3

I have software that only works with Windows XP. I have a computer that runs Windows XP. It has a firewall and up-to-date antivirus software.

Though I have several other computers running Windows 7, I have never "networked" them to the XP computer. They only use the same wifi connection as the XP computer.

I want to use the XP computer for the outdated software and to occasionally go online.

What are the risks?

If I only visit safe websites, am I still in danger? Is there any danger to my other computers?

Anders
  • 64,406
  • 24
  • 178
  • 215
Sun Storm
  • 31
  • 1
  • 1
    What do you mean by "networked"? How do you define safe websites? – SaAtomic Nov 16 '17 at 07:55
  • I suggest you to separate that XP machine from all other devices in the local network completely; it has a potentially huge risk. If you must use that application, you should add some proxy, firewall, ids solution to the front of XP machine and only let the port and service needed for that specific application to run; all other traffic should be dropped by default (both in and out). To find out and analyze the 'true traffic' you can use tcpdump/wireshark to capture that application traffic then configure security devices upon on. – JackSparrow Nov 16 '17 at 08:22
  • " I have never "networked" them to the XP computer. They only use the same wifi connection as the XP computer." <- that ***is*** "networking" them to the XP computer – user253751 Nov 17 '17 at 05:18

3 Answers3

10

Things are going wrong here, horribly:

I have software that only works with Windows XP.

Okay. That tends to happen from time to time.

I have a computer that runs Windows XP.

That is good, because of the need to run the software, probably.

It has a firewall and up-to-date antivirus software.

That is nice, but a firewall would only be needed if that XP box was networked. And you shouldn't connect an XP machine to any network that is not air gapped at this point. Even air gapped networks pose risks as other machines could be used to pivot (and be it from inside threats).

Though I have several other computers running Windows 7, I have never "networked" them to the XP computer. They only use the same wifi connection as the XP computer.

So you're saying you didn't network them, they are only in the same network? I'm not sure whether you understand what "networking" is meant to mean.

Stop networking your XP box. Right now.

I want to use the XP computer for the outdated software and to occasionally go online.

Nope. You do never want to go online with that machine.

What are the risks?

Complete and utter compromise of your XP box and possibly your whole network, both with a high probability.

If I only visit safe websites, am I still in danger? Is there any danger to my other computers?

That depends what you mean by safe websites, but there is a high probability that those use ads - and ad campaigns can be used to deliver drive by exploits that Windows XP is no longer getting any patches for.

As the comments suggested: there are even more risks, which I opted to preclude with presuming your firewall was watertight and you only browsed safe pages and read no mails and had no office installed etc.

All of my presumptions are probably not true.

Let me make this clear: you shouldn’t network an XP machine at this point - at all. Not even just for browsing “safe” websites, not even with a watertight firewall.

Tobi Nary
  • 14,302
  • 8
  • 43
  • 58
  • 1
    Last I looked WannaCry didn't need you to visit *any* web site. It probably isn't the only one. If the firewall is local to the system, then there may be relevant risks there... – user Nov 16 '17 at 19:11
  • 2
    @MichaelKjörling my answer presumes a otherwise completely tight firewall and only browsing; with mails and a bad firewall, things get **way** worse. And how batsh!t crazy insecure this setup is doesn’t matter at this point. Networking with an XP machine is a nono. – Tobi Nary Nov 16 '17 at 19:58
  • 2
    The most important point to take away is that "safe" websites are not necessarily safe. Malicious ads, server compromise, XSS, user-submitted content (e.g. images), the list goes on. – forest Mar 12 '18 at 03:30
3

You could run the Windows XP machine on a virtual machine without any networking interface enabled.

If you need to get data onto it you can add them via a shared folder that the VM has access to.

Running it in a live network is not worth the risks, the operating system can only get less secure as time passes by.

1

In regards to "safe" websites - unless you use an advertisement blocker or keep your JavaScript turned off (which is highly recommended imo), the website is as "safe" as the advertisements that it displays.

Malvertising is a big problem and any website that uses an advertising network vulnerable to this is potentially exposing its users to malicious software. Users don't even have to click on the ads to get infected:

That’s fine by me, because I never click on ads. Right?

Not so fast. First, everyone clicks on ads sometimes, even if it’s just by mistake. And second, there are strands of malvertising that begin running malicious code the moment you open the page. No clicking or any other action required on your part.

There have been malvertising campaigns in the past that have bypassed adblockers, such as RoughTed, which caused all kinds of undesired redirections to tech-support scams, websites that forced browser extensions on you until you accepted the extension or killed the page, and even exploit kits and Ransomware which Windows XP are very vulnerable to nowadays; these exploits can potentially propagate malware to other vulnerable computers on your network.

If you really, really need to use the computer running Windows XP, do what JackSparrow suggested and isolate the computer as much as possible, preferably with hardware solutions or software that's not installed on the computer itself.

Sonickyle27
  • 368
  • 3
  • 11