[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
- To: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
- From: Susan Bradley <sbradcpa@xxxxxxxxxxx>
- Date: Wed, 16 Sep 2009 11:25:54 -0700
It's only "default" for people running XP standalone/consumer that are
not even in a home network settings.
That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.
(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)
Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;) That was just my subtle way of
> trying to make a point. To be more explicit:
>
> 1) If you are publishing a vulnerability for which there is no patch, and
> for which you have no intention of making a patch for, don't tell me it's
> mitigated by ancient, unusable default firewall settings, and don't withhold
> explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE
> KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy
> firewall settings via group policy to mitigate exposure' when the firewall
> obviously must be accepting network connections to get the settings in the
> first place. If all it takes is any listening service, then you have issues.
> It's like telling me that "the solution is to take the letter 'f' out of the
> word "solution."
>
> 2) Think things through. If you are going to try to boot sales of Win7 to
> corporate customers by providing free XP VM technology and thus play up how
> important XP is and how many companies still depend upon it for business
> critical application compatibility, don't deploy that technology in an
> other-than-default configuration that is subject to a DoS exploit while
> downplaying the extent that the exploit may be leveraged by saying that a
> "typical" default configuration mitigates it while choosing not to ever patch
> it. Seems like simple logic points to me.
>
> t
>
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@xxxxxxxxxxx]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of
>> course it's vulnerable to any and all gobs of stuff out there. But
>> it's
>> goal and intent is to allow Small shops to deploy Win7. If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform. It's a get the stupid 16 bit line of
>> business app working platform.
>>
>> Thor (Hammer of God) wrote:
>>
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>
>> Win7 hyperv is vulnerable and what the implications are for a host
>> running an XP vm that get's DoS'd are?
>>
>>> I get the whole "XP code to too old to care" bit, but it seems odd to
>>>
>> take that "old code" and re-market it around compatibility and re-
>> distribute it with free downloads for Win7 while saying "we won't patch
>> old code."
>>
>>> t
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
>>>> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
>>>>
>> God)
>>
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link. The problem here is that not enough
>>>>
>> information
>>
>>>> is given, and what IS given is obviously watered down to the point
>>>>
>> of
>>
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in
>>>>
>> certain
>>
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo. First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously
>>>>
>> accept
>>
>>>> necessary domain traffic. This "no inbound traffic by default so
>>>>
>> you
>>
>>>> are not vulnerable" line is crap. It was a direct question - "If
>>>>
>> RDP
>>
>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>
>> question.
>>
>>>> Yes, servers are the target. A firewall should provide added
>>>> protection, maybe. Rumor is that's what they are for. Not sure
>>>> really. What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions. Just be honest
>>>> about it. "Yes, XP is vulnerable to a DOS. Your firewall might
>>>>
>> help,
>>
>>>> but don't bet on it. XP code is something like 15 years old now,
>>>>
>> and
>>
>>>> we're not going to change it. That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/vista or you'd be patching your
>>>>
>> arse
>>
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>> stepping questions and not fully exposing the problems, they are
>>>>
>> wrong.
>>
>>>> This just makes it worse. That's the long answer. The short answer
>>>>
>> is
>>
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
>>>>> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@xxxxxxxxxxxxxxxxx
>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>>
>>>>>
>>>>>
>>>>>
>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>
>>>>> hes_for_you_XP
>>>>>
>>>>> MS claims the patch would require to much overhaul of XP to make it
>>>>> worth it, and they may be right. Who knows how many applications
>>>>>
>>>>>
>>>> might
>>>>
>>>>
>>>>> break that were designed for XP if they have to radically change
>>>>>
>> the
>>
>>>>> TCP/IP stack. Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>
>>>>>
>>>> system
>>>>
>>>>
>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>> From: Jeffrey Walton <noloader@xxxxxxxxx>
>>>>> To: nowhere@xxxxxxxxxxx
>>>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> Date: 9/15/09 3:49 PM
>>>>>
>>>>>
>>>>>> Hi Aras,
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>
>>>>>>>
>>>> users
>>>>
>>>>
>>>>> by not
>>>>>
>>>>>
>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Can you cite a reference?
>>>>>>
>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>
>>>>>>
>>>> should
>>>>
>>>>
>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>
>>>>>>
>>>>> Home
>>>>>
>>>>>
>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended
>>>>>>
>>>>>>
>>>> support
>>>>
>>>>
>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>
>> support,
>>
>>>>>> take a look at bullet 17 of [1]:
>>>>>>
>>>>>> 17. What is the Security Update policy?
>>>>>>
>>>>>> Security updates will be available through the end of the
>>>>>>
>>>>>>
>>>>> Extended
>>>>>
>>>>>
>>>>>> Support phase (five years of Mainstream Support plus five
>>>>>>
>> years
>>
>>>>> of
>>>>>
>>>>>
>>>>>> the Extended Support) at no additional cost for most products.
>>>>>> Security updates will be posted on the Microsoft Update Web
>>>>>>
>>>>>>
>>>> site
>>>>
>>>>
>>>>>> during both the Mainstream and the Extended Support phase.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>
>>>>>>>
>>>> "not
>>>>
>>>>
>>>>> being
>>>>>
>>>>>
>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Not at all.
>>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>
>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>> <nowhere@xxxxxxxxxxx> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Hello All:
>>>>>>>
>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>
>>>>>>>
>>>> users
>>>>
>>>>
>>>>> by not
>>>>>
>>>>>
>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>
>> out
>>
>>>>> whether
>>>>>
>>>>>
>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>
>> to
>>
>>>>> work on
>>>>>
>>>>>
>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>
>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>
>>>>>>>
>>>> "not
>>>>
>>>>
>>>>> being
>>>>>
>>>>>
>>>>>>> feasible because it's a lot of work" rhetoric... I would just
>>>>>>>
>> like
>>
>>>>> to hear
>>>>>
>>>>>
>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>
>>>>>>> No harm in that is there?
>>>>>>>
>>>>>>> Aras "Russ" Memisyazici
>>>>>>> Systems Administrator
>>>>>>> Virginia Tech
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/