This is a community-run resource to help you fix the Windows Update service on earlier versions of Windows.
Since Windows XP was discontinued in 2014, followed by Windows 7 in 2020, Microsoft’s support for their earlier OSes has significantly dwindled. As XP and earlier don’t officially support modern security improvements, such as the SHA256 hash algorithm required by modern SSL and Authenticode certificates as of 2019, much of the internet has become inaccessible to these devices. Adding insult to injury, Microsoft actively removed many downloads for XP and earlier versions in 2020. In effect, working with these OSes is now incredibly difficult.
Windows Update provides many optional and recommended updates, in addition to drivers for your system, but Windows XP and 2000 can only install critical security updates through the built-in Automatic Updates feature. Legacy Update revives the original Windows Update website – the only way to see and install every update available for your system.
This is very cool for virtual machines and old boxes you may have lying around for use with legacy software or games.
I especially like that you can activate the OS without using 3rd party hacks like antiwpa, well done!
That will be their legal undoing. Probably would have been alright if they didn’t touch that part, but they’ll certainly get sued and DMCA’d out of existence for activation hacks.
Maybe it’s my cynicism, but this feels like a bot farming dream. There appear to be no controls here to stop any other payload being offered up to the machines by the admins. This feels like a matter of time before these machines are either mining bitcoin or acting as DDoS nodes.
I doubt there are huge numbers, and they are probably not very powerful machines either. They wouldn’t be terribly useful for DDoS nodes or coin miners.
On the other hand, even a fully patched XP machine is a security liability. It’s not the known published vulnerabilities you have to watch out for either, it’s the newer ones that don’t mention XP. When software becomes end of life, they no longer check newly reported vulnerabilities against the older versions or mention them in the official advisories but that doesn’t mean the vulnerability isn’t present. Not only could it easily be present if it affects an older component that was present in the older version, but it might actually be easier to exploit due to there being fewer exploit mitigation technologies in the older versions.
One good example is the MS17-010 vulnerability family (EternalBlue, EternalSynergy, etc.). The official advisory doesn’t mention Windows 2000 at all, yet the exploit shipped with Metasploit Framework works very reliably against 2000.
Eternal.. would be blocked by disabling SMB altogether, no?
bubi,
I would think so too. Most of these old systems are fine if you keep them off the net. If they need to use the net, an outbound-only firewall to limit the scope of attacks to outbound connections drastically reduces the attack surface. With this in mind it would be advisable to only run browsers and other network clients that are currently supported obviously, although part of the problem is that browser support for older operating systems is dwindling.
When even Notepad can be abused via ctfmon you know you’re on a sinking ship (LOL!)
It’s great though not having to rely on daddy Microsoft for 9x/2k/XP/Vista support.
I don’t see the use for XP, as there are great update-packs available.
But I have to test it with Homeserver 2011, as updates on a clean install are completely broken, and there is no update-pack.
Thanks MS…
WHS2011 is based on Windows Server 2008 R2. You can use the WSUS Offline Update for 2008R2 to update your home server.