[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] 3rd party patch for XP for MS09-048?



P.S.

Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that get's DoS'd are?  

I get the whole "XP code to too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."  

t 

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, September 16, 2009 8:00 AM
> To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> 
> Thanks for the link.  The problem here is that not enough information
> is given, and what IS given is obviously watered down to the point of
> being ineffective.
> 
> The quote that stands out most for me:
> <snip>
> During the Q&A, however, Windows users repeatedly asked Microsoft's
> security team to explain why it wasn't patching XP, or if, in certain
> scenarios, their machines might be at risk. "We still use Windows XP
> and we do not use Windows Firewall," read one of the user questions.
> "We use a third-party vendor firewall product. Even assuming that we
> use the Windows Firewall, if there are services listening, such as
> remote desktop, wouldn't then Windows XP be vulnerable to this?"
> 
> "Servers are a more likely target for this attack, and your firewall
> should provide additional protections against external exploits,"
> replied Stone and Bryant.
> </snip>
> 
> If an employee managing a product that my company owned gave answers
> like that to a public interview with Computerworld, they would be in
> deep doo.  First off, my default install of XP Pro SP2 has remote
> assistance inbound, and once you join to a domain, you obviously accept
> necessary domain traffic.  This "no inbound traffic by default so you
> are not vulnerable" line is crap.  It was a direct question - "If RDP
> is allowed through the firewall, are we vulnerable?" A:"Great question.
> Yes, servers are the target.  A firewall should provide added
> protection, maybe.  Rumor is that's what they are for.  Not sure
> really.  What was the question again?"
> 
> You don't get "trustworthy" by not answering people's questions,
> particularly when they are good, obvious questions.  Just be honest
> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> but don't bet on it.  XP code is something like 15 years old now, and
> we're not going to change it.  That's the way it is, sorry. Just be
> glad you're using XP and not 2008/vista or you'd be patching your arse
> off right now."
> 
> If MSFT thinks they are mitigating public opinion issues by side-
> stepping questions and not fully exposing the problems, they are wrong.
> This just makes it worse. That's the long answer.  The short answer is
> "XP is vulnerable to a DoS, and a patch is not being offered."
> 
> t
> 
> 
> 
> > -----Original Message-----
> > From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
> > disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
> > Sent: Tuesday, September 15, 2009 2:37 PM
> > To: bugtraq@xxxxxxxxxxxxxxxxx
> > Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >
> > Reference:
> >
> >
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
> > hes_for_you_XP
> >
> > MS claims the patch would require to much overhaul of XP to make it
> > worth it, and they may be right.  Who knows how many applications
> might
> > break that were designed for XP if they have to radically change the
> > TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> > certainly sounds like it is not going to be patched.
> >
> > The other side of the MS claim is that a properly-firewalled XP
> system
> > would not be vulnerable to a DOS anyway, so a patch shouldn't be
> > necessary.
> >
> > -Eric
> >
> > -------- Original Message  --------
> > Subject: Re: 3rd party patch for XP for MS09-048?
> > From: Jeffrey Walton <noloader@xxxxxxxxx>
> > To: nowhere@xxxxxxxxxxx
> > Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
> > Date: 9/15/09 3:49 PM
> > > Hi Aras,
> > >
> > >
> > >> Given that M$ has officially shot-down all current Windows XP
> users
> > by not
> > >> issuing a patch for a DoS level issue,
> > >>
> > > Can you cite a reference?
> > >
> > > Unless Microsoft has changed their end of life policy [1], XP
> should
> > > be patched for security vulnerabilities until about 2014. Both XP
> > Home
> > > and XP Pro's mainstream support ended in 4/2009, but extended
> support
> > > ends in 4/2014 [2]. Given that we know the end of extended support,
> > > take a look at bullet 17 of [1]:
> > >
> > >     17. What is the Security Update policy?
> > >
> > >     Security updates will be available through the end of the
> > Extended
> > >     Support phase (five years of Mainstream Support plus five years
> > of
> > >     the Extended Support) at no additional cost for most products.
> > >     Security updates will be posted on the Microsoft Update Web
> site
> > >     during both the Mainstream and the Extended Support phase.
> > >
> > >
> > >> I realize some of you might be tempted to relay the M$ BS about
> "not
> > being
> > >> feasible because it's a lot of work" rhetoric...
> > >>
> > > Not at all.
> > >
> > > Jeff
> > >
> > > [1] http://support.microsoft.com/gp/lifepolicy
> > > [2] http://support.microsoft.com/gp/lifeselect
> > >
> > > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> > > <nowhere@xxxxxxxxxxx> wrote:
> > >
> > >> Hello All:
> > >>
> > >> Given that M$ has officially shot-down all current Windows XP
> users
> > by not
> > >> issuing a patch for a DoS level issue, I'm now curious to find out
> > whether
> > >> or not any brave souls out there are already working or willing to
> > work on
> > >> an open-source patch to remediate the issue within XP.
> > >>
> > >> I realize some of you might be tempted to relay the M$ BS about
> "not
> > being
> > >> feasible because it's a lot of work" rhetoric... I would just like
> > to hear
> > >> the thoughts of the true experts subscribed to these lists :)
> > >>
> > >> No harm in that is there?
> > >>
> > >> Aras "Russ" Memisyazici
> > >> Systems Administrator
> > >> Virginia Tech
> > >>
> > >>
> > >>
> >
> > --
> > Eric C. Lukens
> > IT Security Policy and Risk Assessment Analyst
> > ITS-Network Services
> > Curris Business Building 15
> > University of Northern Iowa
> > Cedar Falls, IA 50614-0121
> > 319-273-7434
> > http://www.uni.edu/elukens/
> > http://weblogs.uni.edu/elukens/
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/