Americas

  • United States

Hacking Windows XP to get security patches is a really bad idea

Analysis
May 28, 20143 mins
MicrosoftSmall and Medium BusinessWindows

Microsoft and security vendors are both warning users not to do it.

By now, you probably know about the registry hack trick to get updates for Windows XP. I shouldn’t have to tell you this, but that’s a really bad idea, one you should not do, and both Microsoft and at least one security firm are saying not to do it.

Initially, I thought they were enabling XP to use Windows 7 updates, which wouldn’t be that far-fetched. XP and 7 have considerable overlap and common code. But I learned these are not Windows 7 patches, they are in fact for Windows Point of Service (Windows Embedded) machines, which run a custom version of the regular XP.

BACKGROUND: Registry hack enables free Windows XP security updates until 2019

Because many businesses are still transitioning off XP due to the high cost of replacing the hardware, Microsoft will support that version of XP 2019. A replacement Embedded OS is already out there, based on Windows 7.

“Regular XP and POSready XP are so similar, which is why you can apply these updates,” Jerome Segura, senior security researcher for Malwarebytes tells me.

Naturally, Microsoft thinks this is a really bad idea.

“We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1,” the company said in a statement to the media.

Segura also warned against this.

“This hack is remarkably simple because it only takes adding one registry key and then, all of a sudden, Windows updates thinks you are running an XP subversion. Users that apply the hack will see patches that are not going to be released for the XP mainstream version, such as an important security update for IE8. While it may be tempting to use this hack, users should bear in mind that Microsoft did not intend for those upcoming updates to be applied on regular XP. In other words, you are entering into an unfamiliar territory at your own risk.”

He added, “the hack is interesting and certainly people will try it out for fun, but it should not be considered a viable option for businesses or consumers. Instead, you should plan on migrating to a newer, and supported, platform.”

I don’t fault the hackers who want to try it for fun, but anyone who does this on a business/production machine deserves whatever happens next.