Microsoft Warns Against Windows XP Hack For Updates


Microsoft is warning against a simple hack that enables those still using Windows XP to receive security updates through 2019.

The trick involves modifying the system registry, a process that is fairly easy, security experts said. The modification makes the Windows XP system appear to Microsoft's update servers as a point-of-sale system or automated teller machine. Both types of restricted Windows XP systems received a support extension while the financial industry upgrades the devices.

A Microsoft spokesperson told CRN that the modifications will enable updates, but doing so could cause system instability. The updates are designed to run on Windows XP Embedded and Windows Server 2003, lightweight versions of the operating system designed to be locked down and devoid of obscure and rarely used processes.


"Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP," the spokesperson said. "The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1."

The hacking technique is simple and only takes one registry key change, but it should not be considered a viable option for businesses or consumers, said Jerome Segura, a senior security researcher at San Jose, Calif.-based security vendor Malwarebytes, provider of the No. 1 user-installed antimalware solution:

"Users that apply the hack will see patches that are not going to be released for the XP mainstream version, such as an important security update for IE8," Segura said. "While it may be tempting to use this hack, users should bear in mind that Microsoft did not intend for those upcoming updates to be applied on regular XP."

Businesses using Windows XP include manufacturers with equipment running the embedded version, some point-of-sale system equipment that hasn't been updated and automated teller machines, which are being slowly addressed by banks to meet PCI compliance rules. The Windows XP install base has fallen below 15 percent, according to figures from vulnerability management vendor Secunia, which has been tracking the decline. Kasper Lindgaard, director of research and security at Secunia, has predicted a rise in attacks against XP users.

Microsoft's last official Patch Tuesday supporting Windows XP was April 8. The software maker also issued statistics showing more than 70 percent of its 2013 updates impacted Windows XP and has been urging users to upgrade to its more modern Windows 7 or Windows 8. Microsoft included Windows XP users when it issued an emergency, out-of-band Internet Explorer update May 1, but said an exception was made due to the security update being so close to the Windows XP end-of-life date.

Most firms have moved off of Windows XP, and the cycle has generated service revenue for providers, said Gus Chiarello, sales manager at New York-based solution provider Ramp Up Technology. The company has been bundling services for businesses that were finally motivated by Microsoft's final patch release in April to move off of the Windows XP platform, Chiarello told CRN in a recent interview.

"Overall features and management is much stronger in the Windows 7 world," he said. "For many clients, it's been about getting new hardware in there and getting them current."

PUBLISHED MAY 28, 2014