A Somewhat Flawed Microsoft “Zero Day” Warning

October 14, 2014

ZDNet August 16, 2013: Microsoft warns Windows XP users risk 'zero day forever'

Microsoft has been beating increasingly louder the XP end-of-support drum. Earlier this summer, Microsoft gave its reseller partners marching orders to step up their warnings about the end of support for Windows XP on April 8, 2014. This week, Microsoft echoed that warning, adding a new twist, via an August 15 post on the Microsoft Security Blog.
…
Because a security update will never become available for XP after April 8, "Windows XP will essentially have a 'zero day' vulnerability forever," [Tim Rains, Microsoft's Director of Trustworthy Computing] said.

WaPo October 14, 2014: Russian hackers use ‘zero-day’ to hack NATO, Ukraine in cyber-spy campaign

A Russian hacking group probably working for the government has been exploiting a previously unknown flaw in Microsoft’s Windows operating system to spy on NATO, the Ukrainian government, a U.S. university researcher and other national security targets, according to a new report.
…
The firm began monitoring the hackers’ activity in late 2013 and discovered the vulnerability — known as a “zero-day” — in August, [iSight Senior Director Stephen Ward] said. The flaw is present in every Windows operating system from Vista to 8.1, he said, except Windows XP.

This post was written and edited on a laptop running Windows XP SP3 🙂

Posted by b on October 14, 2014 at 07:26 UTC | Permalink

Comments

Question : Why did IBM, the maker of the world’s biggest computers, the inventor of the ‘virtual machine’, turn to Bill Gates and his buggy, horseshit operating system for it’s PCs?
Answer : Because the NSA told them to. Gates – now Microsoft – has been working with the NSA since the PC’s ‘zero day’. Microsoft is the orignal and continuing ‘zero day exploit’. Purpose built to be so.

Posted by: jfl | Oct 14 2014 8:05 utc | 1

b, I’m proud of you for keeping some old machine running this long. That’s yeoman’s work.
@jfl, you have a seriously flawed understanding of how windows came about.

Posted by: Crest | Oct 14 2014 8:12 utc | 2

For someone somewhat beyond their three score and ten use by date, can someone please translate the post into something an antediluvian might comprehend? Zero-day wha’? 😉

Posted by: Formerly T-Bear | Oct 14 2014 8:20 utc | 3

@Formerly T-Bear #3:
Wikipedia: Zero-day virus

A zero-day virus (also known as zero-day malware or next-generation malware) is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available.

Of course, Windows itself is the most harmful computer virus that was ever created by man. I would never run Windows on an actual PC, as opposed to in a virtual machine. I run Windows XP SP3 inside VirtualBox on a Unix box.

Posted by: Demian | Oct 14 2014 8:41 utc | 4

Actually, I guess this is what was meant. Sorry.
Zero-day attack

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. It is called a “zero-day” because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a “zero-day exploit”.

Posted by: Demian | Oct 14 2014 9:02 utc | 5

I’m still running XP pro on my desk top and my laptop. The only thing I don’t like is the constant warning popping up:
You’re using a version of Windows no longer supported, upgrade your browser
Demian, I’ve thought about going to Linux, but I absoluting agree, Windows itself is the most harmful computer virus that was ever created by man. I hate Gates with a passion.

Posted by: okie farmer | Oct 14 2014 11:44 utc | 6

@ Demian #’s 4 and 5, 14 Oct 2014
Thanks, I think I understand all that. I once tried computer programming but that was when the memory was made of ferrite rings strung on wires, none of this modern stuff. I had not paid particular attention since. Thanks again.

Posted by: Formerly T-Bear | Oct 14 2014 11:57 utc | 7

So why do I get those damned “updates” whenever I shut down my XP Pro?
But I don’t get warnings.

Posted by: Don Bacon | Oct 14 2014 13:28 utc | 8

So what exactly is this post implying
– Windows XP SP3 is as secure as Windows 7 / 8 / 8.1?
– Every Windows OS is unsafe?
For general usage the newer versions of Windows are more secure. If you are being specifically targeted then housing your computer in a SCIF and permanently disconnecting from the Internet is your best bet.
Some simple steps you can take are to…
-get a router that is supported by Tomato (crowd sourced firmware) and flash that over the original BIOS (only try this if you know what you’re doing, you can wreck your router)
– use peer-block and possibly some additional firewall software
-run no-script and Adblock on your browser.
-get the Electronic Frontier Foundation’s Firefox plugin : HTTPS everywhere which basically uses encryption on every webpage that supports it.

