[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?



On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?


2009/9/16 Aras "Russ" Memisyazici <nowhere@xxxxxxxxxxx>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP since they didn't exactly
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "big'uns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
> you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@xxxxxxxxxxxxxxxx]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because they've got 4+ years of Extended Support Period
> left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@xxxxxxxxxxxxx
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Susan
> Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's only "default" for people running XP standalone/consumer that are
> not even in a home network settings.
>
> That kinda slices and dices that default down to a VERY narrow sub sub
> sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that
> bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what it's for ;)  That was just my subtle
> way of trying to make a point.  To be more explicit:
>>
>> 1)  If you are publishing a vulnerability for which there is no patch,
> and for which you have no intention of making a patch for, don't tell me
> it's mitigated by ancient, unusable default firewall settings, and don't
> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
> 'you can deploy firewall settings via group policy to mitigate exposure'
> when the firewall obviously must be accepting network connections to get
> the settings in the first place. If all it takes is any listening
> service, then you have issues.  It's like telling me that "the solution
> is to take the letter 'f' out of the word "solution."
>>
>> 2)  Think things through.  If you are going to try to boot sales of
> Win7 to corporate customers by providing free XP VM technology and thus
> play up how important XP is and how many companies still depend upon it
> for business critical application compatibility, don't deploy that
> technology in an other-than-default configuration that is subject to a
> DoS exploit while downplaying the extent that the exploit may be
> leveraged by saying that a "typical" default configuration mitigates it
> while choosing not to ever patch it.    Seems like simple logic points
> to me.
>>
>> t
>>
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@xxxxxxxxxxx]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.
> Of
>>> course it's vulnerable to any and all gobs of stuff out there.  But
>>> it's
>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>> more security, get appv/medv/whateverv or other virtualization.
>>>
>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>> business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free
> with
>>>>
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP vm that get's DoS'd are?
>>>
>>>> I get the whole "XP code to too old to care" bit, but it seems odd
> to
>>>>
>>> take that "old code" and re-market it around compatibility and re-
>>> distribute it with free downloads for Win7 while saying "we won't
> patch
>>> old code."
>>>
>>>> t
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
>>>>> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
>>>>>
>>> God)
>>>
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link.  The problem here is that not enough
>>>>>
>>> information
>>>
>>>>> is given, and what IS given is obviously watered down to the point
>>>>>
>>> of
>>>
>>>>> being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>> security team to explain why it wasn't patching XP, or if, in
>>>>>
>>> certain
>>>
>>>>> scenarios, their machines might be at risk. "We still use Windows
> XP
>>>>> and we do not use Windows Firewall," read one of the user
> questions.
>>>>> "We use a third-party vendor firewall product. Even assuming that
> we
>>>>> use the Windows Firewall, if there are services listening, such as
>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your
> firewall
>>>>> should provide additional protections against external exploits,"
>>>>> replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave
> answers
>>>>> like that to a public interview with Computerworld, they would be
> in
>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>> assistance inbound, and once you join to a domain, you obviously
>>>>>
>>> accept
>>>
>>>>> necessary domain traffic.  This "no inbound traffic by default so
>>>>>
>>> you
>>>
>>>>> are not vulnerable" line is crap.  It was a direct question - "If
>>>>>
>>> RDP
>>>
>>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>>
>>> question.
>>>
>>>>> Yes, servers are the target.  A firewall should provide added
>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>> really.  What was the question again?"
>>>>>
>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
>>>>>
>>> help,
>>>
>>>>> but don't bet on it.  XP code is something like 15 years old now,
>>>>>
>>> and
>>>
>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>> glad you're using XP and not 2008/vista or you'd be patching your
>>>>>
>>> arse
>>>
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are
>>>>>
>>> wrong.
>>>
>>>>> This just makes it worse. That's the long answer.  The short answer
>>>>>
>>> is
>>>
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
>>>>>> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@xxxxxxxxxxxxxxxxx
>>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
> MS09-048?
>>>>>>
>>>>>> Reference:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>>
>>>>>> hes_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require to much overhaul of XP to make
> it
>>>>>> worth it, and they may be right.  Who knows how many applications
>>>>>>
>>>>>>
>>>>> might
>>>>>
>>>>>
>>>>>> break that were designed for XP if they have to radically change
>>>>>>
>>> the
>>>
>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>
>>>>>>
>>>>> system
>>>>>
>>>>>
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@xxxxxxxxx>
>>>>>> To: nowhere@xxxxxxxxxxx
>>>>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>
>>>>>>>>
>>>>> users
>>>>>
>>>>>
>>>>>> by not
>>>>>>
>>>>>>
>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>
>>>>>>>
>>>>> should
>>>>>
>>>>>
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>>
>>>>>>>
>>>>>> Home
>>>>>>
>>>>>>
>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended
>>>>>>>
>>>>>>>
>>>>> support
>>>>>
>>>>>
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>>
>>> support,
>>>
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the
>>>>>>>
>>>>>>>
>>>>>> Extended
>>>>>>
>>>>>>
>>>>>>>     Support phase (five years of Mainstream Support plus five
>>>>>>>
>>> years
>>>
>>>>>> of
>>>>>>
>>>>>>
>>>>>>>     the Extended Support) at no additional cost for most
> products.
>>>>>>>     Security updates will be posted on the Microsoft Update Web
>>>>>>>
>>>>>>>
>>>>> site
>>>>>
>>>>>
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>
>>>>>>>>
>>>>> "not
>>>>>
>>>>>
>>>>>> being
>>>>>>
>>>>>>
>>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@xxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>
>>>>>>>>
>>>>> users
>>>>>
>>>>>
>>>>>> by not
>>>>>>
>>>>>>
>>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>>
>>> out
>>>
>>>>>> whether
>>>>>>
>>>>>>
>>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>>
>>> to
>>>
>>>>>> work on
>>>>>>
>>>>>>
>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>
>>>>>>>>
>>>>> "not
>>>>>
>>>>>
>>>>>> being
>>>>>>
>>>>>>
>>>>>>>> feasible because it's a lot of work" rhetoric... I would just
>>>>>>>>
>>> like
>>>
>>>>>> to hear
>>>>>>
>>>>>>
>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>
>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>