[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] 3rd party patch for XP for MS09-048?



Good geeks ...not gook geeks.

It's not a racial slight, it's spellchecker not working and I didn't 
realize I spelled it wrong.  My deepest apologies if anyone reads that 
wrong.

Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust 
>> that this
>                          ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7.  Granted the marketing folks spun 
>> this bulletin WAY WAY TOO much.  It is what it is.  I do believe the 
>> architecture in XP just isn't there.  It's a 10 year old platform 
>> that sometimes you can't bolt on this stuff afterwards.  Even in 
>> Vista, it's not truly fixing the issue, merely making the system more 
>> resilient to attacks.  Read the fine print in the patch.. it's just 
>> making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the 
>> support window of the product.
>>
>> It is just a DOS.  I DOS myself after patch Tuesday sometimes with 
>> mere patch issues.  Also the risk of this appears low, the potential 
>> for someone coding up an attack low... I have bigger risks from fake 
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect 
>> such energy? I don't see that it is.  Give me more information that 
>> it is a risk and I may change my mind, but right now, I'm just not 
>> seeing that it's worth it.
>>
>>
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>>
>>> Thank you all for your valuable comments... Indeed I appreciated 
>>> some of the
>>> links/info extended (Susan, Thor and Tom) However, in the end, it 
>>> sounded
>>> like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall 
>>> solution, I
>>> seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was 
>>> stated
>>> earlier, they did the exact same thing back in Win2K days... Nothing 
>>> new
>>> here... :/ As Larry and Thor pointed out, what sux is that despite M$
>>> "PROMISING" that they would continue supporting XP since they didn't 
>>> exactly
>>> state WHAT they would support, they seem to be legally free to 
>>> actually get
>>> away with this BS *sigh* gotta love insurance-salesman-tactics when 
>>> it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from 
>>> the
>>> "big'uns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who 
>>> cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm 
>>> misunderstanding, he's
>>> suggesting switching to an iptables based protection along with a 
>>> registry
>>> tweak... ahh the good ol' batch firewall :) Would this actually work 
>>> as a
>>> viable work-around? I realize M$ stated this as such, but given their
>>> current reputation it's really hard to take their word for anything 
>>> these
>>> days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current 
>>> attack? Any
>>> suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null 
>>> for... well
>>> you know why!
>>>
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:larry@xxxxxxxxxxxxxxxx] Sent: Wednesday, 
>>> September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Yes, they used the bulletin to soft-pedal the description, but at the
>>> same time I think they send a message about XP users being on shaky
>>> ground. Just because they've got 4+ years of Extended Support Period
>>> left doesn't mean they're going to get first-class treatment.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> larry_seltzer@xxxxxxxxxxxxx http://blogs.pcmag.com/securitywatch/
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Susan
>>> Bradley
>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's only "default" for people running XP standalone/consumer that 
>>> are not even in a home network settings.
>>>
>>> That kinda slices and dices that default down to a VERY narrow sub 
>>> sub sub set of customer base.
>>>
>>> (Bottom line, yes, the marketing team definitely got a hold of that 
>>> bulletin)
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>>>>
>>> way of trying to make a point.  To be more explicit:
>>>
>>>> 1)  If you are publishing a vulnerability for which there is no patch,
>>>>
>>> and for which you have no intention of making a patch for, don't 
>>> tell me
>>> it's mitigated by ancient, unusable default firewall settings, and 
>>> don't
>>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't 
>>> say
>>> 'you can deploy firewall settings via group policy to mitigate 
>>> exposure'
>>> when the firewall obviously must be accepting network connections to 
>>> get
>>> the settings in the first place. If all it takes is any listening
>>> service, then you have issues.  It's like telling me that "the solution
>>> is to take the letter 'f' out of the word "solution."
>>>
>>>> 2)  Think things through.  If you are going to try to boot sales of
>>>>
>>> Win7 to corporate customers by providing free XP VM technology and thus
