How is Windows XP a security risk?

Topic

New Reply

How is Windows XP a security risk with my set up?

I am using Windows XP online and I am not having any issues. I am wondering if I am missing something.

I have antivirus running. I have firewall turn on both on XP and my router. All my ports are off, which I check every few months. I visit the same sites (IE news sites, tech sites, etc)

I do not install any programs unless I know what they are. I do not install the pop ups ads since I have adblocker turn on( even those that use to show up on askwoody before Woody turn them off since they had viruses). I have noscript turn on. I have host file with thousands and thousands of sites marked as bad and update the list every 4 months or so.

From my view, there risk of me is almost 0.00001% of using Windows XP online.

Thanks for any info that someone can provide that shows that Windows XP is not safe to be online.

Please let me know how my setup could be consider a risk from hackers or a security point.

Reply | Quote

Replies

Reinstalling XP is a pain in the rear.

I’m surprised you have a working browser on that XP, as many no longer work or if they do, they throw off errors on many web sites and are not functional.

You can’t buy new hardware that will run it well, so if it dies, you’ll be buying parts off of ebay.

Are you familiar with metasploit? Hack Like a Pro: How to Exploit and Gain Remote Access to PCs Running Windows XP « Null Byte :: WonderHowTo there are several xp modules that can gain access to that XP operating system.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

No need to reinstall. Have a clone drive than can easily restore.

User agent switch is your friend. Most websites will work by switching agent. You can tell it that you are on Windows 10 and site will work fine mostly. Otherwise, use a mobile browser for it to work. Most website hard code to block using using older browsers. There are very few new feature that are in new browsers that are missing in the old browsers.

I have 2 Windows XP towers ready to go. If my main XP fails, I have 2 spare and 1 partial that failed about 5 years ago to use as parts. I always buy in bulk once I find a system that I like.

Nope. But reading it over, the hacker needs to know my IP address and have no firewall run. I have both XP firewall running and Router firewall running. Router is set up to bock all incoming connection. This exploit will not work. Unless did I miss something in my quick read over the article??? Also I turn off my router and Windows XP after I am done. I am using it most may be 3-4 hours per a day max.

Reply | Quote

That’s just one of many.  Metasploit has many modules to go after XP. You are still using an insecure browser and I’m assuming that your antivirus no longer gets def files updated on a regular basis?  Do you review your outbound Internet traffic to review if there is any unusual traffic from your machine?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

No popular browsers compatible with XP are patched, so many exploits exist (all the published ones after the end of support for your browser) which could infect your computer if you went to a bad website and your antivirus did not catch it.  Almost all antivirus ended XP support, so to help other users you could mention which antivirus you use.

But, based on your use of noscript and hosts files, perhaps your personal computer use is not a big risk.  The problem is that viruses, like human viruses, prefer to spread when there are more infectible hosts.  If your promotion of using XP convinced a user who was not as protected or as skilled to keep using it, then the viruses they get harm everyone by the emails they send and the DDOS attacks their computer performs.

Instead of thinking about security, there are other benefits you could get by not using XP.  One is website compatibility.  Many websites will not work right on the browsers that XP supports.  Another is better support for SSDs – installing an SSD on an XP computer will not have proper TRIM support so eventually your data could be lost.

Reply | Quote

Energy Saver wrote:

if you went to a bad website and your antivirus did not catch it.

I only go to about 20 sites that I have gone for over 20 years now. I rarely got to other sites. I just when to the new one the Susan post but I was sure that would be fine. I had noscript turn on. I cleared and close the browser after that just in case. I am going to shut down my router soon just in case the website record my IP address. This way will get a new IP address soon.

Reply | Quote

You probably won’t get a new IP address even with turning off the router.

“but I was sure that would be fine.”  I wouldn’t be that sure.

What are those twenty sites? Just because you go to the same sites doesn’t mean that they keep being secure 100% of the time.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

Do you review your outbound Internet traffic to review if there is any unusual traffic from your machine?

Sometimes. i look at them. Nothing strange that I noticed.

I do get a new IP address every time I turn off my router.

Susan Bradley wrote:

What are those twenty sites? Just because you go to the same sites doesn’t mean that they keep being secure 100% of the time.

