upon themselves to release the software as such.


If they want to stop being responsible they can release the source code so others can write patches.

If they did this how long before Windows XP Mint was released?

More seriously, how much of their code could they release without giving away much of their next operating system? Certainly, by the fact that this bug affects versions of the OS going back 15 years, we can be relatively certain that the code contained between them has a lot of identical parts.


"Release the source code" does not necessarily equal "allowing people to make derivative products from it". You could release it under a strict "only to be used to fix defects"-license.

It wouldn't be "open source" or "free software" as we understand it today, but I don't mind, and it's a lot better than what we have now.


The lack of budget is easily fixed when mature financial planning (which is completely normal for non-IT resources) and internalization of externalities is applied by requiring a working and budgeted lifecycle for every newly established IT system.

Forced internalization of externalities and transparency of risk (by vendors establishing both a firm lifecycle and a patching regime) provide the right incentives to make that happen.

In other words, the world of networked devices is a world of constant change. It must rid itself of those not fit for that change. People can run XP until the sun burns out, they just can't connect it to anything that's not theirs.


I've worked at a company where the build server was full of viruses, because devs kept spinning up unpatched XP VMs, which would inevitably get Conficker, and whatever other shit was hanging around on our intranet.

Nobody gave a shit about it. And this wasn't some crazy seat-of-the-pants startup. It was a mature software company, employing >40 engineers (in that division alone), that had been building and selling software for many, many years.


I have had a VM server like that. About a dozen Windows images, each launched from a known good snapshot for the test suite to run. Afterwards the VM is killed and reverted back to the snapshot. Viruses? Couldn't care less. The whole lifecycle of the VM was like 40 minutes.

40 minutes of an unpatched computer on that network was 35 minutes too long.

We'd also develop inside VMs. That is, we'd install Visual Studio, our product, Seapine source control...


What you create today creates a liability for tomorrow. Maybe they wouldn’t have to do this if Windows 7/10 were free updates with a smooth upgrade experience?

> "What's the point, it still works"

And you're claiming that it working is not a legitimate reason to keep using it?


Many institutions and hospitals still use XP. And they pay Microsoft a lot to support it.

Do they really still pay for XP? I thought it went completely EOL some years ago.

Yep, NHS for example.

We had extended support for a couple of years but now it's dead dead deadski.

Like any other large industrial org, there's some bits of million-pound kit with integrated, essential XP. Likewise old essential software where the support has literally retired, running on 2003. We've got roadmaps for replacing it, but they're not instant.

We manage it as best we can. But broadly we're just about to go to 10 on desktops, so we're not as bad as the police!


Glad to hear it. When I worked for a NHS software vendor a couple years ago there were still XP workstations about. I guess it probably varies by the trust as well.

NHS Employee here, not seen XP on a NHS machine in a very long time - including in hospital environments.

It's Windows 7 now, I'm now seeing some staff get Windows 10 machines deployed to them.


Those still using XP should have networking and USB features disabled.

I would not be shocked if Windows XP had fewer vulnerabilities than Windows 10. Also, who cares? How would your behavior change if you learned one was more or less vulnerable than the other?

If I was managing systems that were EOL many years ago and an active risk of being exploited my behavior change would be either to update them or disconnect them from the outside world.

What if you managed a non-EOL OS, like Windows 10, but you had inside information that there were multiple active ongoing exploits? You might say you would disconnect them from the internet. But I think it comes down to blame. No one would blame you if Win10 computers were connected to the internet and were exploited. But people _would_ blame you if they were XP. I think this pretty much explains how people think about these choices.