Posted by: WG | Oct 14 2014 14:45 utc | 9

As far as I knew, Microsoft stopped supporting XP years ago. No updates have been available for ages. But some us can’t afford their planned obsolescence program–buying piggier operating system, all new hardware and all new software. In fact, XP works just fine.
As far as the Microsoft/NSA alliance, I just assumed it was part of Microsoft’s anti-trust settlement, back in November, 2001. Microsoft got off easy. In the settlement, I assumed that Microsoft got to monopolize the OS market and NSA got access to everybody’s computers. Call me a conspiracy theorist.

Posted by: JohnH | Oct 14 2014 14:51 utc | 10

The two computers I use for audio and video capture are running Windows 2000 Professional SP4. This is particularly good for firewire video capture, because when I’m running the small DVIO utility, there’s absolutely nothing else running in the background that can interfere with the process.
I’m tired of western journalism’s broad assumption that every Russian hacker group must be working for the state, as if there can’t possibly be anyone motivated to act on their own, for any of a whole range of reasons.

Posted by: Jon Lester | Oct 14 2014 15:31 utc | 11

@9
I use DD-WRT for my relay routers from my house to my shop. Works great for me. I don’t have any experience with Tomato, though, so I don’t know if there’s any advantage of one over the other.

Posted by: Jon Lester | Oct 14 2014 15:34 utc | 12

@11 jon – the “working for the state” idea is funny considering how microsoft/google and etc are “working for the state”… just stick with the basic propaganda and never question any of it. i think that is what they are hoping for.

Posted by: james | Oct 14 2014 16:05 utc | 13

@jfl #1
Is your assertion a known fact, or just speculation?
My understanding is that Bill Gates was simply the one who was most quickly able to provide a sufficiently capable copy a proprietary operating system which IBM didn’t want to pay full price for – and he did it by buying it from a startup which didn’t have the same information.
Equally to say Microsoft is somehow more closely tied with the government than IBM – really? IBM has been providing systems and expertise to the Defense Department, CIA, and other agencies/departments for literally decades.

Posted by: c1ue | Oct 14 2014 16:28 utc | 14

Whaaaat? First of all, these hackers are targeting high profile dudes. Not us. Secondly, the cyber “security” industry depends on these kind of threats to pimp their wares, right? So its really in their interest to have just enough threats floating about in cyberspace to keep the industry alive… Just sayin… Use Linux. Or Free BSD… Or anything else that is open source and has so many variants that creating a virus becomes pointlesss…

Posted by: Dan | Oct 14 2014 17:01 utc | 15

A question to Damian or others, once you put XP in the virtual box of your linux machine, what is the latest Office/Word version you can run? (knowing you have only 4 Go RAM) ?

Posted by: Mina | Oct 14 2014 17:24 utc | 16

@mina
Word/Office are both MS… Use Open Office, its free and open…

Posted by: Dan | Oct 14 2014 18:51 utc | 17

@mina #16:
(1) What Dan said; (2) I run Unix, not Linux: Linux is a Unix clone; (3) I have 6 GB RAM. (I got more RAM specifically so I could run VMs.) Microsoft says Office 2013 requires 2GB RAM, and I can run VMs with that much RAM allocated to them. So I could run Office if I wanted to.
The idea of running Windows on anything other than a VM gives me a very icky feeling.

Posted by: Demian | Oct 14 2014 19:12 utc | 18

“For general usage the newer versions of Windows are more secure. If you are being specifically targeted then housing your computer in a SCIF and permanently disconnecting from the Internet is your best bet.”
Er,,,,no, not really. With the amount of DRM running from Vista on this is a very paranoid
and inefficient OS. The OS does not trust YOU…and wastes vast amount of CPU horsepower
polling your hardware because it thinks you are a thief. NSA involvement in backdooring
Microsoft is a historical matter and not open to debate. If you are running a Microsoft
product you must just assume you get backdoors with your OS. Typing this on
a Dell Laptop running LinuxMint 17 64bit

Posted by: SNNN | Oct 14 2014 20:14 utc | 19

@11
I’m using Tomato as a catch all for the various builds/mods based off of it. Check out a feature comparison chart on its wiki page. One of the mods latest build is only 4 days old and has decent feature support.
Might be worth looking into if your current routers getting old and you want capability for some of the newer wifi standards.
http://en.m.wikipedia.org/wiki/Tomato_(firmware)

Posted by: WG | Oct 14 2014 22:22 utc | 20

@19
Obviously running Linux is more secure. It’s all a question between trading off convenience and usability vs. Security. While the various distros have made great strides towards making Linux easier to use, for the average person Linux simply isn’t a good choice.

