Support for Windows XP ends in 18 days - how do I best protect myself?
March 20, 2014 1:52 AM   Subscribe

My laptop, running XP, has been chugging along nicely for nine years. Microsoft is "retiring" support for Windows XP. My surfing is fairly hygenic. How soon will I be vulnerable? What do I do to protect myself?

I am quite happy with XP and don't want to upgrade. I currently use "Advanced System Care" for maintenance and vetting websites.
posted by vapidave to Computers & Internet (14 answers total) 29 users marked this as a favorite
My surfing is fairly hygenic.

It doesn't matter. Bad guys routinely hack innocent sites and get malicious ads placed in innocuous sites. If you use Internet Explorer you will get hacked. If you use other browsers, it's less certain but it will still be messy if/when it happens. Sooner or later, the alternate browsers will also stop supporting XP. If a network level vulnerability is found, your router may protect you at home but if you go online at Starbucks or a friend gets onto your network with an infected device, you're hosed.

What do I do to protect myself?

You pay for the extended support for XP (only economically feasible to large corporations or governments), upgrade, or switch to Linux or a similar Unix-alike.

I am quite happy with XP and don't want to upgrade.

That's just the way it is. If you want to be online and safe, you need have to use a supported operating system. In 18 days you're going to be in the equivalent of a condemned building. It might last for days, it might last for years; there's no way to be sure. What is surety worth to you?
posted by Candleman at 2:23 AM on March 20, 2014 [1 favorite]

Upgrade to Vista?
posted by thelonius at 3:03 AM on March 20, 2014 [1 favorite]

Best answer: Time is a harsh mistress, the Upgrade Treadmill really is a thing, and despite all precautions every Windows box will eventually be to some degree exploited. So as well as doing your best to keep yours clean, you need at least two recent offline backups of everything you care about that's on it; and you need to be as sure as you possibly can be that before you plug a backup drive into your machine, your machine is clean.

Nine years of service makes your laptop an IT senior citizen. Not that there's anything wrong with that: my own laptop dates from 2001, though I've never run Windows on it (at least, not natively) because I'm a Linux bigot. However, had I been doing so I would probably not be spending money on an OS upgrade either, especially given how little there is to like in what Redmond currently has on offer. On balance, Windows 8.x is a large backward step from Windows 7, just as Vista was from XP and ME was from 98SE. Consider upgrading both OS and hardware after the first service pack gets released for Windows 9.

How soon will I be vulnerable?

As soon as the first exploit against a security flaw that will now never get patched appears in the wild.

What do I do to protect myself?

First thing is reduce your exposure to drive-by exploits. Single biggest contributor to that for a typical consumer desktop is refusing to download as much advertising content from the Web as you possibly can, and embracing the use of a script whitelisting tool. I recommend browsing with Firefox fitted with the Adblock Plus and NoScript extensions, with Adblock Plus subscriptions to EasyList, EasyPrivacy and Fanboy's Annoyances.

Next is to make full use of such inbuilt security features as Windows XP has. If you've not done so already, set up a separate user account called Admin, make that a Computer Administrator account, set that one up for convenient computer housekeeping, and change the type of your existing account(s) to Standard User (you can do all this with the User Accounts item in the Control Panel). Give Admin a semi-reasonable password. When you need to install software you can do that either by logging in to Admin first, or by right-clicking the installer and choosing Run As. XP's UI for this isn't as smooth as 7's, but if you're using separate admin and user accounts the degree of protection is the same.

Even when your OS is past end-of-life, make sure as many of your applications as possible are not. Use Ninite to update everything you use that it supports; consider cutting over to applications that Ninite does support if you're currently using alternatives that it doesn't. If you're using Microsoft Office and you haven't already switched from Windows Update to Microsoft Update, do that so you'll still get Office patches. Uninstall Java unless you have a specific reason to need it.

Finally, use a halfway decent anti-malware suite. My current favorite for a good while now has been Panda Cloud Antivirus Free running at all times, with Malwarebytes Anti-Malware Free installed and available for post-oopsie cleanup. I generally prefer to turn off MBAM's resident protection features, which will in any case cease to operate at the end of the free trial period.

During Panda Cloud Antivirus installation you will see a dialog with three checkboxes on it for installing the Panda Security Toolbar, changing your home page, and changing your default search provider. Turn all three of those off before clicking Next.

After PCAV is installed, you will see some options related to the Data Shield component first introduced in version 2.2. As of version 2.3 I recommend leaving that turned on with all default settings in place; if you're upgrading from version 2.2, turn on the checkbox labeled "Allow secure applications". If you're using a non-Microsoft office suite, you might want to use its Extensions tab and add a list of OpenDocument filetypes as well (odt,fodt,ods,fods,odp,fodp,odb,odg,fodg,odf).

I'm not super-impressed with Advanced System Care, but it is at least harmless as far as I know. Apart from anti-malware, the only regular maintenance that actually benefits an XP box is an occasional run of the only competent disk defragmenter available.
posted by flabdablet at 4:03 AM on March 20, 2014 [27 favorites]

You've had nine good years. Treat yourself to some new kit.
posted by devnull at 6:28 AM on March 20, 2014 [4 favorites]

I would also assume people who have recently discovered exploits are sitting on them until after XP support ends.
posted by kerplunk at 7:23 AM on March 20, 2014 [1 favorite]

> My laptop, running XP, has been chugging along nicely for nine years.

