New Windows XP Zero-Day Under Attack

wiredmikey writes "A new Windows kernel zero-day vulnerability is being exploited in targeted attacks against Windows XP users. Microsoft confirmed the issue and published a security advisory to acknowledge the flaw after anti-malware vendor FireEye warned that the Windows bug is being used in conjunction with an Adobe Reader exploit to infect Windows machines with malware. Microsoft described the issue as an elevation of privilege vulnerability that allows an attacker to run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."

Upate to the most current

[Ken Valderrama]

Adobe Reader - problem solved

Re:Upate to the most current

[Anonymous Coward]

Uninstall Adobe Reader - 2 problems solved!

Re:Upate to the most current

[Anonymous Coward]

Never have an adobe product installed in the first place - solved.

Re:

[Ken Valderrama]

genius !

Alternatives to Flash?

[tepples]

Never have an adobe product installed in the first place - solved.

So other than Flash or Edge Animate, what's a good program for creating vector animations?

Re:Alternatives to Flash?

[Anonymous Coward]

notepad

Re:

[ArbitraryName]

Synfig [synfig.org].

Re:

[philip.paradis]

Flash is on its last legs. You need to start moving to HTML5 based solutions. A Google query for "HTML5 animation editor" will yield a wealth of options.

Bloat

[tepples]

Export

Export from what, if not Flash?

to video

I tried that. The encoded video was 10 times bigger than the SWF, which counts against the viewer's monthly download cap, and had no means for interactivity.

Re:

[khellendros1984]

Then again, Youtube videos play on more devices than Flash animations do and don't require installation of a plugin of waning relevance. Mobile devices, which tend to have a more restricting bandwidth cap than most users' home Internet connection, would also be the least likely to be able to play the animation in swf form. The answer of which one is better would really depend on your audience, I suppose, but Flash is becoming more and more of a niche filler instead of a first choice for content delivery.

Re:

[tepples]

Youtube videos play on more devices than Flash animations do

Not always. I often get "The content owner has not made this video available on mobile" on my Nexus 7.

and don't require installation of a plugin of waning relevance.

Nor do they offer the slightest bit of interactivity. What's the multi-platform successor to Flash games?

Mobile devices, which tend to have a more restricting bandwidth cap than most users' home Internet connection

Except for PC users on satellite Internet. Besides, let me repeat this the third time: Even if one plans to export the animations to YouTube, in which non-Adobe program should one create them in the first place?

Re:

[khellendros1984]

Not always. I often get "The content owner has not made this video available on mobile" on my Nexus 7.

You know what you never see on your Nexus 7? Flash. Well....unless you don't upgrade to Kitkat, track down the apk and install it manually. That's not going to be a very popular option.

Nor do they offer the slightest bit of interactivity. What's the multi-platform successor to Flash games?

In spirit? Phones and mobile, produced using multi-platform game engines. I see people passing around goofy phone apps the way that they used to pass around goofy Flash games. As the closest-related technology? HTML5.

Except for PC users on satellite Internet.

Again, like I said, it depends on your audience. Honestly, I've never met anyone with satellite internet. St

Re:

[tepples]

HTML5/WebGL/etc not doing it for you?

So what graphical editor that exports to HTML5/WebGL is any good? In other words, SWF is to Adobe Flash as HTML5/WebGL is to what non-Adobe product?

Re:

[noh8rz10]

i do all my graphic layout in ppt. they have vectors and shapes too. also, cool animations.

Re: Upate to the most current

[Anonymous Coward]

Foxit is just as bloated as Adobe Reader.
Sumatra PDF is what Foxit was before becoming bloatware.

Re:

[unixisc]

Was it written in Java? Or Sumatra?

Re:

[FatdogHaiku]

Was it written in Java? Or Sumatra?

Caffe Verona...

Re:

[Black LED]

I have a problem where Sumatra PDF opens certain PDFs very slowly, perhaps taking 30 seconds or more. It doesn't seem to be dependant upon the file size either, as some large PDFs open quickly while some small ones take forever and vice versa.

Re:

[jones_supa]

Please do the responsible thing and file a bug report [google.com].

