Re: 3rd party patch for XP for MS09-048?

[Susan Bradley <sbradcpa () pacbell net>]

Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

<P><B>If Windows XP is listed as an affected product, why is Microsoft 
not issuing an update for it?</B><BR>By default, Windows XP Service Pack 
2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition 
Service Pack 2 do not have a listening service configured in the client 
firewall and are therefore not affected by this vulnerability. Windows 
XP Service Pack 2 and later operating systems include a stateful host 
firewall that provides protection for computers against incoming traffic 
from the Internet or from neighboring network devices on a private 
network. The impact of a denial of service attack is that a system would 
become unresponsive due to memory consumption. However, a successful 
attack requires a sustained flood of specially crafted TCP packets, and 
the system will recover once the flood ceases. This makes the severity 
rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. 
Customers running Windows XP are at reduced risk, and Microsoft 
recommends they use the firewall included with the operating system, or 
a network firewall, to block access to the affected ports and limit the 
attack surface from untrusted networks.</P>

Susan Bradley wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be 
> of low impact and thus no patch has been built.
>
> Jeffrey Walton wrote:
> > Hi Aras,
> >
> >  
> > > Given that M$ has officially shot-down all current Windows XP users 
> > > by not
> > > issuing a patch for a DoS level issue,
> > >     
> > Can you cite a reference?
> >
> > Unless Microsoft has changed their end of life policy [1], XP should
> > be patched for security vulnerabilities until about 2014. Both XP Home
> > and XP Pro's mainstream support ended in 4/2009, but extended support
> > ends in 4/2014 [2]. Given that we know the end of extended support,
> > take a look at bullet 17 of [1]:
> >
> >     17. What is the Security Update policy?
> >
> >     Security updates will be available through the end of the Extended
> >     Support phase (five years of Mainstream Support plus five years of
> >     the Extended Support) at no additional cost for most products.
> >     Security updates will be posted on the Microsoft Update Web site
> >     during both the Mainstream and the Extended Support phase.
> >
> >  
> > > I realize some of you might be tempted to relay the M$ BS about "not 
> > > being
> > > feasible because it's a lot of work" rhetoric...
> > >     
> > Not at all.
> >
> > Jeff
> >
> > [1] http://support.microsoft.com/gp/lifepolicy
> > [2] http://support.microsoft.com/gp/lifeselect
> >
> > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> > <nowhere () devnull com> wrote:
> >  
> > > Hello All:
> > >
> > > Given that M$ has officially shot-down all current Windows XP users 
> > > by not
> > > issuing a patch for a DoS level issue, I'm now curious to find out 
> > > whether
> > > or not any brave souls out there are already working or willing to 
> > > work on
> > > an open-source patch to remediate the issue within XP.
> > >
> > > I realize some of you might be tempted to relay the M$ BS about "not 
> > > being
> > > feasible because it's a lot of work" rhetoric... I would just like 
> > > to hear
> > > the thoughts of the true experts subscribed to these lists :)
> > >
> > > No harm in that is there?
> > >
> > > Aras "Russ" Memisyazici
> > > Systems Administrator
> > > Virginia Tech
> > >
> > >
> > >     
> >
> >   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/