Running old versions of Windows and security

But the argument with the ATMs is that they have special locked-down versions with long-term support.

1 Like

I’m also going to point out that Windows 7 Embedded is NOT Windows 7;

When dealing with ATMs (because I can actually talk about these) you have systems with no administrative access, not connected to the internet and extremely tight controls over how software lands on them. Did I also mention that Embedded editions of Windows are not quite Windows as you expect?

I’ll turn this around, how are you installing software on your Windows 7 system if it’s not connected to the internet and if you never have any external media connecting to it?

1 Like

Install a piece of software from an untrusted source on your Android/iOS device without having to break the security first.

I’ll wait…

1 Like

What I have noticed is that even if an OS is not supported officially anymore, if a massive global attack happens then MS will still release priority emergency patches for it, most likely due to the large userbase still using that OS.

case in point

Now the reason why my laptop is still on Windows 7 is simple:
It’s a 2nd gen i5 with 4 gigs of RAM.
Windows 10 will run slower as it’s a more bloated OS (and it runs like crap with only 4 gigs of RAM).
I don’t do any banking on the laptop (I use my phones for banking, online purchases via apps, etc.).
I have software and diagnostics cables for my Audi that only work on Windows 7.
The fingerprint scanner on my laptop does not have Windows 10 drivers.
There are plenty of other small reasons why it’s still on 7 and not 10.

2 Likes

The core of Windows 7 Embedded is the same core as Windows 7 (CE Embedded is different) because it provides the full Win32 API (you can probably google that), which means that whatever exploits your home Windows 7 can get, the embedded ones are also susceptible to. ATMs are connected to the internet; have you ever stood in front of a crashed ATM terminal? Even Pick n Pay’s Smart Shopper kiosks run Windows 7 Embedded (not CE Embedded) and that is also connected to the internet.

The same way the core of the Xbox One OS is the same core as Windows 10; the Xbone used the Windows 8 core for its initial OS.

1 Like

Yes it is

But don’t take my word for it.

Windows Embedded Standard 7 (WES7) is built on the same framework as Windows 7 Ultimate, which means that any software that’s compatible with a standard Windows 7 distribution will also run properly on WES7. Windows Embedded Standard 7 allows users to identify the specific components of the Windows OS that their system or device requires and include only those features in the final image. In essence, Windows Embedded allows you to pick and choose the features you need in your OS and forgo those that aren’t suitable for your unique installation or dedicated appliance.

1 Like

Yeah, I really do like the Enhanced Write Filter feature of Windows 7 Ultimate, Embedded Lockdown Manager is also a great Windows 7 Ultimate feature… Same framework != same; the fact that you can run the same and similar software of the operating system doesn’t make it the same. With the old Embedded and now IoT editions of Windows you have certain customizations you can employ to further lock down and secure the OS.

1 Like

Those are features that can be turned off from within the OS, and Embedded Lockdown Manager is a certificate that can be installed and uninstalled from Windows 7 Ultimate (hell, even Windows 7 Basic probably) as it’s just a management console snap-in :wink:

https://www.microsoft.com/en-za/download/details.aspx?id=37020

Fact is, it is the same operating system (which you initially denied and are still trying to deny).

If I really wanted to and also had the energy and time, I can create a Windows 7 Ultimate slipstreamed ISO with all of those features :roll_eyes:

1 Like

And on the topic of security, Standard Bank’s Business Online system still uses Java 6 from 2006 because it has compatibility issues with later versions; I’m guessing they are also playing Russian roulette with all their client accounts.

1 Like

https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19116/Oracle-JDK.html

You tell me…

1 Like

This discussion is really interesting. Just keep it civil, folks. Remember we’re disagreeing to learn from one another.

FWIW, based on my interactions with Standard Bank over the years in covering security news for MyBroadband, they’re the ones whose security practices concern me the most.

Maybe things are better now, but using Java/Java EE 6 is super dodgy.

I genuinely get concerned about security practices. You can get away with truly dodgy things that on the surface appear totally secure.

1 Like

I looked and it’s difficult to draw any conclusions from a list of 600 CVEs.

However, I clicked on the “CVE Scores greater than 9” filter and there are lots in there affecting Java SE 6, 7, and 8.

They are all old. Is there a way to see which have been patched?

Apologies, it is Java 8 not 6; even though the website says upgrade to the latest version, once you do the launcher won’t open and their Business Online tech support recommended we revert to version 8 as it’s the LTS release they’re supporting.

1 Like

You have to start digging deeper past this point. Oracle tends to be relatively good at patching their software once issues have been identified, but it does leave you exposed.

1 Like

Banks (and I cannot comment on banks outside of SA) move so slowly when it comes to supporting new operating systems, frameworks, platforms, etc.

1 Like
4 Likes

Well, that’s not good.

2 Likes

Looks like it wasn’t reported very well. They’re saying it is a 16 month old vulnerability in a 3rd party library that is long since fixed.

2 Likes

Running Win 10, no problem on my side.

2 Likes