Microsoft: Ignore Unofficial XP Update Workaround

A small change to the Windows XP Registry allows users to receive security updates for another five years. Yet the tweak could create other security and functionality issues for XP holdouts.

An unofficial workaround for installing updates to the 13-year-old Windows XP operating system was released this week, but Microsoft and some security experts are telling users to forget the workaround, forget XP, and upgrade to a new OS.

After planning to cut off support for XP many times over many years, Microsoft finally officially ended all support for XP on April 8 (though it further enabled XP addicts by releasing another security patch three weeks later). On Monday, Wayne Williams of BetaNews wrote about a workaround that could allow XP users to continue getting updates for five years.

The hack is simply a "tweak" to the XP Registry that tricks Windows Update into thinking that XP is actually Windows Embedded POSReady 2009 (WEPOS), which Microsoft will support until 2019. WEPOS is built specifically for point-of-sale computers, but it is similar enough to XP that some of the security updates for WEPOS will also work for XP... kind of.

ZDNet tested and confirmed the hack, as Larry Seltzer wrote Monday. Microsoft later responded to Seltzer's article:

"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1."

In addition to potential functionality problems, the hack might cause users to believe they're getting security updates that they're not really getting.

"Users that apply the hack will see patches that are not going to be released for the XP mainstream version, such as an important security update for IE8," says Jerome Segura, senior security researcher for Malwarebytes. "While it may be tempting to use this hack, users should bear in mind that Microsoft did not intend for those upcoming updates to be applied on regular XP. In other words, you are entering into an unfamiliar territory at your own risk."

In most cases, a 13-year software refresh cycle would seem adequate, if not lengthy, to enterprise IT staff. Yet depending on whom you ask, Windows XP still accounts for anywhere from 16% to 26% of desktop OS usage -- second only to Windows 7 -- including both home and business usage.

The people likeliest to use this hack are a relatively small population of XP devotees who feel comfortable making alterations to the OS registry and will continue to use XP on their home computers (for all of eternity, if they can). Yet Segura says home users who are not particularly tech savvy could also make the change to the registry rather easily by downloading an executable that will do it for them.

The bigger concern, though, would be if this workaround were implemented by IT staff at companies still running XP on their corporate PCs. Segura says this is unlikely. "Typically IT departments are very careful or sometimes reluctant to deploy even official patches." Some pros are wary of OS updates, because of the risks of productivity or compatibility problems. "I highly doubt they would apply this hack. It would be very irresponsible, because they should know better."

Steve Hultquist, CIO and vice president of customer success at RedSeal Networks, says, "Looking backwards at technology that feels comfortable" is the fundamental issue. "Windows XP was released to manufacturing in August, 2001, when a T1 (1.5 Mbit/s) was considered 'high speed,' and technology has accelerated rapidly in the past 15 years. Similarly, it's simpler to focus on the historically understood aspects of security such as firewalls, but the complexity of the Internet and enterprise networks mean that you must have systems to analyze your overall, end-to-end network to know what you have and know the potential for attack."

His advice: "Don't compromise. Use the current tools to stay safe and get the job done effectively."

Hultquist and Segura agree with Microsoft that the wise move is to skip the hack and upgrade instead.

"Without trusted authentication, there is always a way for anything or anyone to masquerade as another on the Internet, and this hack simply does that," says Hultquist. "While it is interesting on its surface, Microsoft's warning is accurate: Systems that use this hack will receive updates not intended for Windows XP and may actually damage the system."

Segura says that the hack "is interesting, and certainly people will try it out for fun." However, "it should not be considered a viable option for businesses or consumers. Instead, you should plan on migrating to a newer, and supported, platform."

That said, Segura admits that he still runs XP himself, but he runs it inside a virtual machine. He will use the Windows Update hack himself, for research purposes, to see if it will be stable.

He also says that there are plenty of legitimate reasons for people to continue using XP. It is a smaller OS than its younger siblings, so a new OS could significantly hamper productivity unless you get new hardware, as well. Places where there is heavy use of secondhand computers are even less likely to invest in an upgrade. Also, many applications (productivity software, games, device drivers) that are compatible with XP may not be compatible with newer operating systems.

Microsoft could take action to stop this hack from working. There are other ways to tell if a machine is running a point-of-sale system or just pretending to run one, so Microsoft could update Windows Update to check for them.

"If Microsoft goes that route, there's going to be a strong negative reaction," says Segura. If Microsoft is ever going to persuade XP devotees to upgrade willingly, they'll need help. Only when application developers and companies like Google and Amazon stop providing their services to XP users will there be a significant change.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...