Re:

[Black LED]

I would, but I have already switched to a different reader.

Re:

[LinuxIsGarbage]

I use PDF-Xchange. I find better performance than Foxit, and it comes with free annotation tools.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Upate to the most current

[Anonymous Coward]

GP AC here. I looked around to see if Adobe had anything to say about this and I saw a post where an Adobe employee claimed that the inclusion of the McAfee software was required to fund the development of Flash Player because they provide it freely to users. It was also pointed out that users can opt-out and how they supposedly understand users' concerns about bundled crapware so they will always offer an opt-out. I can't seem to find the link now, but the way it was worded just sounded so smug and entitled. The question that comes to mind is, why not make it opt-in instead? The answer is because their original intent was to trick users into installing it.

Isn't it funny how a multi billion dollar corporation that made shitloads per software license of Creative Suite (and individual component applications therein) and distributed Flash Player (a necessary plugin for their own customers' audience) for years without the need for bundled crapware is all of a sudden "forced" to start including it; all around the same time that they discontinued Flash support on mobile devices and went to an even more expensive subscription model for their bread and butter products?

I'd definitely say Adobe is evil.

Re:Upate to the most current

[dreamchaser]

Upgrading the OS would be wise as well, especially since we're fast coming to the point of end of support, April 8th 2014. Windows 7 and 8.x both improved security considerable, and there are other more secure options as well such as MacOS X and the other varies flavors of *nix such as Linux distributions.

Re:

[Joce640k]

Sure, Windows 7 fits on my EeePC. Not.

I'm not even sure it would fit on my old HP laptop - that's only got a 30Gb hard disk in it. Windows 7 would overflow that in no time.

(Yes, they're both used used almost every day...)

Or I can upgrade all my perfectly-good hardware, right? Do they even make pocketable little 9" PCs any more?

Re:

[jones_supa]

Do they even make pocketable little 9" PCs any more?

I'm still a bit upset that they stopped making those nice 8.9" and 10.1" machines. Surely they were a bit low performance but they were fun to use. Well, at least there's still the 11.6" category.

Re:Upate to the most current

[twnth]

10" are not gone, just changed.
http://www.asus.com/in-search-of-incredible/us-en/asus-transformer-book-t100/ [asus.com]

Re:

[jones_supa]

Nice!

Re:

[0123456]

10" are not gone, just changed.
http://www.asus.com/in-search-of-incredible/us-en/asus-transformer-book-t100/ [asus.com]

Except:

1. It seems to be about twice the price of my old EeePC.
2. It's a tablet with attached keyboard, so, with an Atom stuffed inside, is likely to be even more poorly balanced than my ARM Transformer.

Chromebooks seem to be the real successor to netbooks, but the OS is a pain to replace.

Re:

[Luckyo]

Let's just say that I hope you don't offer those things to people actually using current EEE PCs. They don't have too many people that liked them which is why they got canceled in the first place. They are imho extremely uncomfortable to use, but I've heard a second opinion from my mother who would be ranking pissed if her current little baby EEE PC died and she found out there was no replacement. But those that did like them tend to be pretty fanatical and phone/tablet OS in the same form factor for people

Re:

[PrimeNumber]

I still have mine and it still runs linux just fine.

Re:

[twnth]

I'm not sure that you actually looked at the item I linked to.
Asus T100 "book" is a new product, only been on the market a couple weeks (local retailers here in Alberta got their first shipment last week). Its not the old android transformer that you may be thinking of.
-10" 1388x768. maybe a smidge bigger than the EEE
-full windows 8.1 32bit (not RT), comes with Office 2013 home and student. So it'll run just about anything
-quad core modern atom processor, 2 gig ram, Intel HD graphics. Office, netflix runs j

Re:

[Luckyo]

Oh, that's actually good to know, thanks! I looked up the transformer line, and apparently it was 100% android before this.

Frankly, I'd pay that extra just for the 768p screen. The one I bought back in the day had a 600p screen and w7 configuration windows didn't fit the vertical space in default size in for many menus, making configuration a pain.

Re:

[mlts]

I'm in the same boat. I would love to have a full featured PC with a 7-8" screen that I can carry with me that I can use with a USB serial port for diagnosing router issues.

