Unofficial XP update has Microsoft up in arms

Microsoft isn't amused by new hack that tricks Microsoft Update into applying XP security patches

Windows XP users are discovering that their now-unsupported operating system can receive updates from Microsoft by making a few simple changes to the Registry -- albeit updates intended for different versions of Windows.

Predictably enough, Microsoft isn't thrilled and is warning people away from the hack, even as some sources say it allows users to continue obtaining free security updates for Windows XP.

The hack in question, as reported by Larry Seltzer at ZDNet, involves altering Windows XP's Registry to make it appear to Windows Update as if it were a copy of Windows Embedded POSReady 2009 (WEPOS). The latter is described by Microsoft as an OS that "combines the power and familiarity of Windows XP Professional with a smaller footprint and specific features for point of service (POS) computers."

In other words, it bears enough under-the-hood similarities to Windows XP to nab its updates -- at least in theory.

Jerome Segura, senior security researcher for Malwarebytes (makers of a security suite that continues to protect Windows XP), noted that one of the big draws for such a hack is its simplicity. "It only takes adding one registry key, and all of a sudden, Windows updates thinks you are running an XP subversion." But he noted, "Users that apply the hack will see patches that are not going to be released for the XP mainstream version, such as an important security update for IE8."

Segura believes if Microsoft doesn't explicitly block this work-around, "we may also run into a parallel and unofficial stream of fixes for XP, developed by enthusiasts, much like in the mobile space with, for example, jailbroken iPhones running Cydia."

When trying out the hack, Segura was able to obtain a security update for the Microsoft .Net Framework 2.0 SP2 (KB2932079), which could in theory be applied by hand to an XP system. But two others were OS-level updates specifically written for WEPOS, including a fix for IE8 running on that platform.

When ZDNet ran news of the hack and confirmed that it worked, Microsoft contacted ZDNet and issued the following statement:

The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.

Microsoft's been pounding the upgrade-from-XP drum for some time now, but to little effect. NetMarketShare reports that as of May 2014, 26 percent of desktop users are still on Windows XP, with XP having lost only single percentage points of market share over the last three months. By that measure, it'll take at least two years for the existing base of XP users to phase out completely. In the meantime, XP users are as likely to keep engineering their own work-arounds as they are to turn to third parties for protection or aid.

This article, "Unofficial XP update has Microsoft up in arms," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform