Full Disclosure mailing list archives
Re: 3rd party patch for XP for MS09-048?
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 16 Sep 2009 12:15:23 -0300
P.S. Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable, and what the implications are for a host running an XP VM that gets DoS'd? I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."

t
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, September 16, 2009 8:00 AM
To: Eric C. Lukens; bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link. The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective. The quote that stands out most for me:

<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk.

"We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo. First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic. This "no inbound traffic by default so you are not vulnerable" line is crap. It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A: "Great question. Yes, servers are the target. A firewall should provide added protection, maybe. Rumor is that's what they are for. Not sure really. What was the question again?"

You don't get "trustworthy" by not answering people's questions, particularly when they are good, obvious questions.
Just be honest about it. "Yes, XP is vulnerable to a DOS. Your firewall might help, but don't bet on it. XP code is something like 15 years old now, and we're not going to change it. That's the way it is, sorry. Just be glad you're using XP and not 2008/vista or you'd be patching your arse off right now."

If MSFT thinks they are mitigating public opinion issues by side-stepping questions and not fully exposing the problems, they are wrong. This just makes it worse.

That's the long answer. The short answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Eric C. Lukens
Sent: Tuesday, September 15, 2009 2:37 PM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Reference: http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it worth it, and they may be right. Who knows how many applications might break that were designed for XP if they have to radically change the TCP/IP stack. Now, I don't know if the MS speak is true, but it certainly sounds like it is not going to be patched. The other side of the MS claim is that a properly-firewalled XP system would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric

-------- Original Message --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader () gmail com>
To: nowhere () devnull com
Cc: bugtraq () securityfocus com, full-disclosure () lists grok org uk
Date: 9/15/09 3:49 PM

Hi Aras,

> Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue,

Can you cite a reference?
Unless Microsoft has changed their end of life policy [1], XP should be patched for security vulnerabilities until about 2014. Both XP Home and XP Pro's mainstream support ended in 4/2009, but extended support ends in 4/2014 [2]. Given that we know the end of extended support, take a look at bullet 17 of [1]:

17. What is the Security Update policy?
Security updates will be available through the end of the Extended Support phase (five years of Mainstream Support plus five years of the Extended Support) at no additional cost for most products. Security updates will be posted on the Microsoft Update Website during both the Mainstream and the Extended Support phase.

> I realize some of you might be tempted to relay the M$ BS about "not being feasible because it's a lot of work" rhetoric...

Not at all.

Jeff

[1] http://support.microsoft.com/gp/lifepolicy
[2] http://support.microsoft.com/gp/lifeselect

On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici <nowhere () devnull com> wrote:
> Hello All:
>
> Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue, I'm now curious to find out whether or not any brave souls out there are already working or willing to work on an open-source patch to remediate the issue within XP.
>
> I realize some of you might be tempted to relay the M$ BS about "not being feasible because it's a lot of work" rhetoric... I would just like to hear the thoughts of the true experts subscribed to these lists :) No harm in that is there?
>
> Aras "Russ" Memisyazici
> Systems Administrator
> Virginia Tech

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/