[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?



It's only "default" for people running XP standalone/consumer that are not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that bulletin)

Thor (Hammer of God) wrote:
Yeah, I know what it is and what it's for ;)  That was just my subtle way of 
trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and for which you have no 
intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall 
settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S 
EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say 'you can deploy firewall 
settings via group policy to mitigate exposure' when the firewall obviously must be accepting network 
connections to get the settings in the first place. If all it takes is any listening service, then you 
have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word 
"solution."

2)  Think things through.  If you are going to try to boot sales of Win7 to corporate 
customers by providing free XP VM technology and thus play up how important XP is and how 
many companies still depend upon it for business critical application compatibility, 
don't deploy that technology in an other-than-default configuration that is subject to a 
DoS exploit while downplaying the extent that the exploit may be leveraged by saying that 
a "typical" default configuration mitigates it while choosing not to ever patch 
it.    Seems like simple logic points to me.

t

-----Original Message-----
From: Susan Bradley [mailto:sbradcpa@xxxxxxxxxxx]
Sent: Wednesday, September 16, 2009 10:16 AM
To: Thor (Hammer of God)
Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
course it's vulnerable to any and all gobs of stuff out there.  But
it's
goal and intent is to allow Small shops to deploy Win7.  If you need
more security, get appv/medv/whateverv or other virtualization.

It's not a security platform.  It's a get the stupid 16 bit line of
business app working platform.

Thor (Hammer of God) wrote:
P.S.

Anyone check to see if the default "XP Mode" VM you get for free with
Win7 hyperv is vulnerable and what the implications are for a host
running an XP vm that get's DoS'd are?
I get the whole "XP code to too old to care" bit, but it seems odd to
take that "old code" and re-market it around compatibility and re-
distribute it with free downloads for Win7 while saying "we won't patch
old code."
t


-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
God)
Sent: Wednesday, September 16, 2009 8:00 AM
To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link.  The problem here is that not enough
information
is given, and what IS given is obviously watered down to the point
of
being ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's
security team to explain why it wasn't patching XP, or if, in
certain
scenarios, their machines might be at risk. "We still use Windows XP
and we do not use Windows Firewall," read one of the user questions.
"We use a third-party vendor firewall product. Even assuming that we
use the Windows Firewall, if there are services listening, such as
remote desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo.  First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously
accept
necessary domain traffic.  This "no inbound traffic by default so
you
are not vulnerable" line is crap.  It was a direct question - "If
RDP
is allowed through the firewall, are we vulnerable?" A:"Great
question.
Yes, servers are the target.  A firewall should provide added
protection, maybe.  Rumor is that's what they are for.  Not sure
really.  What was the question again?"

You don't get "trustworthy" by not answering people's questions,
particularly when they are good, obvious questions.  Just be honest
about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
help,
but don't bet on it.  XP code is something like 15 years old now,
and
we're not going to change it.  That's the way it is, sorry. Just be
glad you're using XP and not 2008/vista or you'd be patching your
arse
off right now."

If MSFT thinks they are mitigating public opinion issues by side-
stepping questions and not fully exposing the problems, they are
wrong.
This just makes it worse. That's the long answer.  The short answer
is
"XP is vulnerable to a DoS, and a patch is not being offered."

t




-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
Sent: Tuesday, September 15, 2009 2:37 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Reference:



http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
hes_for_you_XP

MS claims the patch would require to much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications

might

break that were designed for XP if they have to radically change
the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP

system

would not be vulnerable to a DOS anyway, so a patch shouldn't be
necessary.

-Eric

-------- Original Message  --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader@xxxxxxxxx>
To: nowhere@xxxxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Date: 9/15/09 3:49 PM

Hi Aras,



Given that M$ has officially shot-down all current Windows XP

users

by not

issuing a patch for a DoS level issue,


Can you cite a reference?

Unless Microsoft has changed their end of life policy [1], XP

should

be patched for security vulnerabilities until about 2014. Both XP

Home

and XP Pro's mainstream support ended in 4/2009, but extended

support

ends in 4/2014 [2]. Given that we know the end of extended
support,
take a look at bullet 17 of [1]:

    17. What is the Security Update policy?

    Security updates will be available through the end of the

Extended

    Support phase (five years of Mainstream Support plus five
years
of

    the Extended Support) at no additional cost for most products.
    Security updates will be posted on the Microsoft Update Web

site

    during both the Mainstream and the Extended Support phase.



I realize some of you might be tempted to relay the M$ BS about

"not

being

feasible because it's a lot of work" rhetoric...


Not at all.

Jeff

[1] http://support.microsoft.com/gp/lifepolicy
[2] http://support.microsoft.com/gp/lifeselect

On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
<nowhere@xxxxxxxxxxx> wrote:


Hello All:

Given that M$ has officially shot-down all current Windows XP

users

by not

issuing a patch for a DoS level issue, I'm now curious to find
out
whether

or not any brave souls out there are already working or willing
to
work on

an open-source patch to remediate the issue within XP.

I realize some of you might be tempted to relay the M$ BS about

"not

being

feasible because it's a lot of work" rhetoric... I would just
like
to hear

the thoughts of the true experts subscribed to these lists :)

No harm in that is there?

Aras "Russ" Memisyazici
Systems Administrator
Virginia Tech




--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/