Re:

[dreamchaser]

I find that my Asus Transformer Prime 201 is just fine for the majority of tasks, and it works with my USB serial cable. Yes, I can console into firewalls, routers, switches, etc. with my tablet, and the fact that I have the optional keyboard dock makes it all the nicer.

Re:

[ozmanjusri]

I would love to have a full featured PC with a 7-8" screen that I can carry with me that I can use with a USB serial port for diagnosing router issues.

A lot of them are made by a company in China called Hiton (sometimes anglicised to Highton) and resold with vendor branding. You can still get a variety of size and spec XP/7/Linux machines from 5 to 11" from them. Googling should bring up a few places to buy them on, or just look in Alibaba.

Asus have also just released the 1015E, which is a faily capable little 10" laptop available with Linux for $199 or Windows for $250.

http://liliputing.com/2013/05/asus-1015e-low-cost-mini-notebook-review.html [liliputing.com]

Re:

[Luckyo]

Sadly they didn't sell all that well. I'm already dreading having to tell my mother that I won't be able to replace her beloved 10.1" EEE PC when it eventually dies. She loves the damn thing to death, and I have no idea why - it was so small and uncomfortable to use for me when I set it up but she actually get her company to pay for it and install all of her work software on it.

Re:

[noh8rz10]

just get an 11 inch mac book air. those are pretty small too.

Re:Upate to the most current

[mlts]

For Web browsing in a VM, it is hard to beat XP for something that takes 512 MB of RAM, 16-24 gigs of disk space (partitioned into two disks, one for the system, one for scratch space for sandboxie's sandbox.) Its footprint is so light, the VM can stay resident on a box with 6-8 gigs of memory without issue, even with running fairly larger applications like Acrobat [1], Photoshop, Dreamweaver, and Flash.

I use Acrobat for producing PDFs for long term storage, FoxIt for viewing. So far, so good.

Re:

[0123456]

In the old days people would laugh at you for running a 5 year old OS and many here wont even move to that yet?!

That's because in the old days, a 5 year old OS would suck ass. XP is no worse for most users than Windows 7, and a step up for most users from Windows 8.

Microsoft should just have called XP the final version of Windows and kept updating it, but then they couldn't charge upgrade fees.

Re:

[Billly Gates]

Sorry I prefer progress. I like TRIM for my ssds, pin apps and websites, instant search (no more using the all programs with a mouse to find something), ribbons, HTML 5, security, no hangs, side by side SXS .dlls which dynamically link so one .dll doesn't overwite another during an app install, virtualized registry for each user with defrags and doesn't have windows rot... and with Windows 8 instant fast boot up, no memory leaks, less bloat, etc.

Windows 7 is a very superior OS. XP has tons of bugs and quirk

Re:

[0123456]

Sorry I prefer progress.

Same here. And there's been very little of that in Windows since XP.

BTW, I was amused by your mention of SxS, SxS Hell is one reason I'm glad I only ever have to boot Windows for games these days. There are better operating systems for everything else.

Re:

[Zibodiz]

I'm not sure I follow. If you have an XP disk with sp0, sp1, or sp2 you can install just fine (I do it semi-regularly with an sp2 disk). I've never tried with a disk that has sp3, but I wouldn't expect anything different. After install, I install sp3 from an .iso, then it updates fully to current level over the course of a couple hours, and it runs very stably. What VM software are you using, and what PC platform? I use Virtualbox in Ubuntu on both AMD & Intel machines (older dual-cores).
On anothe

Re:

[LinuxIsGarbage]

Even Windows 7 is showing its age as it takes forever with updates on a fresh install and workarounds if you need to test older IE browsers.

Just get VM's for free from Microsoft for your desired IE version and OS.
http://www.modern.ie/en-us/virtualization-tools#downloads [modern.ie]

Re:

[lgw]

30GB is fine for Win 7, but you might have a lot of other stuff.

Keeping WinXP around for aging crufty hardware isn't that interesting - just throw that old worthless crap out already, this isn't the 90s where you have to hang on to the old box until you have $3000 for a new one.

