A simple hack of Windows XP tricks Microsoft’s update service into delivering patches intended for a close cousin of the aged OS, potentially extending support for some components until 2019, a security researcher confirmed today.
What’s unclear is whether those patches actually protect a Windows XP PC against cyber criminals’ exploits.
The hack, which has circulated since last week — first on a German-language discussion forum, then elsewhere as word spread — fools Microsoft’s Windows Update service into believing that the PC is actually running a close relation of XP, called “Windows Embedded POSReady 2009.”
Unlike Windows XP, which was retired from security support April 8 and no longer receives patches, Embedded POSReady 2009 is due patches until April 9, 2019.
As its name implies, POSReady 2009 is used as the OS for devices such as cash registers — aka point-of-sale systems — and ATMs. Because it’s based on Windows XP Service Pack 3 (SP3), the last supported version of the 13-year-old OS, its security patches are a superset of those that would have been shipped to XP users if support were still in place. Many of POSReady 2009’s patches are similar, if not identical, to those still offered to enterprises and governments that have paid Microsoft for post-retirement XP support.
Jerome Segura, a senior security researcher at Malwarebytes, an anti-malware software vendor, tried out the hack and came away impressed.
“The system is stable, no crashes, no blue screens,” Segura said in an interview, talking about the Windows XP virtual machine whose updates he resurrected with the hack. “I saw no warnings or error messages when I applied patches for .Net and Internet Explorer 8.”
The Internet Explorer 8 (IE8) update Segura applied appeared to be the same one Microsoft released May 13 for other versions of Windows, including POSReady 2009, but did not deliver to Windows XP.
But although he has run the hacked XP for several days now without any noticeable problems, he wasn’t willing to give the trick a passing grade.
“[POSReady 2009] is not Windows XP, so we don’t know if its patches fully protect XP customers,” Segura said. “From an exploit point of view, when those vulnerabilities are exploited in the wild, will this patch protect PCs or will they be infected? That would be the ultimate proof.”
Microsoft, not surprisingly, took a dim view of the hack.
“We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers,” a company spokesperson said in an email. “The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP.”