Windows XP and the dire predictions of its fate at EOS.

Status
Not open for further replies.

aztony

Level 9
Thread author
Verified
Oct 15, 2013
501
There is an ongoing and running debate about the fate that awaits XP when M$ pulls the plug on its support come April next year. Many voices are raised in a clamor as to how the OS is doomed to the host of exploits that await, and the pernicious horde of would-be exploiters drooling with anticipation. They say that only the foolhardy would continue to use the OS after support ends. Some go so far as to say 'resistance is futile' because nothing can be done to make XP safe for use.

Then there are those who believe that with the right mix of common-sense precautions, fortifications, and security measures, XP can still continue on as it has since, well, since forever it seems. So I am posing this query to the forum. An XP OS fortified with DEP, EMET, SRP rules, LUA, along with a properly layered defense, to include a respected AV renowned for its malware-blocking ability, an equally well-respected HIPS firewall, and a sandboxed browser when browsing. Could this OS survive EOS? What more would be necessary to further fortify this OS?
 

Gnosis

Level 5
Apr 26, 2011
2,779
I promise you; my XP will be one of the safest OS's in the world. Besides that, even if I do get infected, I will know, and not via some one year license.
 

aztony

Level 9
Thread author
Verified
Oct 15, 2013
501
Gnosis said:
I promise you; my XP will be one of the safest OS's in the world. Besides that, even if I do get infected, I will know, and not via some one year license.
I heard that!
 

MalwareVirus

Level 1
Oct 6, 2012
770
IMO
If you have good knowledge of computer security, and you care what you are going to do, then it is very rare that you get infected. Researchers and hackers can show you or prove to you that they can, but it is going to be hard to deploy their tactics to a specific computer or laptop... so wait and watch!!!
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Gnosis, you may say that for a personal computer. But how effective would your set-up be on a much larger network (i.e. 1000 PCs), with 1000 people with different levels of expertise or none? Windows XP is more vulnerable as it stands than a newer OS. So when MS drops support AND security updates, Windows XP is basically DOOMED. No matter how many layers of protection, there will be unpatched / zero-day threats.

Example:
Windows XP SP3 in 2016
20 zero-day exploits ITW
0 security patches
 

aztony

Level 9
Thread author
Verified
Oct 15, 2013
501
MalwareVirus said:
IMO
If you have good knowledge of computer security, and you care what you are going to do, then it is very rare that you get infected. Researchers and hackers can show you or prove to you that they can, but it is going to be hard to deploy their tactics to a specific computer or laptop... so wait and watch!!!
I am of a similar opinion.
 

aztony

Level 9
Thread author
Verified
Oct 15, 2013
501
Earth wrote:
But how effective would your set-up be on a much larger network (i.e. 1000 PCs), with 1000 people with different levels of expertise or none?
I agree that scenario is going to be the real challenge to businesses and organizations. And that is primarily where any targeted attacks will likely occur.
 

Gnosis

Level 5
Apr 26, 2011
2,779
Gnosis, you may say that for a personal computer. But how effective would your set-up be on a much larger network (i.e. 1000 PCs), with 1000 people with different levels of expertise or none? Windows XP is more vulnerable as it stands than a newer OS. So when MS drops support AND security updates, Windows XP is basically DOOMED. No matter how many layers of protection, there will be unpatched / zero-day threats.

No doubt that a bunch of XP users are at risk, but their inexperience related to security set-ups causes that a lot more than 30-day late Windows patches not being available. I disabled XP updates around 7 months ago, so it matters not to me what MSFT does or does not do.
 

aztony

Level 9
Thread author
Verified
Oct 15, 2013
501
Fabian Wosar wrote:
OA Developer

Well, I wouldn't put it that way to be honest. Your test is perfectly fine and valid. I just disagree with the conclusion you draw from your results. Since every HIPS will fail to some degree in your current setup, the result is not that all HIPS are bad and should be avoided. The result should be that you will lose if you don't keep high risk applications up-to-date, no matter what HIPS you use.

This is not solely a HIPS problem either. Sandboxie has to allow applications running inside the sandbox to communicate with services outside the sandbox for example. If it doesn't, the application simply won't run at all. However, this also means that if that service is somehow vulnerable due to a coding error or bug, the application will be able to escape the sandbox by exploiting said vulnerability. Every system is only as secure as its weakest link, which is why it is crucial to harden every aspect of your system, and not just put all your eggs in one basket.

For example: Updates would have kept you safe in your scenario. EMET would have kept you safe as well. Using a browser that is aware of its high risk status, like Internet Explorer on Vista and later OSes or Chrome, would have kept you safe. An AV software, scanning the network stream, would have likely picked up the exploit code before it reached your vulnerable browser, keeping you safe. Setting up your own custom HIPS rules for your high risk processes, would have helped mitigate the attack. There are dozens of things you can do to improve overall security by hardening the weak links in your overall equation.

They are. Which is why I always cringe when people ask me how they can stay secure once Windows XP support runs out. The only answer is by updating to Windows 7/8 or by switching to an up-to-date Linux distribution, because there is no way you will be able to keep your system safe after April 2014.
http://www.wilderssecurity.com/showthread.php?t=355629&page=2

Perspective of an Online Armor developer.
 