A simple workaround, published on the German Sebijk.com community forum on 22 May, enables XP users to change their system's ID to look like Windows Embedded POSReady 2009 - which is due to continue receiving security updates until April 2019.
The ploy was highlighted on 24 May by German cyber security commentator and Ghacks Technology News founder Martin Brinkmann, who explained: “You can use the trick to get another five years of security patches for XP.”
But industry watchers warn users that applying the workaround likely infringes software licensing laws, while Microsoft insists it represents “a significant risk” to users.
Brinkmann reported that the trick works because “Windows Embedded POSReady 2009 is based on Windows XP Service Pack 3, and the security updates released for that system are identical with the ones that Microsoft would have released for XP systems.”
The workaround only works on 32-bit versions of XP SP3, but the Sebijk forum provides instructions on how 64-bit XP users can also adopt it.
The solution taps into the fact that many organisations are still using XP, despite April's end of support, while some users have chosen to start paying for what were previously free patches. Meanwhile, the Chinese Government last week reacted to Microsoft's decision to end XP security support by declaring it would no longer buy replacement Windows 8 systems for fear they too would be left insecure.
Brinkmann says the latest workaround is intended to help XP users who cannot switch to a new system, or do not want to.
He told SCMagazineUK.com via email: “Windows XP users who don't switch are left on their own right now. While I would not recommend running XP any more, I understand that migration may not always be an option, for instance due to hardware or software incompatibilities. If you had to choose between installing some security updates for the system or none at all, which would you pick?”
But he added: “I recommend highly that you create a backup before you update the system as there is no guarantee that all updates will work properly on XP PCs. While POSReady 2009 uses the same core, some things are different.”
Commenting on the ploy, independent Microsoft specialist Robert Rutherford, CEO of IT consultancy QuoStar, said it could help users currently migrating away from XP - but beyond that it is “negligent” and probably in breach of licensing laws.
Rutherford told SC via email: “It's generally unadvisable to use this hack, unless you are in the process of removing XP from your infrastructure, but have been delayed. If any business is attempting to utilise this hack as part of its mainstream IT, then it needs to work quickly to change this. Continuing the practice will almost certainly put you in breach of licensing laws and from a security standpoint would be negligent.”
He added: “The updates are also focused around the stripped down POS-ready distribution of XP, thus you may well find core elements of other distributions do not get updated.”
Andrew Avanessian, VP of global professional services at security firm Avecto, advised security professionals to steer clear of the solution and to take steps to prevent their users applying it.
He told SC via email: “Corporate security professionals should be wary of this registry hack as it could potentially have an adverse effect on their environment. The risk here is one of compatibility. Microsoft will not be testing the patches on the full version of XP and so these updates could lead to downtime and have a negative effect on user experience.”
He advised: “Those who are concerned about their legacy XP estate and are unable to migrate to Windows 7 or 8 should strongly consider removing excessive privileges (admin and power user rights), in order to fully secure their systems and ensure that staff members can't implement this kind of registry hack. This will significantly reduce XP's attack vector.”
Meanwhile Microsoft itself warned that the workaround might give XP users a false sense of security as future security updates will not be tried and tested for them.
A Microsoft spokesperson told SC: “We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers - the security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers.
“Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.”