Hacked Windows XP still updates, still a bad idea

Yes, you still can trick Microsoft into giving you security updates for Windows XP. No, it's not a good idea. You are not protected.

Perhaps the most popular story I've written for ZDNet was the one explaining how you can hack the registry in Windows XP and trick Windows Update into continuing to send you security updates. The basis of it is that Microsoft has an embedded variant of Windows XP, and support for that variant doesn't end until April 2016. The hack makes XP look like the embedded version.

I have maintained a Hyper-V VM on a Windows 8.1 system running this configuration and it does indeed continue to get updates. In fact, it gets updates even when Microsoft doesn't list it as getting updates. In November, the marquee vulnerability fixed by Microsoft was the bug in Schannel, their SSL/TLS implementation. The bulletin and knowledge base article list every supported version of Windows, but not the embedded ones. Even so, it did receive the update:

[Image: WEPOS.Update]

So no problem, right? Keep running Windows XP, right? For reasons that Microsoft and we have explained repeatedly, Windows XP is not really securable by modern standards. It lacks features like ASLR that prevent many vulnerabilities from being exploited or at least make them more difficult to exploit. Many steps have been taken in later Windows versions to harden the internals of the operating system against attack. XP, embedded or otherwise, has not gotten these improvements and won't be getting them. If you use Internet Explorer, version 8 is the latest you can run on Windows XP, and it's a pretty crummy browser.

Because of these differences, because Microsoft no longer supports XP, and because later Windows versions offer new features for them to use, many software vendors have ended their own support for XP:

[Image: Java.no.XP]

Java 8 may well work on Windows XP, but Oracle won't support it. They aren't providing or updating older Java versions either.

Now and then, vulnerabilities come along that aren't fixed in XP, even in the embedded version. Cisco came across one recently in the vulnerability patched by Microsoft in November as MS14-063. This one did not show up in the list of vulnerabilities patched in embedded XP in November.

If you're still trying to get your money's worth out of Windows XP, you may think you're really clever and playing with house money. If you get away with it, good for you. Know that you are taking a big risk, one that is getting bigger every day.

Finally, I should repeat the statement Microsoft gave me when I first wrote about this earlier this year:

"We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1."