XP upgrade considerations - on a Mac

2blue4u

Help me out here. There's so much contradictory info about the coming end of support for XP. I'm going to have to make some decisions in the coming weeks and I'd really appreciate the thoughts of others on here.

I have three machines running Mavericks and XP under Parallels. One of these is merely a laptop duplicate of my main machine for out of office and holiday usage. So I'll now describe the two other machines.

Main puter, iMac running Mavericks and XP under Parallels. XP is required in order to run some ancient software (which shouldn't even run on XP - but it does). I cannot move away from this ancient software and I very much doubt if it will run on anything more recent than XP. I also use IE (under XP) as there is one site I have to use almost daily that requires IE. So, this instance of XP is connected to the Internet but only IE accesses the net and for only the one site.

One possible solution would be to run the ancient software under XP and deny XP access to the net and run Win8.1 under another virtual machine for the IE access. Seems expensive overkill to me :thinking:

Second machine, a laptop, running Mavericks and XP under Parallels. XP on this machine NEVER connects to the Internet as XP is only used to run accounting software. I see no reason to change this? Am I right to think this?

Thanks in advance for your thoughts.

J
 
If your existing system works OK, why change? Do you need a more modern version of Windows? OK, if IE gets updated then it might not work with XP, but then don't update IE.

I have an old Compaq running XP (I think it's SP2) for one occasional programme. It sits in the corner and is brought out once in a blue moon. Works for me.
 
If it ain't broke, why fix it. XP will still work; Microsoft just won't support it or release any more updates/fixes etc.
 
Because, without regular security updates, an Internet connected XP will become increasingly vulnerable over time.
 
Because, without regular security updates, an Internet connected XP will become increasingly vulnerable over time.

That's what some folk would like you to think. Personally, especially with the restrictions you mentioned, I reckon things will roll along as normal.
 
@2blue4u Considering you've got your XP machine in a virtual machine, and you don't use it for general internet browsing but just a specific task and a specific website... I think the risk will remain just as low as it has been for the last several years you were running it. Just keep it, and make certain you've got backups for it...
 
If the software you can't change can only run on XP, you're stuck with keeping XP. Change that software or do without it. You have Hobson's choice. If you want the software you have to run XP and risk the machine being compromised if it is attached to the internet.

What is the ancient software? There may be something else that does what it does that you have yet to have discovered.

If a site you have to access daily only works with IE, why haven't the people looking after that site woken up and smelled the coffee? IE is a minority browser, so it should be designed to work with Firefox and Chrome, not just IE...
 
If a site you have to access daily only works with IE, why haven't the people looking after that site woken up and smelled the coffee? IE is a minority browser, so it should be designed to work with Firefox and Chrome, not just IE...

Anything that's using ActiveX. Quite possibly Outlook Web Access; it will work in other browsers, but as a 'lite' version lacking some functionality. Although the OP hasn't stated it, I'm guessing it's work related and not a site for fun.
 
To the OP, as someone else mentioned: if you have XP in a VM then it should be fine.
 
Isn't it great that on this forum you don't get the hordes of doom and gloom merchants. Nice, refined, considered answers. Isn't TP great? (y)


What is the ancient software? There may be something else that does what it does that you have yet to have discovered.
It's a large relational database using Lotus Approach. It's evolved over the years and does exactly what is required with a minimum of fuss. Please don't mention Access; it's been looked at in great depth - and so has FileMaker, and so has an online browser-based option that looked promising for a while. The investment needed to migrate to an alternative is horrific.

If a site you have to access daily only works with IE, why haven't the people looking after that site woken up and smelled the coffee? IE is a minority browser, so it should be designed to work with Firefox and Chrome, not just IE...
I should have mentioned security issues - then, hopefully, you wouldn't have mentioned Firefox and Chrome ;)
 
Ugh. Lotus stuff is dreadful. Migrate away now! I'd never suggest Access for a database as it is a Mickey Mouse solution at the best of times. MySQL is one solution. If you have deeper pockets then Oracle is probably better, and it has all the forms generation and sophisticated business tools.

If the Approach database is only used in house, then MySQL on any old Linux web server with some kind of web front end could do the same functions. If it is an external software installation then I'd see if there are any other solutions which offer similar functionality. Hosted ones would offer the minimum of fuss as they'd probably have migration paths set up. Also it's worth talking to local universities to see what computing students want for projects. This sort of thing sounds like the ideal internship/student project too.

If the Lotus software only runs under XP (just), then you are pretty much going to have to move at some point, so you may as well get it over with while it still works, so it isn't done in a mad rush.
 
Because, without regular security updates, an Internet connected XP will become increasingly vulnerable over time.

Can you configure your virtual machine to only allow that one single website, and blacklist everything else? Proper firewall on your mac and then the virtualisation should be enough in that scenario.
 
What's the worst that can happen?

Seriously, if you have a VM running XP, and that version of XP runs IE to access 1 website, what's the worst that can happen IF somebody can be bothered to write malware that affects an obsolete operating system? Even if you get catastrophic damage to your VM then a recovery from backup should fix it.

AFAIK anything in a VM is sandboxed and can't reach the rest of your machine without permission. Even if it somehow broke out, I can't sensibly imagine a xeno-virus that gets transmitted via a leaky archaic version of IE on an obsolete version of Windows, breaks out of the sandbox and then attacks a hardened OS X system.

And yeah, I'm still running Quicken under XP in a VM ;)
 
I could say "Macs don't get viruses" because that's what people with Macs tell me when they are raving about their shiny computers :naughty:. So by that class of Mac user logic you should be fine. However, since you appear to know the difference between the hardware brand and the operating system ;) a more considered approach is warranted ...

1st machine - the ancient software isn't a problem: it doesn't (from your description) connect to the internet, so there is no vector for any vulnerability to be exploited. Using IE to access only a specific website again is not a problem; the only way a vulnerability in IE or the OS it is running on could be exploited is if the website you are connecting to is itself compromised.

2nd machine (laptop) - XP never connects to the internet. Again, there is no vector for an attack.

Even if you were attacked, the worst that can happen is the VM is trashed and you have to restore it from a backup. Basically, "Keep calm and carry on" would seem to be appropriate.

All of the above pre-supposes that your machines are on a private network behind a router (that is, you are using NAT) or if not (and having a subnet of public IP addresses would be very unusual in a home environment) you have a decent hardware firewall.
 
I'd suggest that some people read the last page or two of the recent "which windows" thread regarding security updates.

Granted, at least a VM is snapshot-able.
 
What's the worst that can happen?

Seriously, if you have a VM running XP, and that version of XP runs IE to access 1 website, what's the worst that can happen IF somebody can be bothered to write malware that affects an obsolete operating system? Even if you get catastrophic damage to your VM then a recovery from backup should fix it.

AFAIK anything in a VM is sandboxed and can't reach the rest of your machine without permission. Even if it somehow broke out, I can't sensibly imagine a xeno-virus that gets transmitted via a leaky archaic version of IE on an obsolete version of Windows, breaks out of the sandbox and then attacks a hardened OS X system.

And yeah, I'm still running Quicken under XP in a VM ;)

Well, it depends what you're doing. You can sandbox the VM from local resources outside the VM on the same PC and network, sure. However, if that one website you access is something like, say, a banking site, then obviously there's more to worry about as you could potentially have that account hacked. Also, if you haven't correctly sandboxed the VM you risk compromising other resources locally and on your LAN.

Going back to the requirements - if it were me, what I'd look at doing would be...

1) Fire up a Windows 7/Windows 8 VM. Try running the software in compatibility mode and see if I could get it up and running - there are some pieces of software that flat out won't work in compatibility mode, but usually it's only ones that are doing something funky at a hardware level. You're quite likely to get lucky. Maybe even try the virtual XP mode available in Windows 7 Pro. If that works, then keep a modern, supported Windows VM. In Parallels on the Mac, create shortcuts to the software and IE so you can run them and have them feel like native OS X apps - this feels like the optimum position for you to be in right now.
2) If you can't run the software in Windows 7 or 8, then I would probably consider creating a 2nd VM for a later version of the OS. In Parallels you don't have to actually dual boot into the OS to do this so all it costs you is setup time and some hard drive space. Use XP for whatever you have that needs it, and use IE on a modern, supported and patched OS for the website that you need it for. Both will look and feel like native apps with Parallels handling the Windows side of things and surfacing them as apps to OS X.
3) Personally, since I have a Windows Server box running 24x7 I'd probably run IE on the server and RDP onto it from the Mac for ease of use...

Going back to Jonathan's post "what's the worst that can happen IF somebody can be bothered to write malware that affects an obsolete operating system" - the thing you need to realise is that a HUGE NUMBER of hackers will be doing *exactly* that. They'll be writing malware to hit XP because they know that a) a sizeable number of less clueful users will still be running it, and b) MS aren't going to patch it. It's low hanging fruit and it will be targeted heavily come April. This will be made even easier for them, as they will be able to examine the critical updates being released for newer versions of the OS, and using those work out what the unpatched vulnerabilities are in XP and attack them.
See http://www.pcpro.co.uk/features/386077/windows-xp-microsoft-s-ticking-time-bomb

Basically you have a situation where there is risk. You need to decide yourself how to manage that risk as a trade-off between convenience and potential damage. You should do this with as great an understanding of the threat landscape as possible.
 
You should do this with as great an understanding of the threat landscape as possible.
I can see where you are coming from, but what is important is what the infection vectors are. Given there are multiple computers, I would expect any connection to the internet to be via a NATed router, which means any XP machine is not attached directly to the internet. This leaves a few possible attack vectors:

  • User clicking something they shouldn't - without knowing what the internet site IE connects to, it is impossible to know if this is a viable attack vector. I also assume no mail is read on either XP machine and it is used as described (i.e. for the explicit package and accessing the one website).
  • Local network infection - this depends how Parallels is set up. I know with VMware Workstation there are different modes you can set the network up in. One (and from memory it is the default) is to NAT on the host machine, which means the VM can't be seen on the local network. This would stop any worm attacks from locally infected machines.
  • Attaching USB drives/sticks to the VM - does this ever happen?

Just because an infection exists for XP that hasn't been patched, doesn't mean any machine that runs XP is necessarily going to get infected by it. I would be making my judgement about what to do based on my understanding of how easily the machine is able to get infected, not on how many viruses may be targeting the OS.
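A way to check the policy the thread converges on (the VM may reach only the one site, plus DNS via the host gateway, and must not be reachable from the LAN) against a connection log, as an added example that is not from any poster in the thread. The log format, the NAT network 10.211.55.0/24 with gateway 10.211.55.1, the LAN 192.168.1.0/24 and the allowed site address 203.0.113.10 are all constructed placeholders for this example.

```python
"""Audit guest-VM flows against a single-site egress policy (added example)."""
import csv
import io
import ipaddress

# Assumed addresses (placeholders, not from the thread): substitute your own.
GUEST_NET = ipaddress.ip_network("10.211.55.0/24")   # VM's NAT network
GATEWAY = ipaddress.ip_address("10.211.55.1")         # host-side gateway / DNS
LAN = ipaddress.ip_network("192.168.1.0/24")           # the rest of the home LAN
ALLOWED_SITE = ipaddress.ip_address("203.0.113.10")    # resolve the real site first
ALLOWED_WEB_PORTS = {80, 443}


def classify(src, dst, port, proto):
    """Return None if the flow is allowed by the policy, else a reason string."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip == GATEWAY:
        return None                          # DHCP/DNS replies from the host are expected
    if src_ip in GUEST_NET:
        if dst_ip == GATEWAY and port == 53 and proto in ("udp", "tcp"):
            return None                      # DNS through the host's forwarder only
        if dst_ip == ALLOWED_SITE and proto == "tcp" and port in ALLOWED_WEB_PORTS:
            return None                      # the one permitted site
        if dst_ip in LAN or dst_ip in GUEST_NET:
            return "guest reached into the local network (worm/lateral-movement vector)"
        return "guest reached an unapproved destination (malware call-home vector)"
    if dst_ip in GUEST_NET:
        return "guest reachable from outside its NAT (exposed to LAN worms)"
    return None


def audit(log_text):
    """Parse a CSV flow log and return (ts, src, dst, port, reason) for each violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reason = classify(row["src"], row["dst"], int(row["port"]), row["proto"])
        if reason:
            findings.append((row["ts"], row["src"], row["dst"], int(row["port"]), reason))
    return findings


# Constructed sample log: one DNS lookup, one allowed HTTPS session, then three
# flows the policy should flag (another web site, SMB into the LAN, SMB from the LAN).
SAMPLE_LOG = """ts,src,dst,port,proto
2014-03-01T09:00:01,10.211.55.3,10.211.55.1,53,udp
2014-03-01T09:00:02,10.211.55.3,203.0.113.10,443,tcp
2014-03-01T09:00:05,10.211.55.3,198.51.100.7,80,tcp
2014-03-01T09:00:09,10.211.55.3,192.168.1.20,445,tcp
2014-03-01T09:00:12,192.168.1.50,10.211.55.3,445,tcp
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Run it against an export from whatever sits in front of the VM (host firewall or router); an empty result for a normal working day is the evidence that the "one site only" assumption actually holds.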
 
Yep, all good points. If the OP can guarantee they're not going to be in any of the scenarios you mention, they may be OK. This is exactly what I mean about an individual managing risk - understanding the threat and attack vectors and making an informed decision. They may choose to minimize risk completely, or operate with an accepted level of risk with full awareness of the consequences. Only they can make that call, ultimately.

(Hopefully we won't see anything like the Slammer worm again!)
 
IE is used for access to a credit reference agency site, and only that site.

No USB sticks or similar are used with XP. But XP does have access to a shared OS X folder, mapped to XP as drive 'S:'. This folder only contains WORD, PAGES and .pdf files. XP ONLY writes .pdf to a sub-folder of S: and has no reason to read anything from it.
 
Can you ping the XP machine on the local network? (This would tell you whether an infected machine that got onto your local network could infect it via a worm.)
 
PS. The attack vectors for the credit reference site will then be:


The first of these can be kept at bay (as much as you can) by running an up-to-date anti-virus that examines web pages. The second you can do very little about, but then running a different browser/OS will leave you just as vulnerable...
 
Going back to Jonathan's post "what's the worst that can happen IF somebody can be bothered to write malware that affects an obsolete operating system" - the thing you need to realise is that a HUGE NUMBER of hackers will be doing *exactly* that.

You're probably right. According to Mashable/Reuters, lots of cash machines currently run XP. That could be bad.
 
Not unless the people administering them are idiots. Which is possible. I have run systems that administer dosing of first-into-man clinical trials on NT4 when it was unsupported, but it was done in an utterly controlled and isolated manner and inspected by the FDA. Similar legislation covers security of financial systems, such as PCI.
 
It's one of many legislative measures. Let's not go there. Safe to say that properly validated systems are bulletproof. I've done this for a living, rather than just read about it, and am personally liable for documents signed up to 25 years later for FDA regulated systems I designed and built...
As an ex-specialist in 21 CFR Part 11 compliance for pharma systems for one of the largest pharma companies in the world, I am qualified to comment here.

I now work for Microsoft in Enterprise Support so am fully aware of the risks associated with out of life cycle products.

Opinions my own, not necessarily those of my employer, etc.
 
I know nothing about FDA as I've not been there.

Anything but the most basic PCI compliance relies on network integrity - which is fine if you know what you are doing but most small businesses are self-certified. I reckon a fair percentage won't even understand the questions the compliance asks, let alone understand why they are being asked. Anyway, this is WAY off topic now :)
 
Not unless the people administering them are idiots. Which is possible.

The thing about XP was in a story about how "hackers" had managed to break a hole in the side of ATMs and jack in a thumbdrive full of malware to a USB socket that really shouldn't be there and, as far as I understand it, install a new jackpot program which then sat there undetected even though they robbed the machines a number of times. I'd say more than possible ;)
 
Thing is, being plugged directly into the machine you can do a LOT more than remote exploits can (which shouldn't work on an ATM anyway, as it should be on a standalone secure network).
 
Thing is, being plugged directly into the machine you can do a LOT more than remote exploits can (which shouldn't work on an ATM anyway, as it should be on a standalone secure network).

Which is a good argument for physically removing the USB sockets ;) I know they need updates now and again but I'm shocked they have a standard port on them.
 
The argument should be that the physical housing should've been more secure so that access to the port was not available (presumably the USB was at the rear where the internal access is). Nobody is going to make a proprietary connector for installing software/data.

Most tills these days are PC based also; it wouldn't be hard to do something similar (although again these machines should be secured, i.e. non-admin rights etc.). But again it relies on getting something installed without being detected inserting the device and/or actually using the machine not in the normal ways.
 
I think we can agree they are going to look at changing the design ;)
 
To be fair, with physical access to the machine, all bets are off. There's not a lot you can do to stop a truly determined hacker with hardware access.
Or disgruntled/untrustworthy staff, for that matter.

Also you'd be surprised (or not, reading some of your posts) how few businesses change their top-level admin password(s) when staff leave... less than 5 minutes = crippled network.
 
See also p/w on embedded devices, network hardware etc. Which is where pen testing comes in...
 
PS Jonathan, did you find out if you can run your XP application on a later version of Windows by the way?
 
PS Jonathan, did you find out if you can run your XP application on a later version of Windows by the way?

No - I haven't tried.

I use one bit of s/w from a lab that needs Windows. I bet it will be fine in Win8, but it's also fine on XP. I also use Quicken 2001. Given its age it's possible, but it may not run well. For me it's just not worth trying. I'd need to buy a retail version of Win8 just to find out.

VM goes on....use app...VM off. I'm comfortable with the risk.
 