3

I know there is secunia and cve.mitre and ms kb database but I could not find a way to filter results only for operating system "windows xp" (or 2003 server, they share about the same code) with impact "arbitrary code execution" for which there is no workaround and no patch.

Costin Gușă
  • If you install an unpatched XP you can use any of the patched vulns. In what context are you looking for vulns? – RoraΖ Nov 24 '14 at 14:28
  • I want to be able to use this OS for as long as possible so I need to know how to reduce mitigation. Right now the only interaction with external data is via the web browser, for which I have already disabled remote fonts. – Costin Gușă Nov 24 '14 at 14:31
  • 2
    http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-739/cvssscoremin-4/cvssscoremax-4.99/Microsoft-Windows-Xp.html – RoraΖ Nov 24 '14 at 14:31
  • cvedetails was actually the first where I have looked but it gives no option to combine all filter criteria I've enumerated (os + vuln type + patch unavailable + workaround unavailable) – Costin Gușă Nov 24 '14 at 14:32
  • @CostinGușă in all honesty I'd just upgrade to Win7. XP is a dinosaur with unlimited vulnerability power. – RoraΖ Nov 24 '14 at 14:38
  • @raz old habits die hard, but it's not just that. there are lots of features slashed in successor versions which are really a must for me. – Costin Gușă Nov 24 '14 at 14:40
  • 1
    @CostinGușă This is for your personal computer? Not a work one? And you *want* XP for its features? Maybe this is "too chatty," but what features are you talking about? I can't think of a single thing that would keep me on XP. It is just like saying "I don't want new software to work for me, and I want to have to constantly be worried about my OS being compromised." – Gray Nov 24 '14 at 16:05
  • @CostinGușă cvedetails is where you need to be. You can download the list then filter the way you want to. – schroeder Nov 24 '14 at 18:40
  • @Gray yes. I would avoid xp on business at all costs, however for my personal use vista/7 do not have:
    - detachable taskbar toolbars
    - explorer single click left panel tree expanding
    - shortcut keys in ctrl-alt-del window
    8 & 10 do not have windows standard color scheme & gdi-like look (I understand gdi is rotten but they did not manage to come up with identical visual replacement), taskbar colors are confusing
    - right click on computer object - manage opens something else than compmgmt.msc
    overall regress in usability windows.uservoice.com
    See http://xpwasmyidea.blogspot.com for a full list – Costin Gușă Nov 24 '14 at 18:41
  • @CostinGușă Thanks for typing that up. I can't say I agree, but I have to say a lot of the stuff you talk about is just something to adapt to because it's different (not necessarily bad - maybe even better!). A lot of it is pretty minor, like how you say you want some old menu to come up when you click manage on computer, but now you can just push Windows Key and type what you want to do. "Partition" for example. Going through a bunch of random GUIs is not good UX, it's just something we got used to. I'd say use 3rd party utils to recreate the features you are missing, and be more secure. – Gray Nov 24 '14 at 18:56
  • there is no third party file manager that does single click folder expanding *and* at the same time is as fast and simple as native explorer! – Costin Gușă Nov 24 '14 at 18:59
  • @CostinGușă http://answers.microsoft.com/en-us/windows/forum/windows_7-files/enable-single-click-expand-in-win-7-windows/3c3d08b2-7d1c-41e7-a54a-005317650525 My suggestion, make a SU post about recreating these settings. I bet people will be able to do it for you. – Gray Nov 24 '14 at 20:00
  • 1
    this is my last comment because we are way offtopic by now. that answer is incorrect and does something else instead. also please read what blog "xpwasmyidea" has to say about features broken/removed by vista+ windows versions. there are LOTS OF POSTS on that blog, here's an example http://xpwasmyidea.blogspot.ro/2012/05/how-windows-8-copy-file-conflict-dialog.html – Costin Gușă Nov 24 '14 at 20:02
  • @raz I can't figure out where are the patch availability and workaround availability listed in that cvedetails page?! – Costin Gușă Nov 24 '14 at 20:14

1 Answer

1

You will not find this elaborate data no matter where you search simply because there are a lot of unreported attacks against many operating systems. When dealing with XP, you are likely also dealing with the security issues with newer operating systems (Windows 7, Windows 8) not to mention software such as Adobe, Firefox, etc., that are no longer supporting Windows XP either.

By stating you are looking for "code execution" in Windows XP, you're forgetting about the amount of software that will never be updated for XP. Flash, Firefox, IE, Office, and this list goes on and on. It's akin to playing Russian Roulette with 3 or more bullets in the chamber.

Because you're still going to do whatever you choose to do, I suggest you focus on something like Tripwire, OSSEC or some other HIPS checksum mechanism to make sure nothing new is introduced on the system. You might be able to find (archive.org or something) a legacy copy of Black Ice Defender which can be configured to alert on the fly on inbound and outbound connection attempts versus relying on the standard Windows firewall.

As for your initial question, you won't find a source that will tell you ALL code execution exploits because you need to worry not only about Windows, but about the software it is running.

munkeyoto
  • I have mentioned *known* *unpatched* vulnerabilities right in the title! What this means is that for each known vulnerability there is a published microsoft kb article and an associated patch and/or workaround. Definitely I am taking care on my own about other third party software. The question is ONLY about the native operating system version - windows xp! – Costin Gușă Nov 24 '14 at 20:58
  • Your comment literally says that *known unpatched* vulnerabilities have *associated patches*. So I'm not sure what kind of answer you're looking for. What you're asking is slightly unreasonable. Microsoft has stopped documenting XP vulnerabilities. No master list exists, I'm sorry to say. – RoraΖ Nov 25 '14 at 03:07
  • Raz I think you're misunderstanding my comment. At no point in time do I believe known unpatched vulns have patches. But for what it's worth, there are technologies (IBM XGS virtual patching) that can aid when no patches are available. – munkeyoto Nov 25 '14 at 13:13