"Behind the Scenes"
April 2014 | The monthly newsletter by Felgall Pty Ltd
End of Life
Earlier this month Microsoft finally killed off Windows XP and Office 2003. The most surprising thing about this is not that they have killed them off while so many people are still using them but that they have kept support for them alive for so long when there have been so many newer versions of those products released. Typically computer software producers only support the last two versions as it costs a lot of money to ensure that support staff know each version sufficiently well to support it. Usually their recommended fix for your problem if you are running an older version is to upgrade to the latest version and see if the problem still occurs.
That so many people are still using Windows XP now that Microsoft has dropped support for it is unfortunate for everyone as the computers running XP now represent a weak point for launching an attack against everyone else. There is enough common code between XP and the more recent versions of Windows that when future patches are released there is a good possibility that Windows XP will contain the same un-patched security hole. Simply examining the patches released for Vista, 7, and 8 will make it easier to identify the holes in XP, and identifying the holes is normally the hard part. Exploiting a hole once found is relatively easy.
Back in the early days of computers there was no need to keep up to date with operating system patches. Each computer was completely separate with no networking capability. The only way for viruses and other attacks to spread was by infecting floppy disks and then hoping that the disk would be inserted into a computer that hadn't patched the particular hole that was targeted. Most people only installed patches when the patch fixed a particular error that they were having. The actual occurrence of any form of security threat was so rare that the idea of creating programs to detect them still hadn't occurred to most people. Back in those days it was quite reasonable to continue running an old operating system because your choice was extremely unlikely to affect anyone else.
Even as computers themselves became more popular, keeping up to date was not essential. While the growing number of computers meant that there were more potential victims for any attack, the available mechanisms for making such an attack were still via physical media that was difficult to distribute at all widely. The main reason for upgrading from DOS 3 to DOS 5 or 6 was the size of hard drive that the different versions could support, not that support for DOS 3 had gone. For dedicated systems that only needed a small amount of disk space, sticking with DOS 3 was a perfectly viable alternative (and still is for a stand-alone system where the software requirements haven't changed).
Development from those early DOS versions followed two paths. First, a number of different companies attempted to introduce a common function library for DOS. These had all sorts of different names, most of which are no longer remembered, such as TopView, DESQview and Windows. For a long while none of these gained much support at all and so were not worth trying to attack, as even a successful attack wouldn't affect many people. Even when IBM and Microsoft tried combining the best features of both their products together the result was still basically ignored. It took two further goes at improving the library before Windows 3.1 became the first (and only) common library running on DOS with sufficient users to make it worth attacking.
The second path was the creation of a completely new replacement operating system. DOS itself had been thrown together quickly by Microsoft to provide IBM with an operating system for the IBM PC. The partnership between the two companies meant that they really wanted to create a better operating system. DOS was only ever intended to run one program at a time and so had no security built into it whatever to isolate one program from another or to prevent the running program from having full access to the system. Microsoft developed a new operating system they initially called OS/2 to resolve these issues. Almost everyone ignored this replacement operating system even though it had a better version of the common function library built into it than was available as an add-on to DOS. Then came the breakup of the deal between IBM and Microsoft with each owning rights to the original version of OS/2. As IBM retained the OS/2 name, Microsoft renamed the second version of their copy of the operating system to Windows NT 3.1 to try to get people to switch to it from Windows 3.1 - their popular common function library for DOS. Neither OS/2v2 nor Windows NT 3.1 became popular as people stuck with what they knew. Microsoft decided that their version of OS/2 would be more successful if they could kill off the competition and so since people were not switching to NT 3.1 they released a new version of DOS with the common library built in - instead of calling it DOS 7 they called it Windows 95. The publicity campaign and the fact that this was far superior to DOS 6 (although still far inferior to NT 3.1) meant that a lot of people upgraded. Microsoft retrofitted new features of Windows 95 into NT and released their third version of OS/2 as Windows NT 4 but still few people switched away from the clunky old DOS.
As far as security was concerned there were far more security holes in Windows 95 and 98 than there were in any version of OS/2 simply because even when Windows ME was released it was still built on the DOS operating system intended for running one program at a time without any security layers to keep programs from changing things that they shouldn't need to change. This made no difference because even as late as 2000 most computers were still completely separate and not connected to any network. The idea of attaching your computer to the biggest network of all - the internet - was just starting to catch on.
As people started connecting to the internet, keeping your operating system patched became far more important. Running a more secure operating system was also important and so Microsoft made another attempt to get people to switch away from DOS by calling their fourth OS/2 version Windows 2000. This got a few people to swap over in the mistaken belief that it was an upgrade for Windows 95 rather than Windows NT 4. As recently as ten years ago there were still huge numbers of people running DOS-based operating systems connected to the internet. The issue of security changed completely at about that time.
With enough people running insecure operating systems connected to the internet, launching an attack that would affect a significant number of people was possible and attacks suddenly became a lot more common. New software to help protect against such attacks - firewalls, anti-virus etc. - also became far more common. Which operating system you were running suddenly mattered a lot more to how secure your computer would be. With their fifth version of OS/2 called Windows XP, Microsoft was finally able to get everyone to switch to a more secure operating system that was designed from the start to be able to run multiple programs independently of each other and DOS finally receded into history.
Microsoft eventually retired the earlier versions of OS/2 but that did not necessarily mean that people using them upgraded to a more recent version of the operating system. So few people had switched across prior to XP that those older versions did not represent a big enough group of users to make them a worthwhile target. Most people only upgraded when they needed to replace the computer.
With the removal of support for Windows XP we have, for the first time, the situation where there is an old version of a popular operating system that is itself still in popular use, where the code shared between the versions is large enough that patches for security holes in the new version will serve to highlight holes in the old version, and where those holes will be worth exploiting. Perhaps the worst part of this is not that many of these old computers will be compromised - but that they can then be used to launch even more attacks against everyone else.
Over the past ten or so years, Microsoft's Windows operating system has been the most popular target for attacks and has therefore had the largest number of security holes patched. Other operating systems such as Linux contain far more un-patched security holes simply because the operating system is not popular enough for people to spend the time trying to find them. We can only hope that with Windows XP all of the patches already applied have repaired enough of the security holes that little remains to be exploited now that any new holes found will not be patched.