Sorry, but no. Thats the Dunning-Kruger effect talking. "Hygenic surfing" cannot protect you, and just because you think your system is clean does not mean that it is. You've been chugging along as a part of any number of botnets, oblivios to the DDOS attacks you've participated in, spam you've helped distribute, and illegal content you've helped host. XP is a massively flawed and insecure OS. Just leaving it on and connected to the internet puts you at risk. Most viruses do everything they can to prevent the user from noticing that anything is different. It can be extremely difficult even for a professional to know if a given system is infected, to the point that OEMs have occasionally accidentally distributed infected brand new hardware.

Your best bet it to fresh install the OS daily or use Linux.
posted by brenton at 7:36 AM on March 20, 2014

You can make XP behave more like 7 when it comes to admin/user account privileges by installing SuRun (site is in German but the software has an English translation). Then instead of right-clicking and picking "Run as..." when you want to install something or run a program with elevated privileges, you choose the SuRun context menu entry.

You can configure SuRun to either ask for your password (user, not admin, just like sudo on a Unix OS) every time, or to just display a confirmation prompt, no password input required, like Win 7. However, I'm not qualified to judge whether SuRun is in some way not as safe as the separate account method flabdablet suggests.

There's also the option of creating DropMyRights shortcuts for your regularly used Internet facing programs, but remember that these will only work as advertised when you execute them by double-clicking the special shortcut you created. This is probably overkill if you already run as a limited user.

Or you can just try running Debian with Xfce or LXDE desktop environments, since your laptop probably doesn't have much RAM to spare.
posted by Bangaioh at 7:47 AM on March 20, 2014

XP is a massively flawed and insecure OS. Just leaving it on and connected to the internet puts you at risk.

This is quite a fashionable belief, but I know of no data that genuinely supports it. An XP box whose security patches are up to date, doing its day-to-day work with a limited user account, and connected to the Internet via a NAT router, is is no less inherently secure than a similarly configured Windows 7 box and may in fact be more malware-resistant than a Windows 7 box with the customary single user account.

The reason XP now has such a poor security reputation compared to Vista and subsequent versions is because most Windows boxes are configured with a single user account, and that account is a Computer Administrator. Set up that way, XP truly isn't any more secure than Windows 98 was. But if you set it up properly, it's fine.

By the way, limited user accounts have existed in all versions of Windows built on NT kernels: NT, NT4, 2000 and XP are all quite capable of being set up securely.

An XP limited user account is every bit as restricted as a Windows Vista limited user account, and is therefore equally secure by design. An XP administrative account, though, has instant access to possibilities for system damage that a Vista administrative account has to jump through assorted hoops to gain; XP trusts its administrators more readily than Vista and later versions do.

Windows Vista did introduce some new security features (e.g. assorted folders only have Full Control permissions for the TrustedInstaller process rather than for the entire Administrators security group) but these are mostly just workarounds for design holes that would otherwise make the new split-authentication-token mechanism underlying User Account Control less effective than it would seem at first sight that it should be. XP doesn't have that mechanism, so it doesn't need those workarounds.

Naturally, once the security patches dry up all bets are off. But you can use a vulnerable OS for quite some while without getting infected if you are careful about what you allow to run on it.
posted by flabdablet at 10:30 AM on March 20, 2014 [2 favorites]

SuRun, by the way, is insecure because it's subject to a race condition. It works by briefly adding the current user to the Administrators group, then launching whatever software it was invoked for, then immediately removing the user from Administrators again; the intended result is that the process SuRun launched while the user briefly held Administrator rights retains those rights until it quits. There's another tool called MakeMeAdmin that works the same way.

Malware targeted against either of these could sit in the background doing nothing but monitor the current user account's security group membership. If it was quick enough, it would also get a tiny window of opportunity to re-launch itself with elevated privileges whenever the user invoked SuRun or MakeMeAdmin to do something legitimate.

UAC in Vista/7/8 doesn't work that way and doesn't cause the same race condition.
posted by flabdablet at 10:43 AM on March 20, 2014 [1 favorite]

Or you can just try running Debian with Xfce or LXDE desktop environments, since your laptop probably doesn't have much RAM to spare.

For what it's worth: my own old Dell Inspiron 8200 laptop had a ridiculously massive 512MB of RAM installed when I bought it in 2001, and Debian with Xfce is quite tolerable with a single-core 1.7GHz processor and that much RAM. It's noticeably nicer with the 1GB RAM and the quick WD Scorpio Blue hard disk that's in it now, though.

I wouldn't bother with LXDE. Sure it's lightweight, but it's also distressingly ugly to have to look at every day compared to just about every other option.
posted by flabdablet at 10:55 AM on March 20, 2014

Used and off-lease laptops with Windows 7 can be had from Dell, Lenovo and HP for less than $200. The first major Windows XP post-support exploit will likely be released by the end of April. Sucks to have to spend money, but you're probably going to have to upgrade or use Linux.
posted by cnc at 2:22 PM on March 20, 2014 [1 favorite]

Response by poster: A follow up if I may; Windows 7 would be my preferred upgrade [though it seems I might as well get a new laptop as upgrade] or what I would like to run on my next computer, what is the current expectation as to how long Windows 7 will be supported?

Thanks for the responses all.
posted by vapidave at 4:54 PM on March 20, 2014

As of now, 7 will be supported until January 2020.
posted by Bangaioh at 5:17 PM on March 20, 2014 [1 favorite]

Windows 7 is great, but you can (unfortunately) expect that newer machines will not last nearly that long. I had an XP laptop that went 8 years without almost any issues, but now it seems like the going life of laptops is closer to 4-5.
posted by getawaysticks at 9:40 AM on March 21, 2014

« Older Oh, Hello, Therapist   |   My neighbor's dog is barking every time I unlock... Newer »
This thread is closed to new comments.