Does Windows XP/2003/posready 2009 also have spy patches like Windows 7/8/10?

sam1275tom

Reputable
Oct 13, 2014
Hello.
I want to know whether it is safe to blindly install every patch on Windows XP/2003/POSReady 2009, including the optional ones. Do they have "spy" patches?
Thanks.
 
Those spy patches are known for uploading an incredible amount of data from your computer to Microsoft regardless of any privacy settings that may have been set. That kind of behavior is difficult to hide and no-one has reported seeing it in XP so far.

Nevertheless even if you have been consistently using the unsupported POSready 2009 patches in XP you can hardly consider such a system to be fully patched and secure--things like multimedia simply aren't in POSready so e.g. Windows Media Player certainly contains unpatched vulnerabilities that may be reverse-engineered from patches for Vista and 7. And most XP machines will have the delightfully ribbon-free but sadly no-longer-updated Office 2003 as well.

Keep in mind that antivirus runs in Ring 0 and notably missing from Snowden's list of NSA hacking targets were the American anti-virus firms Microsoft, Symantec and Intel/McAfee as well as the UK-based firm Sophos. Presumably they allowed backdoors for the NSA and therefore didn't need to be reverse engineered. Intel in particular seems to have a fascination with backdoors--the Intel Management Engine (ME) is an entire embedded but independent CPU and firmware blob OS that is ostensibly there to allow an admin to manage computers remotely. It's in every modern Intel computer and cannot be shut off--in fact it can boot a shut-off computer directly into the BIOS and from there access both disk and network. It can monitor memory while the computer is running but is completely invisible to any OS. Anyone with the key would essentially have the ultimate rootkit.

This kind of thing is why people have been working on open-source BIOSes like Libreboot or even open-source hardware like the Talos Secure Workstation.
 
Thank you. I don't use XP, but I use a real POSReady 2009 on a 32-bit machine and 2003 R2 on a 64-bit machine, and I also do not install any optional features like Media Player/Center.
I use NOD32 for antivirus; is it safe?
Luckily my CPUs don't have AMT support, but one of the devices has an Intel ME driver, which is very strange.
 
ESET is based in Slovakia, and it is up to you whether you consider it safe to allow them a backdoor. I mean, Eugene Kaspersky was sponsored by the KGB, but his company has also discovered more state-sponsored cyberattacks than anyone. It's also infamous for crafting false positives for competitors' products. You have to trust someone.

The Microsoft telemetry "spy" patches are mostly about collecting crash data to improve Windows (necessary after the massive layoffs in product validation, because the new model is for Consumer Windows users to be patch beta testers for Business users). As they have no interest in improving XP-based Windows, there's no reason to have such patches for those. I don't think the patches are malicious, and consider it more objectionable that if you are signed into your Microsoft account in Windows 10, any documents you are working on are uploaded to Microsoft just in case you suddenly decide to switch to editing them on your phone or tablet or even Xbox One! But then in order to Google Cloud Print from Android you have to send your document to Google too. The EULA helpfully says:
By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.
BTW the Intel Management Engine (ME) is in the MCH or PCH, not the CPU. AMT is just for a local administrator to use vPro features, so Intel (plus whoever they give the key to) doesn't need it. Can you imagine when someone cracks it or loses the key into the wild? It'll be like when quantum computers show up to easily break AES and everyone will have to buy new hardware. After all, remote bricking is one of the "features."

I don't know what's in AMD as their DASH went nowhere but Ryzen is likely to have ExactTrak. Open-source hasn't really proved safe either given how many longstanding huge vulnerabilities were discovered in 2016.

I suppose in order to minimize the number of parties you have to trust, using IE in 2k3 or POSReady 2009 with Microsoft Forefront Antivirus would do it. Should be safe enough, but don't forget you have to trust your ISP as well!

As safe as possible would be to not patch or ever go online with that system, and to use an old enough computer running Tails whenever you needed to. At a coffeeshop 😉
 


Wow, thank you very much for the very detailed answer!

Yes, I used to use Kaspersky because it had the highest real-life detection rate and the most cruel method of killing viruses, but I recently switched to NOD32 because it has become better in recent years and uses far fewer resources.

I'm not going to sign in to an MS account in Windows 10 if I'm forced to use it. I tried Windows 10 some time ago and decided never to use it again, not only because of the privacy, but also because of the tons of bugs.

I read about Intel's ME/AMT a long time ago, but hadn't really realized it's such a problem, and in fact I'm still not very clear about it. Could you tell me in a simple way: if I use an Intel platform PC with ME, how could a hacker get into my system? Does ME automatically listen on some network ports even if I don't have AMT enabled? If yes, what if I don't use the onboard NIC?

I never trust my ISP because I currently live in a very bad country where the government/ISP always modifies/blocks network traffic, so I'm using a VPN whenever I'm online, and I also have a DNSCrypt proxy server for my home network.

As for browsers, IE performs extremely poorly on every Windows version since the Windows 10 release; it looks like MS does it on purpose. I use Firefox now for daily browsing: it's open source and I can run it in a non-admin account, so in the worst case it will crash itself and not affect my system.

I'm not paranoid enough to use Tails for my daily life; I just want to keep my devices safe, and I don't like to be controlled or watched by others :)
 
Yes, I understand exactly what you mean. I'm just annoyed by these needless increases in attack surface creating security risks for no benefit. And Windows 10 for me has been far buggier than Windows ME ever was--whenever Windows ME broke I could at least be sure that it was my fault for breaking it, but 10 seems to slowly corrupt itself, requiring plenty of Googling for which files and keys to delete before an sfc or RestoreHealth or StartComponentCleanup--perhaps it's the hybrid shutdown? While 10 is usable with a Local Account, I vastly prefer 7 now that you can manually install all of the security-only rollups monthly (Windows Update was broken for a couple of years, pegging one core at 100% for hours, coincidentally while they were pushing free Windows 10. Now it can remain disabled, good riddance).

It's impossible to say anything definitively about Intel ME as it's almost completely undocumented and secret, likely thanks to public outrage over the Pentium III's seemingly innocuous Processor Serial Number. I'm pretty sure it still works just fine without vPro or AMT support, and that the 2048-bit key should be more than reasonably safe unless there are weaknesses we do not know about, which is of course what hackers are working on. It's probably more concerning that some people in government have the key algorithm, as that means it'll probably end up on Wikileaks.
As you suggest, the tiny firmware blob is unlikely to have a driver for any non-Intel NIC but it's possible it could still manage transfers at a very low bitrate which is a problem in these IPv6 times. However it's known AMT does need to be specifically set up for wifi, as it is unable to query the OS for SSID and key itself.

If you trust Firefox, and Debian, and some guy in Singapore, Webconverger is an interesting browser-only distro that can be used for general purpose browsing on a diskless workstation or even a public computer. There's not much documentation for modifying the live.cfg as they do want you to pay for the customized version. I do have to say that Firefox in Linux is noticeably slower than Firefox in Windows, or at least requires more CPU perhaps because of worse hardware acceleration or just worse graphics drivers.
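The question earlier in the thread, whether the ME listens on network ports when AMT was never enabled, can be settled empirically for machines you own rather than argued from Intel's documentation. When AMT is provisioned it serves its management interface on fixed TCP ports (16992/16993 for its web interface, 16994/16995 for redirection), and the ME answers those ports below the operating system, so `netstat` on the host itself shows nothing; the check has to come from a second machine on the same network. The script below is an added example written for this page, not code from any participant: it connects to each of those ports on a host you name, sends a plain HTTP request, and reports whether the reply carries the `Server:` banner the AMT web interface uses to identify itself. The port list and banner wording are assumptions taken from Intel's public AMT documentation; the `connector` parameter exists so the logic can be exercised offline with constructed responses.

```python
"""Check whether one of your own hosts exposes Intel AMT's management ports.

Added example for this thread, not code posted by any participant. Port
numbers and the banner text are assumptions based on Intel's public AMT
documentation. Run it from a *second* machine: the ME answers these ports
below the OS, so netstat on the host itself will not list them.
"""
import socket
from typing import Callable, Dict, Optional

# Intel AMT default TCP ports (assumed from Intel's documentation).
AMT_PORTS: Dict[int, str] = {
    16992: "AMT web interface (HTTP)",
    16993: "AMT web interface (HTTPS)",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (TLS)",
}

# A connector takes (host, port) and returns the raw bytes received after
# a plain HTTP GET, b"" if the port accepted the connection but said nothing,
# or None if the port is closed or filtered. Injectable so tests run offline.
Connector = Callable[[str, int], Optional[bytes]]


def http_probe(host: str, port: int, timeout: float = 2.0) -> Optional[bytes]:
    """Real connector: TCP connect, send a minimal GET, collect the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            s.settimeout(timeout)
            chunks = []
            try:
                while True:
                    data = s.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # open port that stopped talking; keep what we have
            return b"".join(chunks)
    except OSError:
        return None  # refused, unreachable, or filtered


def server_header(response: bytes) -> str:
    """Return the value of the HTTP Server: header, or '' if absent."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return ""


def looks_like_amt(response: bytes) -> bool:
    """The AMT built-in web server names itself in the Server: header
    (assumed banner wording: '... Active Management Technology ...')."""
    return "active management technology" in server_header(response).lower()


def probe_host(host: str, connector: Connector = http_probe) -> Dict[int, str]:
    """Map each AMT port that accepted a TCP connection to a verdict:
    'amt'  - the banner confirms Intel AMT is answering
    'open' - something accepted the connection but gave no AMT banner
             (another service, or a TLS-only port that needs a TLS client)."""
    findings: Dict[int, str] = {}
    for port in AMT_PORTS:
        resp = connector(host, port)
        if resp is None:
            continue
        findings[port] = "amt" if looks_like_amt(resp) else "open"
    return findings


def report(host: str, findings: Dict[int, str]) -> str:
    """Human-readable summary of probe_host()'s result."""
    if not findings:
        return f"{host}: none of the AMT ports accept connections"
    lines = [f"{host}:"]
    for port, verdict in sorted(findings.items()):
        lines.append(f"  tcp/{port} ({AMT_PORTS[port]}): {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, probe_host(target)))
```

Run it as `python amt_check.py <address-of-your-own-host>` from another machine on the LAN. A clean result on every port is what an unprovisioned ME should produce; an `open` verdict on 16993 or 16995 means only that something accepted TCP, since those ports expect TLS, so follow up with a TLS-capable client before drawing a conclusion. The poster's fallback of using a non-Intel NIC can be tested the same way: probe the address the add-in card holds, then the one the onboard port holds.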