Windows Xp Update Hack

Perhaps the most popular story I've written for ZDNet was the one explaining how you can hack the registry in Windows XP and trick Windows Update into continuing to send you security updates. The basis of it is that Microsoft has an embedded variant of Windows XP and support doesn't end on that until April 2016. The hack makes XP look like the embedded version.

Hack the Windows XP registry and continue to receive updates! I’ll admit I was curious, and what better way to satisfy my curiosity than to try it for myself. Off I went to fire up a virtual machine and do a clean install of Windows XP. After installation I immediately went to Microsoft Updates to catch up on what seemed like ten thousand updates.

Sep 28, 2015: I created an XP Home and XP Pro SP3 slipstream that contains all the official updates so I can perform a clean XP Home SP3 or XP Pro SP3 install, with no other updates really required unless you do this registry hack to get others, etc.

I have maintained a Hyper-V VM on a Windows 8.1 system running this configuration and it does indeed continue to get updates. In fact, it gets updates even when Microsoft doesn't list it as getting updates. In November, the marquee vulnerability fixed by Microsoft was the bug in Schannel, their SSL/TLS implementation. The bulletin and knowledge base article list every supported version of Windows, but not the embedded ones. Even so, it did receive the update:

So no problem, right? Keep running Windows XP, right? For reasons that Microsoft and we have explained repeatedly, Windows XP is not really securable by modern standards. It lacks features like ASLR that prevent many vulnerabilities or at least make them more difficult to exploit. Many steps have been taken in later Windows versions to harden the internals of the operating system against attack. XP, embedded or otherwise, has not gotten these improvements and won't be getting them. If you use Internet Explorer, version 8 is the latest you can run on Windows XP, and it's a pretty crummy browser.

Because of these differences, the fact that Microsoft is not supporting it and the availability of new features post-XP for them to use, many software vendors have ended their own support for XP:

Java 8 may well work on Windows XP, but Oracle won't support it. They aren't providing or updating older Java versions either.

Now and then, vulnerabilities come along that aren't fixed in XP, even in the embedded version. Cisco came across one recently in the vulnerability patched by Microsoft in November as MS14-063. This one did not show up in the list of vulnerabilities patched in embedded XP in November.

If you're still trying to get your money's worth out of Windows XP, you may think you're really clever and playing with house money. If you get away with it, good for you. Know that you are taking a big risk, one that is getting bigger every day.

Finally, I should repeat the statement Microsoft gave me when I first wrote about this earlier this year:

We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.

A simple hack of Windows XP tricks Microsoft's update service into delivering patches intended for a close cousin of the aged OS, potentially extending support for some components until 2019, a security researcher confirmed today.

What's unclear is whether those patches actually protect a Windows XP PC against cyber criminals' exploits.

The hack, which has circulated since last week -- first on a German-language discussion forum, then elsewhere as word spread -- fools Microsoft's Windows Update service into believing that the PC is actually running a close relation of XP, called 'Windows Embedded POSReady 2009.'

Unlike Windows XP, which was retired from security support April 8 and no longer receives patches, Embedded POSReady 2009 is due patches until April 9, 2019.

As its name implies, POSReady 2009 is used as the OS for devices such as cash registers -- aka point-of-sale systems -- and ATMs. Because it's based on Windows XP Service Pack 3 (SP3), the last supported version of the 13-year-old OS, its security patches are a superset of those that would have been shipped to XP users if support was still in place. Many of POSReady 2009's patches are similar, if not identical, to those still offered to enterprises and governments that have paid Microsoft for post-retirement XP support.

Jerome Segura, a senior security researcher at Malwarebytes, an anti-malware software vendor, tried out the hack and came away impressed.

'The system is stable, no crashes, no blue screens,' Segura said in an interview, talking about the Windows XP virtual machine whose updates he resurrected with the hack. 'I saw no warnings or error messages when I applied patches for .Net and Internet Explorer 8.'

The Internet Explorer 8 (IE8) update Segura applied appeared to be the same one Microsoft released May 13 for other versions of Windows, including POSReady 2009, but did not deliver to Windows XP.

But although he has run the hacked XP for several days now without any noticeable problems, he wasn't willing to give the trick a passing grade.

'[POSReady 2009] is not Windows XP, so we don't know if its patches fully protect XP customers,' Segura said. 'From an exploit point of view, when those vulnerabilities are exploited in the wild, will this patch protect PCs or will they be infected? That would be the ultimate proof.'

Microsoft, not surprisingly, took a dim view of the hack.

'We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers,' a company spokesperson said in an email. 'The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP.'

That last sentence was puzzling. While Microsoft would almost certainly not test POSReady 2009's patches on a Windows XP system, it would have tested the XP patches it crafted for its post-retirement support clients. And from all the evidence, POSReady 2009 is, at its heart, Windows XP SP3.

'The core of [Embedded POSReady 2009] is pretty much the same as Windows XP,' said Segura.

Microsoft itself makes that plain on its own website. In one document, Microsoft stated that POSReady 2009 offers 'full Win32 compatibility' with Windows applications.

While Microsoft urged XP users to steer clear of the hack and instead ditch the old OS for 'a more modern operating system, like Windows 7 or Windows 8.1' -- Segura pointed out that wasn't always possible, often for financial reasons. 'If someone is going to stick with XP [the hack] is better than doing nothing, better than not having any patches,' Segura said.

'But there are better alternatives,' he continued. 'Don't use IE for one thing. Use an alternate browser -- Chrome and Firefox are going to still support XP -- and there are security products, including our anti-exploit products, that still run on XP. Those would be much better than the hack.'

The POSReady 2009 hack wasn't the first end-around Windows XP users have found for patching their PCs. In August 2010, after Microsoft required customers to upgrade from XP SP2 to SP3 to continue to receive security updates, a security adviser with antivirus vendor F-Secure revealed a Windows registry hack that tricked Windows Update into 'seeing' an XP SP2 PC as an XP SP3 system.

Segura was curious how Microsoft would deal with the hack. 'It's so easy to get the patches,' he said. 'Did Microsoft miss something? Will they do additional validation [to block the hack]? Can they?'

Instructions on how to apply the hack can be found on the Web, including this piece by Martin Brinkmann on his Ghacks blog last Saturday.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.