OTOH, Windows is really hurting for a lightweight OS to replace XP in virtual machines. When you're trying to stack 200 virtual machines on a server, WinXP really hits a sweet spot. MS seems to have lost the ability to do "thin and

Re:

[mlts]

There is always WinFLP (Windows Fundamentals for Legacy PCs), which Microsoft put out to compete with lightweight clients a few years back. Essentially it is a modified copy of XPe and doesn't have a number of features (no BlueTooth, etc.) that XP has. Another alternative is Windows Server 2003 which tends to be more lightweight than XP.

Re:

[kthreadd]

If the machine isn't very old it's often easier to get XP x64 to run well rather than the 32 bit version.

Re:Upate to the most current

[ArcadeMan]

My CNC requires a parallel port which doesn't even exists anymore and my CNC software can't run on Windows versions above XP. Are you suggesting I throw away my perfectly good CNC setup just because it's "old worthless crap"? Send me a check for $15K and I'll think about it.

Re:

[couchslug]

I agree as I support my buds CNC equipment.

Of course that XP machine never needs to connect to the internet.

BTW you can ditch the direct PC-to-parallel port connection if you ever wish to. These little units work a treat and tech support was outstanding. (A card in my buds Fanuc had malfunctioned and they helped him isolate that problem though it had nothing to do with their unit.)

http://www.highlanddnc.com/ [highlanddnc.com]

"parallel port which doesn't even exists anymore"

There are plenty of parallel and serial port cards t

Re:Upate to the most current

[LoRdTAW]

It sounds like he might be running a PC based CNC system that uses a PC for control. You posted a DNC box that is for uploading programs via DNC which has always been serial. Some older PC based CNC controllers used the parallel port (especially common for stepper systems). Systems that used brushless servos typically used some type of dedicated hardware to close the servo loop and is commanded via the PC. Typically those were ISA cards with a DSP on board but also parallel based units were available.

I also support the PC based CNC systems at my place of work. The system is quite advanced and uses a real time subsystem which only supports Windows 2000/XP. One of the systems is XP and the others are Windows 2000. New software costs about 4k and depending on the drives used, may require new drives at a cost of $1700 per axis. We still have one DOS based CNC system left, an ISA/DSP card with proprietary vendor written software supported by one guy on planet earth. Since that system sees little use it is not worth to $30k+ to upgrade to a modern CNC system. And that price is just to keep the existing motors and stages, $60+k for a complete replacement.

Re:

[tlhIngan]

There are plenty of parallel and serial port cards to adapt later desktops.

It's hard to believe, but yeah, there are tons of serial and parallel cards with PCIe interfaces on them. And if you have a laptop, ExpressCard serial and parallel ports exist too - and these aren't the chintzy USB ones (that use the USB port on the ExpressCard slot) - but use the real PCIe side of the slot and appear as a native port.

I'm just waiting for the Thunderbolt ones to come out as well - after all, it's also PCIe.

And I thou

Re:

[NJRoadfan]

If you are looking at desktop machines, there are motherboards being sold that still have the good old serial and parallel port headers. Laptops on the other hand...

Re:Upate to the most current

[QuantumRiff]

We have some expensive pitney bowes mailing systems. We inquired about a newer computer, NOT running xp. Turns out they changed the entire print assembly for the version that runs Windows 7. Its a $20k upgrade. (also need a new controller box, old one doesn't work with WIndows 7 software (mainly the hardware dongle, apparently)..

Our brand new pitney bowes mailing system has a windows 7 computer. The techs that installed it told our senior management to never run windows update, or install antivirus on it, or it would cause problems and make the machine not work. Boy did they get pissy when I put it on its own vlan, with only access to one server, and one port on that server, to get its updated files.

Re:

[LinuxIsGarbage]

Without digging in too deep, last I checked, some "business class" desktops from Dell, HP, Lenovo could be equipped with LPT and serial ports. With laptops, you can usually configure a business class laptop with docking station to get legacy ports. Eg from Dell:

http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=eep&cs=6099&sku=331-6304 [dell.com]
"E-Port Plus, dock adds dual digital display and legacy port support, USB 3.0"

And for anyone not in the know, USB parallel adapters are no good

Re:Upate to the most current

[serviscope_minor]

My CNC requires a parallel port which doesn't even exists anymore and my CNC software can't run on Windows versions above XP.

