Microsoft Patches ‘Wormable’ Flaw in Windows XP, 7 and Windows 2003 (krebsonsecurity.com)
151 points by akeck 9 days ago | 79 comments

It's especially unfortunate since KB4474419, the SHA-2 update for Windows 7, de facto disabled updates for quite a few people with dual-boot or encrypted system partitions in mid March.

>encrypted system partitions

Does this include bitlocker? Or is this an issue with third party boot loaders so bitlocker is fine but truecrypt is not?

Disables updates? How?

The update fails and gets automatically reverted. I don't think you can get the monthly security updates without it, at least that was the case with the April rollout. Since it's not immediately clear why the update fails, you can even now find quite a few people looking for help to diagnose the error online.


Here's some context.


It's an easy fix for dual-boot if you can just replace grub with the MBR again, but people with disk encryption are rather screwed it seems.

Not even a wormable flaw could convince them to patch Vista, apparently (assuming it's not somehow magically invulnerable when the versions before and after it weren't).

"Users of Windows Vista can download the updates (Monthly Rollup or Security Online) of Windows Server 2008 from the Update Catalog and install them manually." https://borncity.com/win/2019/05/15/critical-update-for-wind...

But this is definitely confusing. MS explicitly offers patches for Win 7, Server 2008, Server 2003, and XP, but there's no "Vista" link visible.

https://portal.msrc.microsoft.com/en-US/security-guidance/ad... https://support.microsoft.com/en-us/help/4500705/customer-gu...

It makes sense not to mention Vista in a headline considering the very low usage rates.

If anyone should not expect security update news via popular news outlets it's Windows Vista users. There are plenty of niche channels for niche product releases.

On a side note, I think that Vista wasn't necessarily unpopular, it just had a good upgrade path/incentive for users (unlike XP to Vista).

My perception for a long time has been that Vista, from a technical perspective, was leaps and bounds above XP, but the end user experience was sometimes lacking; 7 didn't provide drastic technical improvements so much as offering a much-polished Vista.

Windows 7 should have been called Vista SP7. That is what I called 7's hasty premier after Vista's lackluster debut.

It was one of the least popular versions of Windows, no? Certainly its market share never exceeded XP's.

I think Vista was the least popular as you say, but I think that was because the upgrade path/incentive wasn't there.

The upgrade from XP to Vista meant a lot of software stopped working, especially from a driver perspective. If you're using some niche software that "just works (tm)", why change? Especially if it costs a lot of money to upgrade or your system isn't networked. The UK tried to upgrade its XP-running backbone years ago, failed - and still got billed £10+ billion.

No, it was quite unpopular, period. See: https://xkcd.com/528/

There was the popular perception at the time that every other version of Windows was good, while the in-betweens sucked. Vista followed that expectation perfectly, as did Windows 8.

> No, it was quite unpopular, period. See: https://xkcd.com/528/

I've always read this comic as making fun of people for having unjustifiably low opinions of Vista.

Not surprised the 2008 patch is intended to work on Vista, I was more bemused that they had an otherwise exhaustive list of versions and how to patch them, and just...left it off, not only in the headlines, but in a number of the enumerations.

From netmarketshare.com:

- XP market share: 3.57%

- Vista market share: 0.23%

- Mac OS 10.10 market share: 0.51%

(10.10 went out of support the same year as Vista)

Maybe the market share of Vista is so small, that Microsoft doesn't bother releasing a patch for it. There's no patch for Windows 8, either.

8 and 10 aren't vulnerable, according to their writeup about it.

As someone commented above, there's a footnote about how Vista users can use the Server 2008 patch, I was more amused that in an apparently-complete enumeration of versions in a table, they just...left it off.

RDP is not on by default, so I don't see how that's a big deal.

Wow! Good for Microsoft. You don’t see Apple releasing patches for 15+ year old operating systems.

Apple makes all their OS releases free to their users, so there's much lower numbers of 15+ year old Apple OS's existing in the wild to begin with. If you'd said you don't see Apple releasing patches for 15+ year old computers, I'd be more inclined to agree.

Heh, because Apple prefers to arbitrarily leave out support for their older systems on newer OS releases.

There are XP patches. I wonder if that CVE page is autogenerated and doesn't include out-of-support operating systems.


I don't understand why they would do this. If I was a microsoft manager I would be glad something like this happened because it would force people off of old OSs without having the bad rep of doing it through nag popups.

Now everyone on XP will feel safe because its still getting updates.

At this stage, anyone still using XP is doing so because they have no other choice: either it's intrinsically tied to low-end hardware, or to some piece of critical software, and it's too expensive or time-consuming to replace. Often this includes "embedded" PCs in scientific equipment and the like.

We said this about IE6, but once major sites started dropping support, usage dropped to almost nothing fairly quickly.

Or they don't know or care. "It runs my spreadsheet fine."

Microsoft's rather friendly attitude to backwards compatibility & long-term support is IMO one of their strongest competitive advantages for Windows and Office. Not following this philosophy for their mobile platforms has also led to their downfall there.

In the real world, there are understaffed IT departments, insufficient budgets, time-consuming logistics, and complex systems which are not easily upgraded. Microsoft's options here are either "to hell with it, not my problem, just let the world burn" or taking responsibility and fixing problems which will affect people.

In addition to those reasons generally a computer system is a business tool. If a machine is doing what a company needs then why spend valuable time and money upgrading it to something else that will do exactly the same job.

I do appreciate the problem of security patches, but XP is pretty rock solid as a platform so for many businesses their tool does what they need.

