Windows XP – Abandon Ship

Windows XP is officially one year from being an unsupported OS. It’s already an insecure operating system even if you are staying patched, but once patches end it’s quite hopeless. If you are an XP user and you have delusions that you’ll somehow be “secure” just because you’ve managed thus far to avoid run-of-the-mill aimed-at-grandpa malware, you are very wrong – upgrade.

What does end of support mean? It doesn’t mean you can call up Microsoft and ask for help with your problems… it means that Microsoft is no longer going to patch your system. So your system that is already insecure will now no longer get the critically necessary patches for the holes constantly found – when attackers find a hole, they get to know that they can keep on breaking systems with that hole and no patch will stop them.

Known holes will grow over time, giving attackers everything they need to take out systems. You can sandbox (useless on XP), or use AE (useless anywhere, but especially on XP), or AV (lol), but once an attacker gains any kind of remote code execution your fight is lost. Local security doesn’t exist on XP now, and it certainly won’t in a year.

Now you’re probably looking at your badass XP setup going “Hey, no one’s hacked me yet, I must be doing something right.” You are currently a somewhat slow gazelle in a sea of gazelles with sprained ankles. In a year you’ll all be running through mud, and the lions will take notice.

Rely on obscurity if you want, but anyone who cares about their security will move to Linux or upgrade their systems to another Windows version.

Let’s cover some programs that you might think will save you if you’re unconvinced.

1) NoScript.

NoScript blocks malicious content within the browser – so if you don’t whitelist attacker-controlled sites, the attacker needs a very specific set of exploits to get into the system. Is it impossible? No. If they get font parsing vulnerabilities, or if they find a NoScript bypass you’re still screwed. And if you whitelist the website you lose significant security. But NoScript is still worthwhile, probably the most worthwhile item on this list – though it only covers browsers and their plugins.

 

2) Chrome

Chrome has a powerful sandbox, but on XP it’s much weaker compared to other versions. Without patches all an attacker has to do is get remote code execution and pop the kernel to get full system control and bypass all sandboxes. Again, all sandboxes. Think Sandboxie will save you? Comodo’s virtualization? Avast? They won’t – a kernel exploit is all that’s necessary to bypass all of that. So try to come to terms with that, because I know a lot of people like to believe that their sandbox software is unbreakable. XP’s kernel was written pre-SDL, and before many modern mitigation techniques even existed, on top of which it came at a time before (mainstream) researchers had really taken a look at kernel security.

Attackers know how to break kernels now. XP has massive attack surface in its kernel (some people think that XP has lower attack surface because it’s smaller… it doesn’t in a lot of places, like the kernel) and no defense.

3) AntiExecutable

Only useful in very specific systems on other platforms, an AE will be almost entirely useless on XP. Attackers do not need to drop payloads, and even if they did, they could just get privilege escalation before they drop it, unhook the AE software (no, self protection isn’t a thing, stop), and then go ahead and launch their payload. Or like… do any of the other things that make AE less-than-useful. 

There are too many ways to bypass AE to list without even talking about how many doors XP opens up.

4) AntiVirus

Well, much like AE, all an attacker has to do is get remote execution and then privilege escalation without touching the disk. Once they do that they can kill the AV, or unhook it, or hijack it, or do whatever they like. And then they continue on their merry way.

 

5) Outbound Firewalls

It should be clear at this point that local security is useless. Especially isolation of applications, because sandboxes are useless, and XP’s attempt at separating users is… not impressive. So an outbound firewall wont’ help either – again, with minor changes to an attack, a full bypass is possible. Local privilege escalation, or simply hop to another user, and get outbound access (trivial and attack agnostic).

 

6) HIPS

HIPS in this case is referring to ‘pop-up’ HIPS that ask you questions that you will never be able to understand. They’ll ask you about calls to other programs, APIs, the kernel, etc – you can’t understand this. I don’t care who you are. There are undocumented API calls all over Windows, and if you think you can handle that, I don’t know what to tell you – seek help? Any HIPS that’s powerful enough to stop an attacker on XP is also a HIPS that is way too annoying and complex.