You can buy single lane PCIe parallel port cards for about $30. If you pick a decent one, they act like totally bog standard parallel ports and don't require drivers etc.

I don't know if you need harware virtualisation to connect the parallel port to a VM (I suspect not, but such processors are cheap now anyway--I think AMD offers it across the range).

There's a good chance the PC will die long before the mill: a good, well maintained mill will last nearly forever. Probably worth investigating contingencies for when that happens.

Also, have you checked to see if the mill runs off g-code? Many do which makes it pretty machine independent.

Re:

[epyT-R]

The most irrational bullshit ever. If the equipment works fine, leave it be. Changing software around just to bump the OS revision on high uptime equipment is a fool's game. THAT is idiocy.

Re:

[The Grim Reefer]

Keeping WinXP around for aging crufty hardware isn't that interesting - just throw that old worthless crap out already, this isn't the 90s where you have to hang on to the old box until you have $3000 for a new one.

On one hand I agree. On the other it's a little annoying that just about any system from the last 10 years, or more, has enough power to surf the web and check email. So it would be nice to keep perfectly adequate hardware out of landfills and not piss away a couple hundred bucks on a replacement.

Re:

[Patch86]

If all you're doing is checking email and surfing the web, surely Linux would do? LXDE is lighter weight than standard XP (and I'm sure XFCE isn't far off either). If all you want is to keep hardware alive for pleasure use, there's no reason not to.

Bigger sympathy goes to people who have specific applications which are XP-compatible-only. As much as I love Wine as a project, it can still be a nightmare to get it working for anything both complicated and niche.

Re:

[Billly Gates]

Have you tried to install XP in the last 6 months in VMware

It has the SVCHost.exe taking 100% cpu utilization bug, updates do not work, this is what happens [neowin.net]. It took a week to install XP with my host machine running very hot.

I finally found a fix of looking for a KB randomly for an IE update. MS support and googling had no answer to this but someone in a forum mentioned this fix after many many patches and fixits.

100% of all XP versions are impacted regardless of source as I assumed I had a bad .iso. The t

Re:

[machine321]

WSUS Offline [wsusoffline.net] may solve your problem.

Re:

[lgw]

Just checked my gaming box and it's 40GB, but I know I've used VM images that were 20GB: wonder what we stripped out? Of course, for any small install it's important to not have a pagefile, and to turn off volume snapshotting, but that's the case on my gaming rig and it's still using 40GB.

Re:Upate to the most current

[LinuxIsGarbage]

Minimum requirements for Windows 7 is 16GB. I forget how much it actually uses, but it will be less. Hard drive footprint of 7Starter through 7Ultimate is the same. You can do an "anytime upgrade" from starter to Ultimate if you want. Starter just disables features.

The actual story of why Starter exists is early in the Netbook era (with small 4GB SSDs, and non Aero compatible Intel 915 chipsets which themselves were part of a Vista capable lawsuit), machines like EeePC 701 physically could not run Vista, but could run XP well, and Asus was selling them with Xandros (which was a terrible distro). Acer was selling Linux Netbooks too. To keep from losing market share Microsoft had to embarrassingly extend the life of XP by selling cheap XP Home licenses for low cost PCs (with restrictions on the hardware). Eventually the Netbook market platform had standardized on Atom processors, Aero compatible i945 (or better), 160GB hard drive, but low cost XP licences drove prices down. These machines technically were more than capable of running Vista or better. So when Windows 7 came out, Microsoft wanted to kill off selling new XP licences, so to capture the low cost PC market they sold 7 Starter, again with limitations on hardware.

My father has an MSI Wind that sold with Windows XP, and I upgraded the RAM from 1 to 2GB, and the machine happily runs Windows 8. I have an EeePC 701 that shipped with Xandros that happily runs XP, though I have set up Windows 7 to run off of an external Hard drive if I wanted. I also have an AMD based MSI netbook that shipped with XP Home, that I upgraded to Windows 7 right away. It came with 200GB HDD and 2GB RAM, which technically exceeded the limitations for low cost versions of XP Home so I don't know how they managed that.