Budgets will find room for an update when an out of date OS starts causing damage to the business.

Patching an ancient OS is enabling the delay of updates with the excuse "What's the point, it still works".

There are reasons there is no budget. A budget doesn't magically appear. Take health care, education, or police services for example. Do you really want to take away resources from providing the stuff that's actually needed just for some artificial easily preventable crisis?

The entire situation is ridiculous really. So what that XP is "ancient"? For many purposes it works just fine. The only reason this situation exists is because people can't fix their own computers. The entire thing is a massive waste of resources.

Those areas are so important that it makes even more sense to get things upgraded. I don't want my health info running on a networked windows xp machine.

Just because a computer is involved in health care doesn't mean it has access to your "health info".

And look, of course it would be better if they upgraded. But "facts on the ground" can make it hard. It's easy to comment on HN, but not everyone involved is a complete idiot. I suspect that it's probably one of those 90/10% things: 90% has already been upgraded years ago, but getting the last 10% upgraded to something newer is 90% of the effort.

It is possible to isolate those legacy systems with additional rules in network equipment. Then those systems can operate until they physically break down with no possibility of repair. In my opinion, getting rid of an MRI just because it happens to be running on Windows XP is inconceivable.

Is it really Microsoft's responsibility to keep patching XP forever?

Hot take: but yes, it is. They sold the software and they are preventing anyone else from patching XP. I think that by doing so they have responsibility. If they don't want it then that's okay: just allow other people to patch XP.

The situation where I'm not able (or even legally allowed!) to patch my own computer system is pretty ridiculous. I'm not massively in to "Free Software" or the "four essential freedoms", but I do think people should have the freedom to fix software they bought ("right to repair").

I know how it works, I don't "buy" Windows, I buy a license to allow using it. I think it is legal shenanigans and doesn't (or rather, shouldn't) really matter.

The entire thing is just a colossal waste of resources. Many organisations would be perfectly happy with XP, because a basic stable OS without too much fancy stuff is all they need, and XP offers that. It's not an "upgrade", it's just "replacing a working system with another working system".

It may not be their responsibility, so to speak, but if they choose to do it to help maintain their “we’re the best solution for enterprise customers, look we still release security patches years after EOL, that’s how much we care about reliability, blah blah blah” stance, who’s to say they shouldn’t do it?

By law, I suppose not. Morally, it depends on whom you ask.

If it were open source, other people could pick it up (gratis or for a fee). Right now, nobody can (except for Microsoft), because it is proprietary software. Microsoft brought it upon themselves to release the software as such.

If they want to stop being responsible they can release the source code so others can write patches.

The lack of budget is easily fixed when mature financial planning (which is completely normal for non-IT resources) and internalization of externalities is applied by requiring a working and budgeted lifecycle for every newly established IT system.

Forced internalization of externalities and transparency of risk (by vendors establishing both a firm lifecycle and a patching regime) provide the right incentives to make that happen.

In other words, the world of networked devices is a world of constant change. It must rid itself of those not fit for that change. People can run XP until the sun burns out, they just can't connect it to anything that's not theirs.

I've worked at a company where the build server was full of viruses, because devs kept spinning up unpatched XP VMs, which would inevitably get Conficker, and whatever other shit was hanging around on our intranet.

Nobody gave a shit about it. And this wasn't some crazy seat-of-the-pants startup. It was a mature software company, employing >40 engineers (in that division alone), that had been building and selling software for many, many years.

I have had a VM server like that. About a dozen Windows images, each launched from a known good snapshot for the test suite to run. Afterwards the VM is killed and reverted back to the snapshot. Viruses? Couldn't care less. The whole lifecycle of the VM was like 40 minutes.

40 minutes of an unpatched computer on that network was 35 minutes too long.

We'd also develop inside VMs. That is, we'd install Visual Studio, our product, Seapine source control...

What you create today creates a liability for tomorrow. Maybe they wouldn’t have to do this if Windows 7/10 were free updates with a smooth upgrade experience?

> "Whats the point, it still works"

And you're claiming that it working is not a legitimate reason to keep using it?

Many institutions and hospitals still use XP. And they pay Microsoft a lot to support it.

Do they really still pay for XP? I thought it went completely EOL some years ago.

Yep, NHS for example.

We had extended support for a couple of years but now it's dead dead deadski.

Like any other large industrial org, there's some bits of million-pound kit with integrated, essential XP. Likewise old essential software where the support has literally retired, running on 2003. We've got roadmaps for replacing it, but they're not instant.

We manage it as best we can. But broadly we're just about to go to 10 on desktops, so we're not as bad as the police!

Glad to hear it. When I worked for a NHS software vendor a couple years ago there were still XP workstations about. I guess it probably varies by the trust as well.

NHS Employee here, not seen XP on a NHS machine in a very long time - including in hospital environments.

It's Windows 7 now, I'm now seeing some staff get Windows 10 machines deployed to them.

Those still using XP should have networking and USB features disabled.

I would not be shocked if Windows XP had fewer vulnerabilities than Windows 10. Also, who cares? How would your behavior change if you learned one was more or less vulnerable than the other?

If I was managing systems that were EOL many years ago and an active risk of being exploited my behavior change would be either to update them or disconnect them from the outside world.

What if you managed a non-EOL OS, like Windows 10, but you had inside information that there were multiple active ongoing exploits? You might say you would disconnect them from the internet. But I think it comes down to blame. No one would blame you if Win10 computers were connected to the internet and were exploited. But people _would_ blame you if they were XP. I think this pretty much explains how people think about these choices.
