On 05/01/2020 05:56, Paul wrote:
Bert wrote:
Has anyone successfully updated their Win XP PCs with the latest MS
update?
This update was made available but not part of the standard update
process.
MS still supports the Point Of Sale and kiosks etc with security updates.
So I believe that this update can be used on any Win XP PC.
KB4316682
Someone provide steps to do updates please !
Lu Wei seems to have found the magic ingredient.
1) IE8 Cumulative of some sort (there have been a bunch).
   The PosReady one won't install until the OS is "branded".
   HKLM\SYSTEM\WPA\PosReady === New key
     Installed DWORD 1    === New DWORD value
   Now, try and remove that later. I'll have to find
   another Kaspersky registry editor to get rid of that.
   The KAV disc wouldn't boot in the VM, so I could do surgery.
2) SChannel update. SChannel provides encryption entries
   and uses named pipes. Savvy software developers keep their
   own "cryptlib", so they can never be held hostage by SChannel
   missing features.
3) Slight registry adjustments to enable it.
So what did I learn? Did IE8 suddenly become as
flexible as Chrome or Firefox? No.
a) Sure, it supports TLS 1.2 or TLS 1.3. Great.
   It would be nice to verify this, but the "ssllabs"
   site refused to work with the adulterated browser.
b) A crypto algorithm has to go with the overall protocol.
   Microsoft liked their 40 bit and 128 bit methods a bit
   too much. 3DES is no longer recommended. You need stronger stuff.
   The SChannel update, it's Microsoft policy to "not improve things".
   They can't be adding CHACHA20 or the elliptic curve
   exxxxx item to the Schannel. Leaving the crusty old RSA
   entries and the like, is more their speed.
   I've tested one web site, which insisted on a high value of
   TLS and only allowed the two named items in the previous paragraph.
   That virtually guarantees a bad experience for the vast majority
   of web browser users.
Things that could be missing (in no particular order)
   "https everywhere": Just because the browser got TLS 1.2 or TLS 1.3,
                       doesn't mean the browser is going to connect to anything.
                       Only https to www.mozilla.org worked. I couldn't
                       connect to ssllabs and verify this stuff.
                       https://www.ssllabs.com/ssltest/viewMyClient.html   FAIL
                       Normally, a site like that would "allow" weak
                       crypto, so it can "yell at you" to fix it :-)
   Schannel weak crypto: At least on WinXP, they're not going to "give away"
                         this stuff. Browsers like Firefox, might be keeping
                         their cross-platform crypto inside the executable,
                         so there can't be any "Schannel hostage dramas".
                         WinXP is never going to get a patch for CHACHA20.
   javascript: No idea what level of Javascript development IE8 is
               stuck with. panopticlick.eff.org didn't work with IE8
               when I tried, and that might have been a script problem.
   HTML5:  IE11 might have that, but did IE8 get any ? Since the
           browser test results were so poor, I can't really say.
So, yeah, I tried to patch up a Windows XP Mode virtual machine
for the test, and the results were "weak to non-existent". It
still can't display an MSN page or the like. Nothing is worse
off than before I started, so there is that. I got to discover
some of the holes on Windows XP Mode along the way (*don't*
merge the differencing disk and make a single dynamic VHD of it, it
doesn't like that). The Microsoft Windows XP Mode was so poor,
the software threw a hissy fit and *erased* the control file.
I discovered how to do (limited) backups to stop that.
The surgery was a success but the patient died.
   Paul
I tried this on a VM and tested IE8 with a bunch of my regular websites.
As expected results ranged from normal to will not open, with various
displays in between. Will continue to use Palemoon which opens all of
them correctly.
Guess the main benefit of this thread for those not already aware of the
POSReady fix is the extended security updates. My VM installed 173! As
far as I can see it is booting and running as before so the patient is
alive and well.
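
For anyone taking inventory of XP machines or VMs that carry the branding value described in the quoted post, here is an added example (not code from any poster in this thread): it parses registry exports in .reg text form and reports which hosts have HKLM\SYSTEM\WPA\PosReady with Installed set to 1. The host names, the function names and the sample exports are constructed for the example.

```python
import re

# Key and value named in the quoted post: HKLM\SYSTEM\WPA\PosReady, Installed = 1.
TARGET_KEY = r"hkey_local_machine\system\wpa\posready"
TARGET_VALUE = "installed"

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def posready_state(reg_text):
    """Classify one .reg export: 'branded', 'key-only' or 'absent'."""
    in_target = False
    state = "absent"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        section = SECTION_RE.match(line)
        if section:
            # Registry key names are case-insensitive; subkeys do not count.
            in_target = section.group(1).lower() == TARGET_KEY
            if in_target and state == "absent":
                state = "key-only"
            continue
        value = DWORD_RE.match(line)
        if in_target and value and value.group(1).lower() == TARGET_VALUE:
            state = "branded" if int(value.group(2), 16) == 1 else "key-only"
    return state


def branded_hosts(exports):
    """Return the sorted host names whose export carries the branding value."""
    return sorted(h for h, text in exports.items() if posready_state(text) == "branded")


# Constructed sample exports (host names and contents are made up for the example).
# Version 5.00 exports from regedit are UTF-16; decode them before parsing.
SAMPLE_EXPORTS = {
    "xp-kiosk-01": 'Windows Registry Editor Version 5.00\n\n'
                   '[HKEY_LOCAL_MACHINE\\SYSTEM\\WPA\\PosReady]\n"Installed"=dword:00000001\n',
    "xp-lab-02": 'Windows Registry Editor Version 5.00\n\n'
                 '[HKEY_LOCAL_MACHINE\\SYSTEM\\WPA\\Constructed-Example]\n"Installed"=dword:00000001\n',
    "xp-vm-03": 'REGEDIT4\n\n[hkey_local_machine\\system\\wpa\\posready]\n"installed"=dword:00000000\n',
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLE_EXPORTS.items()):
        print(host, posready_state(text))
```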