Note that I’m talking about that specific tips of HIPS, as the term Host Intrusion Prevention System has been somewhat bastardized.

7) EMET

One of my favorite programs, EMET won’t be of much help here. While it now includes some Anti-ROP mitigation techniques, critical for a system like XP, when the entire OS doesn’t support ASLR it’s entirely useless. And do not think that some other product offering ASLR is going to help – it isn’t, that shit is nonsense that barely randomizes a tiny amount of address space, or, other times, it’s a NOP slide.

No ASLR is a massive issue. EMET brings SEHOP to XP, and a few other mitigations that are interesting, but they’re not nearly enough, and they rely largely on a proper ASLR implementation.

8) Did I miss anything?

Honestly, just assume that whatever it is, it’s broken. A sandbox on Windows 8 is powerful, and the kernel gets patched, and the system can be secure. On previous versions less so, but at least there are patches. On XP, it was never secure, and patches are bandaids  to provide disincentive to attackers – without them, it’s easy pickings.

And, again, before you go “b-b-but I tested it against real live malware!” – no – in the wild malware is pansy shit aimed at the lowest denominator. If every kid in the class gets a 0 and you get a 5 you’re not a genius, you’re just not a complete idiot. In the wild malware is crafted to target people with only an antivirus installed, with out of date software, etc – it is not hard to stay ahead of it. You can generically attack an XP system and bypass *all* of the security software above (except NoScript potentially) without having to target specific setups.

So let’s simply end any and all ‘debate’ about whether you can stay secure on XP. You can stay lucky, you can even keep the system clean just by being different enough, but you can’t stay secure.

If you don’t get that just slap yourself in the face until it sinks in.

7 thoughts on “Windows XP – Abandon Ship

  1. Pretty excellent summary there. One thing though:

    … in the wild malware is pansy shit aimed at the lowest denominator.

    This is very true IMO, and what almost every halfway-working example of security software relies on. My question is, how likely is it that this will ever change? Most software, including most malware, is buggy rubbish. And the mechanisms of typical malware infection haven’t changed much over the years.

    Sure, relying on that is not real security, and is stupid and harmful in the long run. It would be better if we actually built secure desktop OSes. OTOH, how likely is it that Joe Enduser will ever encounter a skilled blackhat on a vendetta against him?

    tl;dr I agree with you, this is not smart. The problem is it still works for end users, and will probably work for a while, even if it isn’t security by any sane definition.

    • Hey, sorry for taking so long to reply. Apparently I don’t get shown comments from people who have already commented. Lame.

      Anyways, in the last year alone we’ve seen new malware and it’s affecting *regular users*. Run of the mill John and Jane are being subjected to very advanced malware released by governments. Are they the intended targets? No, but they’re being used as a means to attack other systems.

      I’ll be doing a post soon about exactly the question you raised. It’s been a draft for too long.

  2. Not to mention that XP is ridiculously slow by comparison.

    Did I mention that XP was slow?

    Well, XP is slow. It’s almost IE6 all over again.

    Beyond that, great article, and I’ve got to agree with GJones’ post. Only unplugging from the web altogether will help you at this point. And even then…

    • Yeah, lacking modern features definitely slows XP down. You can strip 7 down to be nearly the same size install, but you’ll end up still getting modern NTFS, drivers, and features like Superfetch.

    • It’s “slow” compared to Windows 7 on newer computers because it’s poorly optimized for high end hardware. Newer versions of Windows cache stuff in RAM much more aggressively, and have compile time optimizations for newer CPUs. Thus they perform better on new machines with lots of RAM, and much worse on old ones.

      Also, have you ever used XP on a laptop with < 512 MB of RAM? Because that is invariably a painful experience. (And such laptops usually run Linux quite well, if you turn of the desktop compositing rubbish).

  3. Pingback: Windows XP Support Has Ended - InsanityBit

Leave a Reply

Your email address will not be published. Required fields are marked *