Re:Upate to the most current

[tepples]

Sure, Windows 7 fits on my EeePC. Not.

Then do like I did: install an Xfce-based Linux distribution and run Windows applications in Wine. Should Microsoft follow through on the rumored complete deprecation of the desktop in Windows 9, you'll be ready. Or you can install a larger SSD in your Eee PC and max its RAM.

Do they even make pocketable little 9" PCs any more?

I too mourned the end of netbooks [slashdot.org]. Tablets sold with a keyboard, such as the ASUS Transformer Book, are probably the closest successor.

Re:

[DMJC]

Wine is not actually a replacement for windows yet. It still cannot emulate DirectX 1-6 which is crucial for a lot of games and applications. Wine devs need to finish fixing the older parts of wine before trying to run a race against DirectX 10/11/12 The way it stands now wine is only good for a few DirectX 7-9 games.

Steambox One

[tepples]

So games are your argument. For one thing, an Eee PC has the Intel "Graphics My Ass" integrated GPU that isn't really intended for heavyweight 3D gaming, and Wine runs a lot of the 2D games. For another, Wine isn't needed for any game that is ported to Linux, and once the Steambox One ships next year [theverge.com], video game publishers that want money will commission Linux ports.

Re:

[epyT-R]

Deprecation is not always an indicator of progress, especially when 'progress' is defined subjectively.

Re:

[NJRoadfan]

Windows 7 and 8 will fit on a 30GB drive without a problem.

Re:

[machine321]

Fits just fine on my EeePC, although I upgraded the memory and drive as soon as I bought it. It actually runs quite well. Win8 won't fit though, as they artificially block installation if you don't have at least 768 pixels high.

Re:

[Joce640k]

I installed Windows 7 on my Eee 901 back in the day; it ran fine.

You must have put in a bigger storage device. Mine is only 16Gb.

Re:Upate to the most current

[cant_get_a_good_nick]

Service Pack 2, a.k.a. when XP really became stable, was way back in 2004. SP3 was back in 2008, still 5 years ago. If you think about XP being NT2000 with a nicer GUI, then the design was set way back in 1997 or so, back when dialup was king and an AOL disk was not yet a running joke.

To those that say "well my computer works fine".. umm, no it doesn't. Your OS was designed in 1997-2001, in a relatively much safer Internet environment, and is not designed for always on persistent attacks with billions of dollars available by hacking. As much as I think Microsoft keeps people out to dry, at some point you need to update.

For good and bad (and Mavericks has some things that piss me off) the Apple model of forced upgrades has some reasoning to it.

Re:

[epyT-R]

Service Pack 2, a.k.a. when XP really became stable, was way back in 2004. SP3 was back in 2008, still 5 years ago. If you think about XP being NT2000 with a nicer GUI, then the design was set way back in 1997 or so, back when dialup was king and an AOL disk was not yet a running joke.

Argument from antiquity fallacy. Older designs are not necessarily inferior. Using your logic, I could make the same claims about bsd and linux, since their design tenets date back even earlier than windows NT. You also conflate GUI design with security. AOL was a joke from the beginning.. Where have you been?

To those that say "well my computer works fine".. umm, no it doesn't. Your OS was designed in 1997-2001, in a relatively much safer Internet environment, and is not designed for always on persistent attacks with billions of dollars available by hacking. As much as I think Microsoft keeps people out to dry, at some point you need to update.

So as of the last patch tuesday, do you think you're now secure? You'd be a fool to think so. The proof is in the next batch of patches due out next tuesday. It's your behavior and process that

Re:

[epyT-R]

Yeah I know they do. That hasn't stopped anyone from exploiting things, has it? They said the same thing about java in the 90s, then the same about .NET, and now the browser sandboxes. They've all had exploits in the past, and the safe thing to do is to assume they'll have more exposed in the future.

