[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
- From: "James Lay" <jlay@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Sep 2009 11:34:00 -0600 (MDT)
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require to much overhaul of XP to make it
> worth it, and they may be right. Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack. Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> necessary.
>
> -Eric
>
Apparently MS either:
a) believes that people/employees on a LAN would NEVER EVER do anything
naughty or;
b) that hostbased firewalls should be enabled on ALL workstations
regardless if they are behind corporate firewall/nat/etc...
Either way....remote code or DoS, it's still a timebomb. PCI DSS requires
these types of things to be patched or mitigated (compensating control) if
placed in the cardholder data environment. Looks like no patch means a
lot of extra work for companies taking debit/credit and running XP.
James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/