Windows XP is officially one year from being an unsupported OS. It’s already an insecure operating system even if you are staying patched, but once patches end it’s quite hopeless. If you are an XP user and you have delusions that you’ll somehow be “secure” just because you’ve managed thus far to avoid run-of-the-mill aimed-at-grandpa malware, you are very wrong – upgrade.
What does end of support mean? It doesn’t mean you can call up Microsoft and ask for help with your problems… it means that Microsoft is no longer going to patch your system. So your system that is already insecure will now no longer get the critically necessary patches for the holes constantly found – when attackers find a hole, they get to know that they can keep on breaking systems with that hole and no patch will stop them.
Known holes will grow over time, giving attackers everything they need to take out systems. You can sandbox (useless on XP), or use an AE (anti-executable software – useless anywhere, but especially on XP), or AV (lol), but once an attacker gains any kind of remote code execution your fight is lost. Local security doesn’t exist on XP now, and it certainly won’t in a year.
Now you’re probably looking at your badass XP setup going “Hey, no one’s hacked me yet, I must be doing something right.” You are currently a somewhat slow gazelle in a sea of gazelles with sprained ankles. In a year you’ll all be running through mud, and the lions will take notice.
Rely on obscurity if you want, but anyone who cares about their security will move to Linux or upgrade their systems to another Windows version.
Let’s cover some programs that you might think will save you if you’re unconvinced.
1) NoScript
NoScript blocks malicious content within the browser – so if you don’t whitelist attacker-controlled sites, the attacker needs a very specific set of exploits to get into the system. Is it impossible? No. If they get font parsing vulnerabilities, or if they find a NoScript bypass you’re still screwed. And if you whitelist the website you lose significant security. But NoScript is still worthwhile, probably the most worthwhile item on this list – though it only covers browsers and their plugins.
2) Sandboxes
Chrome has a powerful sandbox, but on XP it’s much weaker compared to other versions. Without patches all an attacker has to do is get remote code execution and pop the kernel to get full system control and bypass all sandboxes. Again, all sandboxes. Think Sandboxie will save you? Comodo’s virtualization? Avast? They won’t – a kernel exploit is all that’s necessary to bypass all of that. So try to come to terms with that, because I know a lot of people like to believe that their sandbox software is unbreakable. XP’s kernel was written pre-SDL, and before many modern mitigation techniques even existed, on top of which it came at a time before (mainstream) researchers had really taken a look at kernel security.
Attackers know how to break kernels now. XP has massive attack surface in its kernel (some people think that XP has lower attack surface because it’s smaller… it doesn’t in a lot of places, like the kernel) and no defense.
3) Anti-Executables
Only useful in very specific systems on other platforms, an AE will be almost entirely useless on XP. Attackers do not need to drop payloads, and even if they did, they could just get privilege escalation before they drop it, unhook the AE software (no, self protection isn’t a thing, stop), and then go ahead and launch their payload. Or like… do any of the other things that make AE less-than-useful.
There are too many ways to bypass AE to list without even talking about how many doors XP opens up.
4) Antivirus
Well, much like AE, all an attacker has to do is get remote execution and then privilege escalation without touching the disk. Once they do that they can kill the AV, or unhook it, or hijack it, or do whatever they like. And then they continue on their merry way.
5) Outbound Firewalls
It should be clear at this point that local security is useless. Especially isolation of applications, because sandboxes are useless, and XP’s attempt at separating users is… not impressive. So an outbound firewall won’t help either – again, with minor changes to an attack, a full bypass is possible. Local privilege escalation, or simply hop to another user, and get outbound access (trivial and attack agnostic).
6) HIPS
HIPS in this case is referring to ‘pop-up’ HIPS that ask you questions that you will never be able to understand. They’ll ask you about calls to other programs, APIs, the kernel, etc – you can’t understand this. I don’t care who you are. There are undocumented API calls all over Windows, and if you think you can handle that, I don’t know what to tell you – seek help? Any HIPS that’s powerful enough to stop an attacker on XP is also a HIPS that is way too annoying and complex.
Note that I’m talking about that specific type of HIPS, as the term Host Intrusion Prevention System has been somewhat bastardized.
7) EMET
One of my favorite programs, EMET won’t be of much help here. While it now includes some anti-ROP mitigation techniques, which would be critical for a system like XP, they are entirely useless when the OS itself doesn’t support ASLR. And do not think that some other product offering ASLR is going to help – it isn’t, that shit is nonsense that barely randomizes a tiny amount of address space, or, other times, it’s a NOP slide.
No ASLR is a massive issue. EMET brings SEHOP to XP, and a few other mitigations that are interesting, but they’re not nearly enough, and they rely largely on a proper ASLR implementation.
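The opt-in mitigations EMET and the loader depend on (ASLR, DEP, SEH handling) are declared per binary in the PE header’s DllCharacteristics field. The checker below is an added example, not code from this post, that reads those bits the way checksec-style audit tools do; the flag constants are from the PE/COFF spec, and build_stub fabricates a minimal header purely so the check can run offline. The caveat the post makes still applies: a DYNAMIC_BASE bit is only honoured by a loader that implements ASLR, which XP’s does not.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE    = 0x0040  # image opts in to ASLR (honoured only on Vista and later)
NX_COMPAT       = 0x0100  # image opts in to DEP
NO_SEH          = 0x0400  # image declares it uses no structured exception handlers
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR, meaningful for PE32+ only


def mitigation_flags(pe: bytes) -> dict:
    """Report which opt-in mitigations a PE image declares in its header.
    Raises ValueError on anything that is not a well-formed PE32/PE32+ header."""
    if len(pe) < 64 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 60)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the 20-byte COFF header
    if len(pe) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchar,) = struct.unpack_from("<H", pe, opt + 70)   # same offset in both formats
    return {
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "dep": bool(dllchar & NX_COMPAT),
        "no_seh": bool(dllchar & NO_SEH),
        "high_entropy_va": magic == 0x20B and bool(dllchar & HIGH_ENTROPY_VA),
    }


def build_stub(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable binary) used only for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x102)  # i386, 96-byte opt hdr
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dllchar)
    return dos + b"PE\0\0" + coff + opt + b"\0" * 24


def audit_file(path: str) -> dict:
    """Run the same header check against a real executable or DLL on disk."""
    with open(path, "rb") as f:
        return mitigation_flags(f.read())
```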
8) Did I miss anything?
Honestly, just assume that whatever it is, it’s broken. A sandbox on Windows 8 is powerful, and the kernel gets patched, and the system can be secure. On previous versions less so, but at least there are patches. On XP, it was never secure, and patches are bandaids to provide disincentive to attackers – without them, it’s easy pickings.
And, again, before you go “b-b-but I tested it against real live malware!” – no – in-the-wild malware is pansy shit aimed at the lowest common denominator. If every kid in the class gets a 0 and you get a 5 you’re not a genius, you’re just not a complete idiot. In-the-wild malware is crafted to target people with only an antivirus installed, with out-of-date software, etc – it is not hard to stay ahead of it. You can generically attack an XP system and bypass *all* of the security software above (except NoScript potentially) without having to target specific setups.
So let’s simply end any and all ‘debate’ about whether you can stay secure on XP. You can stay lucky, you can even keep the system clean just by being different enough, but you can’t stay secure.
If you don’t get that just slap yourself in the face until it sinks in.