Windows XP patches on the black market?
Despite what several reports say, Windows XP is still an operating system that is widely used, all over the world. And now that Microsoft has stopped its official (and free) support of this succesful OS, a lot of people find themselves in need of a scarce good: XP patches. So what happens when you need a scarce good: a black market!
An official date for the first black market is already known: May 13, 2014, since that would be the first day the formerly regular patch distribution will be no longer be initiated for Windows XP.
At least for those who don’t have that expensive contract with Microsoft. Microsoft offers these custom contracts only for sites that have at least 750 computers and are willing to pay at least $150k per year for maintaining the OS and other Microsoft software.
But a lot of small organisations weren’t able to make to step up to a more modern OS compared to Windows XP. They probably weren’t willing to pay $200 per computer for the extended support, but would be willing to pay $25 or so, as rumors say some custom contracts are settled for.
There’s no doubt that certain people will start distributing patches using the BitTorrent or NEWS channels, so predicts Steven J. Vaughan-Nichols in an opinion post on the Computerworld website. The obvious problems emerges that you don’t know the validity of these “new patches” since they’re not coming from Microsoft directly.
Interesting thought … what if Microsoft starts fingerprinting their patches in relation to their paying customers? You can imagine what happens when Microsoft finds updates “in the wild” that shouldn’t be. It’s not very hard to fingerprint executables on demand. I’m also wondering about the distribution mechanism Microsoft will be using to provide paying customers with these extended-extended support patches. Automatically through WSUS can be a challenge unless they modify WSUS to some degree. I’m guessing a webportal where the patches are offered for download.
We won’t know until it happens. Keep your eyes and ears open and share the information!
First of all, you can validate patches since Microsoft provides hashes. By example: https://support.microsoft.com/kb/2922229
Because of this, I also think it would be a hassle to add company specifics to a patch, because this would also result in a different hash value.
And even if Microsoft would add company specifics, it is hard for a company to prevent an employee from distributing it without their knowledge since all these patches are downloaded to the local C:\Windows\SoftwareDistribution\Download folder where users can simply copy them.
It is an interesting idea though if someone would set up a public WSUS server to provide these updates. A bit similar to the illegal online KMS servers used to activate Windows/Office (that generally get taken down rather quickly).
In my opinion, if you’re still on XP you should simply move to a newer version and take advantage of all the improvements of those versions.
And that’s easier said than done when you haven’t moved yet. I agree that you should upgrade, but in the meantime you need a certain level of protection which is renewed every once in a while, since you wouldn’t be using the same birth control means every time, right? You renew it and continue to work! Until your generation served its purpose. Then and only then you dispose of it. I’m sure there are applications out there that are developed on Windows 2000 / XP and never tested on anything newer. You either upgrade that software too or you allow it to die.
No black market needed as it seems: http://betanews.com/2014/05/26/how-to-continue-getting-free-security-updates-for-windows-xp-until-2019/