1. askwoody.com
2. computerworld.com
3. pcworld.com
4. extremetech.com
5. zdnet.com
6. google.com
7. yahoo.com
8. ign.com
9. blizzard.com
10. techhive.com
11. pcmag.com
12. craigslist.org (look for free items there around the neighboorhood. DO NOT RESPOND TO and ads.)
13. abc.com
14. cbs.com
15. mashable.com
16. amazon.com (compare if price are cheaper than the instore or try to get store to match.never buy there since most products i got from it turn out to be fake or counterfit in the past)
17. gamespot.com
18. microcenter.com
19. newegg.com (same just check prices)
20. bestbuy.com

Susan Bradley wrote:

but I was sure that would be fine.” I wouldn’t be that sure.

Your say that site you gave is not save. I figure you would not post unsafe site. I am going to turn off computer and router now to get an new IP address. See you in about 5 hours if I have time today to come back or tomorrow if I have time.

https://null-byte.wonderhowto.com/how-to/hack-like-pro-exploit-and-gain-remote-access-pcs-running-windows-xp-0134709/

 

Reply | Quote

And you know what’s at that link by not going to that site (it’s not on the list of 20)?

Reply | Quote

I don’t run banner ads at all.  I have literally seen malicious content on all of these sites, some of which went after activeX which is/was still in XP and is not in the modern systems.

1. zdnet.com
2. google.com
3. yahoo.com
4. ign.com
5. blizzard.com
6. techhive.com
7. pcmag.com
8. craigslist.org

You forgot one more, what about email?  As there is malicious content in email all the time.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Energy Saver wrote:

Instead of thinking about security, there are other benefits you could get by not using XP. One is website compatibility.

No benefits I see. Windows 10 and 11 have too much spy-telemerty for my like. I would have to relearn new things and new ways to protect my self from MS spying eyes.

This was just a glance review of my setup to see if there is a something I am missing. But at the moment, it seems my setup of XP should be fine.

Reply | Quote

https://www.askwoody.com/forums/topic/xp-offline-activation-tool-xp_activate32-exe/#post-2562390

..A word of caution and restraint. Please don’t take this article as a recommendation to run Windows XP. It wasn’t the most secure of operating systems back in 2001, and you really should not be running it in 2023 — especially not on anything that is connected to the internet.

Reply | Quote

Given the content of your previous posts, you seem to have reasonably good tech knowledge. If telemetry and spying are a primary concern, have you considered trying Linux? Are there any particular programs you use that you consider indispensable that are unlikely to run under something like Wine ?

If you haven’t tried Linux in years, or ever, you may be pleasantly surprised. A Windows user friendly distribution like Linux Mint/Cinnamon in its current release should have a fairly familiar interface, and probably get you 90% of where you would like to be right from a fresh install.

I began exploring migration away from Windows in earnest a couple years ago and while I’ll be stuck with an up-to-date Windows machine for at least the next few years, I hope to be free of them by the end of support for Windows 10, largely for the same reasons you state in wishing to remain on XP.

The old hardware will eventually fail, and replacements will become too difficult or expensive to acquire. Developing an exit strategy seems prudent.

1 user thanked author for this post.

Cybertooth

Reply | Quote

I disagree.  You still didn’t list emails and the world is much more than 20 websites.  You are also missing out on a lot of great creative content because you are on a platform that won’t handle modern streaming well.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

You still didn’t list emails…

Ah, but @Curious did indeed mention emails in a post below a little over an hour ago…

Curious wrote:

…I do not use email for over 15 years now. There is only spam and junk there. This why i liked woody setup since it did not require email. Now I have to fill fake email to be able to post.

Reply | Quote

@Curious, I would suggest taking a look at the ideas listed in the first of the links provided on my signature line below, then seeing if versions of these programs are available for XP. I no longer have any active XP machines, but I do have a couple of Vista systems guarded by older versions of OSArmor and HitmanPro.Alert (among numerous other protective measures), and I use them with no worries.

What antivirus software do you use? One Vista box here uses Panda Dome, the other one eScan Internet Security. Last I heard, Norton had reversed their decision to cut off Vista (and maybe XP), opting to continue providing virus definitions (though not new program features) for these older systems.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

 

Susan Bradley wrote:

some of which went after activeX which is/was still in XP and is not in the modern systems.  You forgot one more, what about email? As there is malicious content in email all the time.