Posted by: WG | Oct 14 2014 22:29 utc | 21

@SNNN #19:
Interesting. Yes, the new Windows versions are worse, because they treat the user as the enemy. Not that I much experience with Windows: I went from a Mac to OS/2 to Linux to a commercial Unix and an open source fork thereof. On my Thinkpad, I run Arch.
@WG #21:
That is an eternal question. I’m not up on the latest Gnome version etc., but I don’t think Linux is significantly harder to use than Windows. A common observation is that Linux’s main drawbacks are that there are many more apps for professionals that run on Windows than run on Linux, which is also true of games.
In any case, I recently ran across a comment by a blogger suggesting that non-Western countries will gradually get off Windows. That is all part of America’s falling relevance.

Posted by: Demian | Oct 14 2014 23:02 utc | 22

Sorry but the motto “use libreoffice it is free and it works” should always be joined to a “learn english or die” addition
Have you ever tried on ooo or libreoffice to type in different languages? use accents or phonetic characters (from the unicode chart) and make shortcuts because you need to type them often? to paste a snapshot from a pdf in your document? to make tables and footnotes involving different languages including right-to-left script (like Arabic).
Well… try and then call me back. I start to LOVE office and windows, literally, now that I have installed ubuntu on a machine. The only plus is that windows programmes run faster even through the virtual machine. But that’s why I ask about the proper version of office. I’ll try with 2007 (which fixed some problems with arabic in 2003)
And for the backdoors, I really don’t care. You perfectly know that as well as you are a regular at MoA your IP and everything that comes with it is fully registered. I even tend to think that my puter is regularly fully scanned (difficulty turning it off or realizing there is a second hidden connection behind the one i have just turned off, the best being to vote directly “2” in the “likes and dislikes” sections). But unless you are American or Chinese, this usually makes no problem for your career and/or friends and family.
So my question is, should XP in the virtual box manage to run office 2007 smoothly (mainly word)?

Posted by: Mina | Oct 15 2014 6:40 utc | 23

‘probably working for the [russian] government’?

Posted by: brian | Oct 15 2014 10:10 utc | 24

@ 1 and 14
From Wikipedia:
(Mary Maxwell) Gates (Bill Gates’ mother) was appointed to the board of directors of the national United Way in 1980, becoming the first woman to lead it in 1983. Her tenure on the national board’s executive committee is believed to have helped Microsoft, based in Seattle, at a crucial time. In 1980, she discussed with John Opel, a fellow committee member who was the chairman of the International Business Machines Corporation, her son’s company. Mr. Opel, by some accounts, mentioned Mrs. Gates to other I.B.M. executives.

Posted by: Ken Nari | Oct 15 2014 14:12 utc | 25

1. On Computer security: If you’re targeted, they’re in. Period.
2. On running particular software on XP in a virtual environment: Try it.
3. On the security of XP in a virtual environment: You’re just as secure as your virtual machine software. If it can be hacked you’ve gained nothing. See Number 1.
4. On the safety of Linux etc. If you’re targeted, they’re in. Linux just protects you against the garden-variety malware designed for Windows.
5. Read Schneier on Security blog.

Posted by: dumbo | Oct 15 2014 16:08 utc | 26

@Mina #23:
It’s been years since I’ve installed M$ Word on anything, but I do use Adobe Acrobat, and it works fine. From discussions I’ve had with geeks on various forums, I get the impression that the only Windows software that does not work well in a VM is games. I recall one guy saying that some professional specialty software of his doesn’t work well in a VM either. But nobody ever mentions any problems with using Word in a VM.

Posted by: Demian | Oct 16 2014 23:15 utc | 27

Back to Main