A simple hack of Windows XP tricks Microsoft's update service into delivering patches intended for a close cousin of the aged OS, potentially extending support for some components until 2019, a security researcher confirmed today.
What's unclear is whether those patches actually protect a Windows XP PC against cyber criminals' exploits.
The hack, which has circulated since last week -- first on a German-language discussion forum, then elsewhere as word spread -- fools Microsoft's Windows Update service into believing that the PC is actually running a close relation of XP, called "Windows Embedded POSReady 2009."
Unlike Windows XP, which was retired from security support April 8 and no longer receives patches, Embedded POSReady 2009 is due patches until April 9, 2019.
As its name implies, POSReady 2009 is used as the OS for devices such as cash registers -- aka point-of-sale systems -- and ATMs. Because it's based on Windows XP Service Pack 3 (SP3), the last supported version of the 13-year-old OS, its security patches are a superset of those that would have been shipped to XP users if support was still in place. Many of POSReady 2009's patches are similar, if not identical, to those still offered to enterprises and governments that have paid Microsoft for post-retirement XP support.
Jerome Segura, a senior security researcher at Malwarebytes, an anti-malware software vendor, tried out the hack and came away impressed.
"The system is stable, no crashes, no blue screens," Segura said in an interview, talking about the Windows XP virtual machine whose updates he resurrected with the hack. "I saw no warnings or error messages when I applied patches for .Net and Internet Explorer 8."
The Internet Explorer 8 (IE8) update Segura applied appeared to be the same one Microsoft released May 13 for other versions of Windows, including POSReady 2009, but did not deliver to Windows XP.
But although he has run the hacked XP for several days now without any noticeable problems, he wasn't willing to give the trick a passing grade.
"[POSReady 2009] is not Windows XP, so we don't know if its patches fully protect XP customers," Segura said. "From an exploit point of view, when those vulnerabilities are exploited in the wild, will this patch protect PCs or will they be infected? That would be the ultimate proof."
Microsoft, not surprisingly, took a dim view of the hack.
"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers," a company spokesperson said in an email. "The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP."
That last sentence was puzzling. While Microsoft would almost certainly not test POSReady 2009's patches on a Windows XP system, it would have tested the XP patches it crafted for its post-retirement support clients. And from all the evidence, POSReady 2009 is, at its heart, Windows XP SP3.
"The core of [Embedded POSReady 2009] is pretty much the same as Windows XP," said Segura.
Microsoft itself makes that plain on its own website. In one document, Microsoft stated that POSReady 2009 offers "full Win32 compatibility" with Windows applications.
While Microsoft urged XP users to steer clear of the hack and instead ditch the old OS for "a more modern operating system, like Windows 7 or Windows 8.1" -- Segura pointed out that wasn't always possible, often for financial reasons. "If someone is going to stick with XP [the hack] is better than doing nothing, better than not having any patches," Segura said.
"But there are better alternatives," he continued. "Don't use IE for one thing. Use an alternate browser -- Chrome are Firefox are going to still support XP -- and there are security products, including our anti-exploit products, that still run on XP. Those would be much better than the hack."
The POSReady 2009 hack wasn't the first end-around Windows XP users have found for patching their PCs. In August 2010, after Microsoft required customers to upgrade from XP SP2 to SP3 to continue to receive security updates, a security adviser with antivirus vendor F-Secure revealed a Windows registry hack that tricked Windows Update into "seeing" an XP SP2 PC as an XP SP3 system.
Segura was curious how Microsoft would deal with the hack. "It's so easy to get the patches," he said. "Did Microsoft miss something? Will they do additional validation [to block the hack]? Can they?"
Instructions on how to apply the hack can be found on the Web, including this piece by Martin Brinkman on his Ghacks blog last Saturday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is [email protected].
Read more about windows in Computerworld's Windows Topic Center.
Find your next job with computerworld UK jobs