Since I have no$script and adblocker, I do not see any ads. This is how it prevent my computer from getting a virus when there were ads on askwoody site several years back.  I do not use email for over 15 years now. There is only spam and junk there. This why i liked woody setup since it did not require email. Now I have to fill fake email to be able to post.

PKCano wrote:

And you know what’s at that link by not going to that site (it’s not on the list of 20)?

I did go to it but since Susan gave the link,  I figure it was save but seem I should have avoid it since Susan is not sure if that site was safe. I had no$script and adblocker so i should be save. Shut down router has give me new IP address. If that site that Susan gave me record my IP, I have a new one now.  if it does not, i run a script with release and renew commands from command prompt a few times until it give me a new address.

GeeBeeDee wrote:

If telemetry and spying are a primary concern, have you considered trying Linux? Are there any particular programs you use that you consider indispensable that are unlikely to run under something like Wine ?

I tried live linux CD years ago but never got to like them. I might have to try them again but seems most are not 64 bit. There are small left now that work with 32bit.

 

Cybertooth wrote:

What antivirus software do you use? One Vista box here uses Panda Dome, the other one eScan Internet Security. Last I heard, Norton had reversed their decision to cut off Vista (and maybe XP), opting to continue providing virus definitions (though not new program features) for these older systems.

I had AVG as main but now have Clamwin as main since AVG was slowing computer down. I have F-Secure Live CD for scanning as well for backup. I might have to see if the old CD still works. I have not use it a few years or might have to burn a new CD.

I will take a look at your post and see what I can add to my own. Thanks for that.

 

Reply | Quote

@Curious-

As has been pointed out by others above, eventually you will very likely be nearly unable to surf the web. As of now, you’re most likely limited to Chrome 49 (if it will run without complaining about being VERY out of date), Firefox 49 (which might do the same as Chrome 49) and Internet Explorer 8. ALL of these browsers are inadequate for the majority of today’s websites.

At some point, you may very well see a sign or banner on several sites that are on your list of 20 sites that you visit saying that they will no longer work with your browser and OS combination, and they’ll refuse to display their content for you. SOME of them may even refuse to allow you to connect to them.

Reply | Quote

Even if you always visit the same handful of sites, and never go outside of that, there is no way to know when any one of those sites may be compromised by an attacker and used to distribute malware. DNS poisoning attacks would also work similarly, with a trusted URL pointing to a compromised server.

In terms of the ability to keep using older browsers… I was an enthusiastic user and supporter of Waterfox Classic after the landing of Firefox Quantum, but several years ago I had to give up on it. So many sites were failing to load or behave correctly, and spoofing the useragent didn’t make any difference. These sites were using features that Classic (based on Firefox 56) did not and would not ever have, and they were not degrading gracefully.

I am not happy that the web has transformed from being about delivering the content in a way that suited the site visitor to being about delivering it exactly as the site owner demands, but that’s how it is now, and if the site owner demands the use of a given technology to use their site properly, you can either get on board or get left behind.

At first, it was rare to find a site that Waterfox Classic did not work with that could not be fixed with a quick useragent string change. When I did find such a site, I’d just go use another. Few sites are singularly indispensable.

Over time, though, I was finding more and more sites that did not work. It got to be too tiresome, and I reluctantly moved on. I didn’t want to give up the classic addons, but the browser they worked in was becoming irrelevant, and what good are powerful addons in a browser that grows weaker and less useful by the day?

As an exercise in security or a thought experiment, trying to figure out how to secure XP while using the web in a limited way may be fun, but as a tool for enabling hardware to serve the interests of the owner, XP is no longer really an operating system. It’s an antique, and while you can use antiques for modern purposes, doing so with tech items is more about the challenge, nostalgia, or the statement it makes than anything practical.

I really liked XP. I ran it from 2001 or 2002 until 2013 or so on my main PC, and another year or so on my laptop of that time. I always turned off the theming service, returning its UI to that of Win2k (the icons and animations being an exception), which I consider even now to be the pinnacle of Microsoft UI design. Even so, I have not used XP in nearly a decade. It’s just not a serious candidate for an OS anymore.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

1 user thanked author for this post.

GeeBeeDee

Reply | Quote

Hi Curious,

Based on your need for a 32 bit OS, consider LMDE, Linux Mint Debian Edition. the most recent version I found in a quick search is only about one year old, and still supported.

