Bugtraq mailing list archives
Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
From: Susan Bradley <sbradcpa () pacbell net>
Date: Thu, 17 Sep 2009 10:16:33 -0700
Good geeks ... not gook geeks. It's not a racial slight, it's spellchecker not working and I didn't realize I spelled it wrong. My deepest apologies if anyone reads that wrong.
Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>> I know too many of the gook geeks behind Microsoft and I do trust that this
>                        ^^^^ ^^^^
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7. Granted the marketing folks spun this
>> bulletin WAY WAY TOO much. It is what it is. I do believe the architecture
>> in XP just isn't there. It's a 10 year old platform that sometimes you
>> can't bolt on this stuff afterwards. Even in Vista, it's not truly fixing
>> the issue, merely making the system more resilient to attacks. Read the
>> fine print in the patch.. it's just making the system kill a session and
>> recover better.
>>
>> I am not a fan of third party because you bring yourself outside the
>> support window of the product.
>>
>> It is just a DOS. I DOS myself after patch Tuesday sometimes with mere
>> patch issues. Also the risk of this appears low, the potential for someone
>> coding up an attack low... I have bigger risks from fake A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect such
>> energy? I don't see that it is. Give me more information that it is a risk
>> and I may change my mind, but right now, I'm just not seeing that it's
>> worth it.
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>> Thank you all for your valuable comments... Indeed I appreciated some of
>>> the links/info extended (Susan, Thor and Tom) However, in the end, it
>>> sounded like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall solution,
>>> I seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was
>>> stated earlier, they did the exact same thing back in Win2K days...
>>> Nothing new here... :/ As Larry and Thor pointed out, what sux is that
>>> despite M$ "PROMISING" that they would continue supporting XP since they
>>> didn't exactly state WHAT they would support, they seem to be legally free
>>> to actually get away with this BS *sigh* gotta love
>>> insurance-salesman-tactics when it comes to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from the
>>> "big'uns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who cared
>>> would :) In the end I realize, it sounds like a total over-haul of the
>>> TCP/IP stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm misunderstanding,
>>> he's suggesting switching to an iptables based protection along with a
>>> registry tweak... ahh the good ol' batch firewall :) Would this actually
>>> work as a viable work-around? I realize M$ stated this as such, but given
>>> their current reputation it's really hard to take their word for anything
>>> these days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current attack? Any
>>> suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu --> I set my return addy to /dev/null for... well
>>> you know why!
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:larry () larryseltzer com]
>>> Sent: Wednesday, September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>>> Yes, they used the bulletin to soft-pedal the description, but at the
>>>> same time I think they send a message about XP users being on shaky
>>>> ground. Just because they've got 4+ years of Extended Support Period left
>>>> doesn't mean they're going to get first-class treatment.
>>>>
>>>> Larry Seltzer
>>>> Contributing Editor, PC Magazine
>>>> larry_seltzer () ziffdavis com
>>>> http://blogs.pcmag.com/securitywatch/
>>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces () lists grok org uk
>>>> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Susan Bradley
>>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>>> To: Thor (Hammer of God)
>>>> Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>>> It's only "default" for people running XP standalone/consumer that are
>>>>> not even in a home network settings.
>>>>>
>>>>> That kinda slices and dices that default down to a VERY narrow sub sub
>>>>> sub set of customer base.
>>>>>
>>>>> (Bottom line, yes, the marketing team definitely got a hold of that
>>>>> bulletin)
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>> Yeah, I know what it is and what it's for ;) That was just my subtle
>>>>>> way of trying to make a point. To be more explicit:
>>>>>>
>>>>>> 1) If you are publishing a vulnerability for which there is no patch,
>>>>>> and for which you have no intention of making a patch for, don't tell
>>>>>> me it's mitigated by ancient, unusable default firewall settings, and
>>>>>> don't withhold explicit details. Say "THERE WILL BE NO PATCH, EVER.
>>>>>> HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also,
>>>>>> don't say 'you can deploy firewall settings via group policy to
>>>>>> mitigate exposure' when the firewall obviously must be accepting
>>>>>> network connections to get the settings in the first place. If all it
>>>>>> takes is any listening service, then you have issues. It's like
>>>>>> telling me that "the solution is to take the letter 'f' out of the
>>>>>> word "solution."
>>>>>>
>>>>>> 2) Think things through. If you are going to try to boost sales of
>>>>>> Win7 to corporate customers by providing free XP VM technology and
>>>>>> thus play up how important XP is and how many companies still depend
>>>>>> upon it for business critical application compatibility, don't deploy
>>>>>> that technology in an other-than-default configuration that is subject
>>>>>> to a DoS exploit while downplaying the extent that the exploit may be
>>>>>> leveraged by saying that a "typical" default configuration mitigates
>>>>>> it while choosing not to ever patch it. Seems like simple logic points
>>>>>> to me.
>>>>>>
>>>>>> t
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Susan Bradley [mailto:sbradcpa () pacbell net]
>>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>>> To: Thor (Hammer of God)
>>>>>> Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>
>>>>>>> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of
>>>>>>> course it's vulnerable to any and all gobs of stuff out there. But
>>>>>>> its goal and intent is to allow Small shops to deploy Win7. If you
>>>>>>> need more security, get appv/medv/whateverv or other virtualization.
>>>>>>> It's not a security platform. It's a get the stupid 16 bit line of
>>>>>>> business app working platform.
>>>>>>>
>>>>>>> Thor (Hammer of God) wrote:
>>>>>>>> P.S. Anyone check to see if the default "XP Mode" VM you get for
>>>>>>>> free with Win7 hyperv is vulnerable and what the implications are
>>>>>>>> for a host running an XP vm that gets DoS'd are?
>>>>>>>>
>>>>>>>> I get the whole "XP code too old to care" bit, but it seems odd to
>>>>>>>> take that "old code" and re-market it around compatibility and
>>>>>>>> re-distribute it with free downloads for Win7 while saying "we
>>>>>>>> won't patch old code."
>>>>>>>>
>>>>>>>> t
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: full-disclosure-bounces () lists grok org uk
>>>>>>>> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Thor (Hammer of God)
>>>>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>>>>> To: Eric C. Lukens; bugtraq () securityfocus com
>>>>>>>> Cc: full-disclosure () lists grok org uk
>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>>
>>>>>>>>> Thanks for the link. The problem here is that not enough
>>>>>>>>> information is given, and what IS given is obviously watered down
>>>>>>>>> to the point of being ineffective. The quote that stands out most
>>>>>>>>> for me:
>>>>>>>>>
>>>>>>>>> <snip>
>>>>>>>>> During the Q&A, however, Windows users repeatedly asked
>>>>>>>>> Microsoft's security team to explain why it wasn't patching XP,
>>>>>>>>> or if, in certain scenarios, their machines might be at risk.
>>>>>>>>> "We still use Windows XP and we do not use Windows Firewall,"
>>>>>>>>> read one of the user questions. "We use a third-party vendor
>>>>>>>>> firewall product. Even assuming that we use the Windows
>>>>>>>>> Firewall, if there are services listening, such as remote
>>>>>>>>> desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>>>>>
>>>>>>>>> "Servers are a more likely target for this attack, and your
>>>>>>>>> firewall should provide additional protections against external
>>>>>>>>> exploits," replied Stone and Bryant.
>>>>>>>>> </snip>
>>>>>>>>>
>>>>>>>>> If an employee managing a product that my company owned gave
>>>>>>>>> answers like that to a public interview with Computerworld, they
>>>>>>>>> would be in deep doo.
>>>>>>>>>
>>>>>>>>> First off, my default install of XP Pro SP2 has remote assistance
>>>>>>>>> inbound, and once you join to a domain, you obviously accept
>>>>>>>>> necessary domain traffic. This "no inbound traffic by default so
>>>>>>>>> you are not vulnerable" line is crap. It was a direct question -
>>>>>>>>> "If RDP is allowed through the firewall, are we vulnerable?" A:
>>>>>>>>> "Great question. Yes, servers are the target. A firewall should
>>>>>>>>> provide added protection, maybe. Rumor is that's what they are
>>>>>>>>> for. Not sure really. What was the question again?"
>>>>>>>>>
>>>>>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>>>>>> particularly when they are good, obvious questions. Just be
>>>>>>>>> honest about it. "Yes, XP is vulnerable to a DOS. Your firewall
>>>>>>>>> might help, but don't bet on it. XP code is something like 15
>>>>>>>>> years old now, and we're not going to change it. That's the way
>>>>>>>>> it is, sorry. Just be glad you're using XP and not 2008/vista or
>>>>>>>>> you'd be patching your arse off right now."
>>>>>>>>>
>>>>>>>>> If MSFT thinks they are mitigating public opinion issues by
>>>>>>>>> side-stepping questions and not fully exposing the problems, they
>>>>>>>>> are wrong. This just makes it worse.
>>>>>>>>>
>>>>>>>>> That's the long answer. The short answer is "XP is vulnerable to
>>>>>>>>> a DoS, and a patch is not being offered."
>>>>>>>>>
>>>>>>>>> t
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: full-disclosure-bounces () lists grok org uk
>>>>>>>>> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Eric C. Lukens
>>>>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>>>>> To: bugtraq () securityfocus com
>>>>>>>>> Cc: full-disclosure () lists grok org uk
>>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>>>
>>>>>>>>>> Reference:
>>>>>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>>>>>
>>>>>>>>>> MS claims the patch would require too much overhaul of XP to
>>>>>>>>>> make it worth it, and they may be right. Who knows how many
>>>>>>>>>> applications might break that were designed for XP if they have
>>>>>>>>>> to radically change the TCP/IP stack. Now, I don't know if the
>>>>>>>>>> MS speak is true, but it certainly sounds like it is not going
>>>>>>>>>> to be patched.
>>>>>>>>>>
>>>>>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>>>>> system would not be vulnerable to a DOS anyway, so a patch
>>>>>>>>>> shouldn't be necessary.
>>>>>>>>>>
>>>>>>>>>> -Eric
>>>>>>>>>>
>>>>>>>>>> -------- Original Message --------
>>>>>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>>>>>> From: Jeffrey Walton <noloader () gmail com>
>>>>>>>>>> To: nowhere () devnull com
>>>>>>>>>> Cc: bugtraq () securityfocus com, full-disclosure () lists grok org uk
>>>>>>>>>> Date: 9/15/09 3:49 PM
>>>>>>>>>>
>>>>>>>>>>> Hi Aras,
>>>>>>>>>>>
>>>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>>> users by not issuing a patch for a DoS level issue,
>>>>>>>>>>> Can you cite a reference?
>>>>>>>>>>>
>>>>>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>>>>> should be patched for security vulnerabilities until about
>>>>>>>>>>> 2014. Both XP Home and XP Pro's mainstream support ended in
>>>>>>>>>>> 4/2009, but extended support ends in 4/2014 [2]. Given that we
>>>>>>>>>>> know the end of extended support, take a look at bullet 17 of
>>>>>>>>>>> [1]:
>>>>>>>>>>>
>>>>>>>>>>> 17. What is the Security Update policy?
>>>>>>>>>>> Security updates will be available through the end of the
>>>>>>>>>>> Extended Support phase (five years of Mainstream Support plus
>>>>>>>>>>> five years of the Extended Support) at no additional cost for
>>>>>>>>>>> most products. Security updates will be posted on the
>>>>>>>>>>> Microsoft Update Website during both the Mainstream and the
>>>>>>>>>>> Extended Support phase.
>>>>>>>>>>>
>>>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS
>>>>>>>>>>>> about "not being feasible because it's a lot of work"
>>>>>>>>>>>> rhetoric...
>>>>>>>>>>> Not at all.
>>>>>>>>>>>
>>>>>>>>>>> Jeff
>>>>>>>>>>>
>>>>>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>>>>>> <nowhere () devnull com> wrote:
>>>>>>>>>>>> Hello All:
>>>>>>>>>>>>
>>>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>>> users by not issuing a patch for a DoS level issue, I'm now
>>>>>>>>>>>> curious to find out whether or not any brave souls out there
>>>>>>>>>>>> are already working or willing to work on an open-source
>>>>>>>>>>>> patch to remediate the issue within XP.
>>>>>>>>>>>>
>>>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS
>>>>>>>>>>>> about "not being feasible because it's a lot of work"
>>>>>>>>>>>> rhetoric... I would just like to hear the thoughts of the
>>>>>>>>>>>> true experts subscribed to these lists :) No harm in that is
>>>>>>>>>>>> there?
>>>>>>>>>>>>
>>>>>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>>>>>> Systems Administrator
>>>>>>>>>>>> Virginia Tech
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Eric C. Lukens
>>>>>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>>>>>> ITS-Network Services
>>>>>>>>>> Curris Business Building 15
>>>>>>>>>> University of Northern Iowa
>>>>>>>>>> Cedar Falls, IA 50614-0121
>>>>>>>>>> 319-273-7434
>>>>>>>>>> http://www.uni.edu/elukens/
>>>>>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
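Thor's objection in the thread above, that the bulletin's "no inbound traffic by default" mitigation only holds while nothing is listening, suggests a quick exposure check an admin can run before trusting the firewall story. This is an added example, not code from anyone in the thread: it parses Windows `netstat -an` output and reports the TCP listeners bound beyond loopback; the sample output is constructed and the port-to-service labels are assumptions for illustration.

```python
"""Exposure check for the MS09-048 'no listening services' mitigation.

The bulletin's mitigation for XP holds only when no TCP service is reachable
from the network. This parses `netstat -an` output (Windows format) and lists
TCP listeners bound beyond loopback, i.e. the sockets a host-based or network
firewall must actually block for the mitigation to mean anything.
"""
import re
from typing import List, Tuple

# Constructed sample of `netstat -an` output from an XP host (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:49211     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Assumed labels: RDP / Remote Assistance (3389) as raised in the thread, and
# the domain/SMB ports Thor notes a domain-joined host has to accept anyway.
WELL_KNOWN = {135: "RPC endpoint mapper", 139: "NetBIOS session",
              445: "SMB", 3389: "RDP / Remote Assistance"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)

def exposed_listeners(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, service) for TCP listeners reachable off-host.

    Loopback-bound sockets are skipped: they cannot receive packets from the
    network, so they do not widen exposure to the TCP/IP DoS.
    """
    found = []
    for addr, port in LINE_RE.findall(netstat_output):
        if addr.startswith("127."):
            continue
        found.append((addr, int(port), WELL_KNOWN.get(int(port), "unknown service")))
    return sorted(found, key=lambda t: t[1])

if __name__ == "__main__":
    for addr, port, svc in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{addr}:{port:<5} {svc}  -> firewall must block or restrict")
```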
Current thread:
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048?, (continued)
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048? Larry Seltzer (Sep 16)
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048? Thor (Hammer of God) (Sep 16)
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048? Thor (Hammer of God) (Sep 16)
- Re: [Full-disclosure] 3rd party patch for XP for MS09-048? Susan Bradley (Sep 16)
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048? Thor (Hammer of God) (Sep 16)
- Re: [Full-disclosure] 3rd party patch for XP for MS09-048? Susan Bradley (Sep 16)
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048? Larry Seltzer (Sep 16)
- RE: [Full-disclosure] 3rd party patch for XP for MS09-048? Aras "Russ" Memisyazici (Sep 17)
- Re: [Full-disclosure] 3rd party patch for XP for MS09-048? John Morrison (Sep 17)
- Re: [Full-disclosure] 3rd party patch for XP for MS09-048? Susan Bradley (Sep 17)
- Message not available
- Re: [Full-disclosure] 3rd party patch for XP for MS09-048? Susan Bradley (Sep 17)
- Re: [Full-disclosure] 3rd party patch for XP for MS09-048? Mailing lists at Core Security Technologies (Sep 23)
- Re: 3rd party patch for XP for MS09-048? Susan Bradley (Sep 16)
- Re: 3rd party patch for XP for MS09-048? Rob Thompson (Sep 16)
- Re: 3rd party patch for XP for MS09-048? Susan Bradley (Sep 16)