ASLR and DEP are hardware features that windows xp supported with sp2. My point stands: The best defenses are prudent operating procedures, not big 'update now' buttons that make people feel safe when it is

Re:

[LinuxIsGarbage]

XP has +800 workarounds for tens of thousands of virii each time code executes which is why a 128 meg Pentium III that ran XP fast in 2001 can't run XP SP 3 at all today

New updated XP will run on a PIII with 128MB RAM. Problem isn't the base OS, but newer applications are more bloated than they were in 2002, even if they run on XP (Firefox, Adobe reader, flash, any AV package, etc).

Re:

[Anonymous Coward]

Microsoft needs to decide whether they are going to let XP go public domain, as per contract on copyright, or to continue to support it.

You have a hilariously mistaken idea of how copyrights work.

Re:

[cant_get_a_good_nick]

How many bugs are in Windows XP? You don't know, no one knows. Someone needs to do work to figure that out. Some geek needs to spend time to figure out the attack surface and see what breaks. How do you fix it? A harder question, how do you fix it without causing more problems? I've got nearly 15 years of code and machines that support XP. If you don't test, and this breaks, i'm going to be angry at Microsoft. Oh, and this is a Zero day. So I need to be FAST and RIGHT. That doesn't come cheap.

Are you going

Re:

[LinuxIsGarbage]

Unless you've been living under a rock for the past year or more, they HAVE decided what they're doing with it. On April 8, 2014, the update and activation servers are going dark. That's it. Game over. The End. They're NOT releasing a patch to disable activation and they're NOT releasing another service pack or update pack. You won't be able to do a fresh install without cracking the activation and you won't be able to get the 150 or so updates since SP3 without using a third party update pack. Do not pass GO, do not collect $200.

I doubt we'll go through the same thing with people hanging on to Vista for dear life on April 11, 2017 but I can already hear the same whining for Win 7 on January 14, 2020.

I have heard nothing indicating that they are planning on shutting down activation servers. This (recent) article agrees http://www.windowsobserver.com/2013/09/17/will-microsoft-turn-off-the-windows-xp-activations-servers-after-official-support-ends-in-april-2014/ [windowsobserver.com]

After XP End Of Support, Windows XP will remain on MSDN and TechNet for customers who still need to activate and re-activate XP (there aren’t new retail copies). We don’t have a date to share around when activation will be shut off, but it will be on for the foreseeable future.

As a precedent, Microsoft released a "sunset" version of Money Plus when they shut down activation servers for it. Adobe did similar for CS2.
http://www.microsoft.com/en-ca/download/details.aspx?id=20738 [microsoft.com]

When usage rates drop below 1-5% they'd proba

Re:

[AC-x]

The elevation of privilege vulnerability isn't Adobe's fault, any program running under a limited user could get full admininstrator rights with that.

Re:

[account_deleted]

Comment removed based on user account deletion

They Didn't save this?

[cant_get_a_good_nick]

Hmm, a bug that gets admin rights.... If I were sufficiently evil I would have saved this until April when there's no chance of it being patched ever.

Re:

[SgtChaireBourne]

Who's to say there aren't other, better things saved up for April? If they've managed to fritter away their window to migrate to GNU/Linux, well they'll have fun in April.

Re-buying peripherals

[tepples]

A lot of companies own multi-thousand-dollar PC peripherals with no NT 6 (Windows Vista/7/8) driver, and the peripheral's manufacturer has either gone out of business or deliberately chosen not to make new drivers for old but still working hardware. When companies have to re-buy expensive peripherals, the manufacturer makes more money.

Too Bad

[Oysterville]

Too bad Windows XP won't be supported much longer. Once that happens, it would be a...shame if something were to happen to that PC. If you upgrade to Windows 8, Microsoft will surely protect you.

Re:

[Anonymous Coward]

Because your cellphone, tablet, or Macintosh enjoyed 13 years of support from initial release (and 7 years after being replaced by the next version).