Link here: Linux Mint Debian Edition (LMDE) 5 ‘Elsie’ now available for 32-bit and 64-bit PCs

https://betanews.com/2022/03/20/linux-mint-debian-lmde-five-elsie-5/

Edit because forums are being mean.

Good luck, whatever you choose. I suggest buying a cheap, used 64 bit computer to test Linux on. If you are unwilling to do even that, good luck to you with XP, I have no more answers for you.

 

Reply | Quote

It sounds like you have some good security layers (defense in depth) in place to secure the system and most importantly you are aware of the dangers and take precautions in how you operate the computer which is one of the MOST important layers of security.

First, since the computer is behind the firewall of your router it’s secure from being compromised remotely. In addition the software firewall on the OS also protects it from compromise in the event a bad guy somehow gets past the router’s firewall (very unlikely) or the computer is connected to a different network without any kind of firewall (ex. laptop used away from home). Second, the use of a custom hosts file that blocks known malicious websites and ad networks is a very important security layer that protects the system when using the web browser, not to mention the additional layer of security in using noscript.

IMHO these layers alone will protect a system well regardless of the operating system version being used. Experience has proven this over the last 20+ years where I’ve used various old outdated operating systems (including Windows XP for well over two years after support ended), even old outdated web browsers (including IE) for extended periods of time and never had a single instance of malware or any kind of compromise.

Now with all that said, I would not recommend the average user do that as they are not going to be aware of or use many of these important security layers (beyond a router firewall most likely) so it would only increase the likelihood that they would compromise their system. Many even do so when using the most recent, supported and fully patched/updated OS version!

In the end, security is NOT just about the operating system version. Just because you are using an old outdated OS does not equal, “OMG, the sky is falling and you are going to be compromised at any moment!”.

2 users thanked author for this post.

Charlie, Cybertooth

Reply | Quote

It sounds like you and your setup falls in the third category of people that existing currently in the world. My percent breakdown is listed below. Meaning you are medium level tech savvy and are not willing to click on things just because there it is. I would say you are some what save with using Windows XP.  If it fits your needs, keep using it. But as mentioned, it will get hard to use some websites.

1. White/Red/Gray/Black hackers- top level tech savvy may be 1%
2. IT people – bottom of the top to high level tech savvy 3%
3. General people – medium tech savvy 2%
4. Low users- low tech savvy -2%
5. The rest of the world—no tech savvy skills 92%

 

Reply | Quote

Susan Bradley wrote:

I disagree. You still didn’t list emails and the world is much more than 20 websites. You are also missing out on a lot of great creative content because you are on a platform that won’t handle modern streaming well.

I had a gmail but lost access to it and can not log in. I have my password and username but gmail says that my device is same device as before and will not let me log in. I know it is the same device. Gmail security is awkward with me. Like I said, I have not use email for years now. I am fine with missing out. All my contacts know my home address and landline to contact me. There is nothing more than I need. I am fine stream on abc and cbs to watch my news.

Ascaris wrote:

Over time, though, I was finding more and more sites that did not work.

It might happen to me as well. I will have to determine how much I need that site.

GeeBeeDee wrote:

Good luck, whatever you choose. I suggest buying a cheap, used 64 bit computer to test Linux on. If you are unwilling to do even that, good luck to you with XP, I have no more answers for you.

Thanks. I will have to save up to get it since I would need to buy at least 4 computers or hope to find one when someone throw it out.

WRYB Hank wrote:

It sounds like you and your setup falls in the third category of people that existing currently in the world.

I would think I am more closer to fourth but closer to the third. Thanks for that.

Thanks everyone as well. I will think about it. I take long time to make a decision which might be around the time Windows 12 comes out. Hopefully it is better than current OS. Otherwise, will need to move to linux.

 

Reply | Quote

“I don’t have email”

This is the foundation of authentication.  Without that you cannot function in society. I had a neighbor who had no credit cards.  When they went on vacation they couldn’t rent a car.   In order to get pensions and distributions, one has to have an email address.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

This is the foundation of authentication. Without that you cannot function in society. I had a neighbor who had no credit cards. When they went on vacation they couldn’t rent a car. In order to get pensions and distributions, one has to have an email address.

Email is not authentication. Cell phone is authentication. I do not have that either.  Gmail will not let me sign in because of that. I function in society as well as I can. I do not go on vacation. I do not have the funds for it.

Reply | Quote