Re:

[Barlo_Mung_42]

I know it was supposed to be funny but this is in fact the reality we face. MS isn't going to support a 13 year old OS forever. Exploits will still be found after they stop supporting it. Conspiracy types will claim MS planted them but it would be even crazier if the last bug was patched on the day they cut support. That isn't going to happen.
If you are using your system for professional work and it's still running XP it has paid for itself many times over. Upgrading is a cost of business. A responsible com

Re:

[Patch86]

I wonder idly how many zero-day exploits have been discovered by the bad guys and are being kept in the bank waiting for April. Are we going to see a sudden explosion of exploits mid next year, as everyone makes their move in the knowledge that security updates won't be forthcoming?

Gosh....

[hazeii]

Oh, I see, a ramping-up of press releases about 'exploits' against XP prior to the cut-off date.

Didn't see that coming.

Re:

[Gavagai80]

Ramping up? There's been news about an XP exploit every week since XP was released in 2001.

Useless exploit, just gives admin to a local user.

[ReekRend]

Per TFA, this exploit is dumb and unconcerning. It just lets a standard user perform admin operations, no remote exploit of any kind. There have always been many ways for a standard user to get admin on any OS, the most trivial being physical access.

Re:

[Joe_Dragon]

so all you need to due is use this to install that remote exploit app.

Re:

[phantomfive]

Truly remote exploits are getting rarer and rarer. These days it usually takes two (or more) exploits, an exploit to become a local user, and a permission escalation exploit to become admin.

Re:Useless exploit, just gives admin to a local us

[Anonymous Coward]

I don't know if you're joking, I suspect you are, but for the benefit of the following readers I'll explain.

Here's how it works. User is tricked into accessing an infected pdf which contains code to elevate the user's privileges. the infected document's code downloads further exploits to root-kit the box. Right now the exploit is in a pdf, but infected websites are sure to follow.
If it's out there, and it has a picture of a puppy (or, in the USA, the word "free"), some user will click on it.

If you read the TFA, then you know it also is a Server 2003 bug as well.
Privilege elevation exploits are a nightmare for Terminal Server and Citrix boxes because it is a conduit for installing tools (using the admin rights) to grab other users' credentials and to continue from there to own the entire environment.

Re:

[something_wicked_thi]

No, it is not trivial to go from a non-root user to a root user, at least in a properly secured system. That requires local root exploits such as these. This is the whole basis for running daemons as non-privileged users. Even if Apache has an exploit, if it's running as a dedicated, non-privileged user, you can't get root on the system.

Local root exploits are serious, though obviously not as serious as a remote remote exploit. It's also true that they are usually easy to come by on unpatched systems. But y

Would be funny if the attacker could

[future assassin]

wipe windows and install Linux on the machine.

Re:

[DMJC]

All they need to do to make this happen is find a memory point in windows, where Linux can be injected so it overwrites the kernel and boots linux after enough of the root filesystem has been written to disk. I'm surprised noone has tried to do this before.

beta.slashdot.org

[BringsApples]

Man, I guess they were testing or something, but for a while, "slashdot.org" was redirecting to "beta.slashdot.org". All I could really make out was this "New Windows XP Zero-Day Under Attack" Headline and thought that something was wrong with either my PC or the site.

But maan that new layout [slashdot.org] sucks balls. I hope they don't go through with it.

Re:

[BringsApples]

That link isn't what I meant to link to. It was supposed to go to http://beta.slashdot.org./ [beta.slashdot.org]

Re:

[drinkypoo]

They probably will. That's strikingly like the shitty, unfeatured mobile interface.

Server 2003 as well

[Anonymous Coward]

Did the submitter RTFA, or just submit as soon as (s)he saw the words "XP exploit" somewhere?

It's not mentioned, in the Slashdot article, but it's also a Server 2003 bug.
https://technet.microsoft.com/en-us/security/advisory/2914486
This means Server 2003 Terminal Servers and Citrix boxes.

Re:

[Barlo_Mung_42]

No, that would be stupid. Why do you conspiracy types always take the easy route? If they stop supporting XP and the best and brightest malware creators suddenly can't find any holes to exploit would be a more compelling conspiracy. That would mean MS has been doing it all along just to maintain an entire industry dedicated to fixing them (not to mention under the table kickbacks from the virus writers guild).

Obviously MS isn't going to patch the *last* hole on the day they cut support. So your conspiracy i

Re:

[Elbart]

Can't fix the backdoors the NSA is still using.