>>> play up how important XP is and how many companies still depend upon it
>>> for business critical application compatibility, don't deploy that
>>> technology in an other-than-default configuration that is subject to a
>>> DoS exploit while downplaying the extent that the exploit may be
>>> leveraged by saying that a "typical" default configuration mitigates it
>>> while choosing not to ever patch it.    Seems like simple logic points
>>> to me.
>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Susan Bradley [mailto:sbradcpa@xxxxxxxxxxx]
>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>> To: Thor (Hammer of God)
>>>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.
>>>>>
>>> Of
>>>
>>>>> course it's vulnerable to any and all gobs of stuff out there.  But
>>>>> it's
>>>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>>>> more security, get appv/medv/whateverv or other virtualization.
>>>>>
>>>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>>>> business app working platform.
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>
>>>>>> P.S.
>>>>>>
>>>>>> Anyone check to see if the default "XP Mode" VM you get for free
>>>>>>
>>> with
>>>
>>>>>>
>>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>>> running an XP vm that get's DoS'd are?
>>>>>
>>>>>> I get the whole "XP code to too old to care" bit, but it seems odd
>>>>>>
>>> to
>>>
>>>>>>
>>>>> take that "old code" and re-market it around compatibility and re-
>>>>> distribute it with free downloads for Win7 while saying "we won't
>>>>>
>>> patch
>>>
>>>>> old code."
>>>>>
>>>>>> t
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
>>>>>>> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
>>>>>>>
>>>>> God)
>>>>>
>>>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>>>> To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
>>>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>
>>>>>>> Thanks for the link.  The problem here is that not enough
>>>>>>>
>>>>> information
>>>>>
>>>>>>> is given, and what IS given is obviously watered down to the point
>>>>>>>
>>>>> of
>>>>>
>>>>>>> being ineffective.
>>>>>>>
>>>>>>> The quote that stands out most for me:
>>>>>>> <snip>
>>>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>>>> security team to explain why it wasn't patching XP, or if, in
>>>>>>>
>>>>> certain
>>>>>
>>>>>>> scenarios, their machines might be at risk. "We still use Windows
>>>>>>>
>>> XP
>>>
>>>>>>> and we do not use Windows Firewall," read one of the user
>>>>>>>
>>> questions.
>>>
>>>>>>> "We use a third-party vendor firewall product. Even assuming that
>>>>>>>
>>> we
>>>
>>>>>>> use the Windows Firewall, if there are services listening, such as
>>>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>>>
>>>>>>> "Servers are a more likely target for this attack, and your
>>>>>>>
>>> firewall
>>>
>>>>>>> should provide additional protections against external exploits,"
>>>>>>> replied Stone and Bryant.
>>>>>>> </snip>
>>>>>>>
>>>>>>> If an employee managing a product that my company owned gave
>>>>>>>
>>> answers
>>>
>>>>>>> like that to a public interview with Computerworld, they would be
>>>>>>>
>>> in
>>>
>>>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>>>> assistance inbound, and once you join to a domain, you obviously
>>>>>>>
>>>>> accept
>>>>>
>>>>>>> necessary domain traffic.  This "no inbound traffic by default so
>>>>>>>
>>>>> you
>>>>>
>>>>>>> are not vulnerable" line is crap.  It was a direct question - "If
>>>>>>>
>>>>> RDP
>>>>>
>>>>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>>>>
>>>>> question.
>>>>>
>>>>>>> Yes, servers are the target.  A firewall should provide added
>>>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>>>> really.  What was the question again?"
>>>>>>>
>>>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
>>>>>>>
>>>>> help,
>>>>>
>>>>>>> but don't bet on it.  XP code is something like 15 years old now,
>>>>>>>
>>>>> and
>>>>>
>>>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>>>> glad you're using XP and not 2008/vista or you'd be patching your
>>>>>>>
>>>>> arse
>>>>>
>>>>>>> off right now."
>>>>>>>
>>>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>>>> stepping questions and not fully exposing the problems, they are
>>>>>>>
>>>>> wrong.
>>>>>
>>>>>>> This just makes it worse. That's the long answer.  The short answer
>>>>>>>
>>>>> is
>>>>>
>>>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
>>>>>>>> disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
>>>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>>>> To: bugtraq@xxxxxxxxxxxxxxxxx
>>>>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
>>>>>>>>
>>> MS09-048?
>>>
>>>>>>>> Reference:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>>
>>>>>
>>>>>>>> hes_for_you_XP
>>>>>>>>
>>>>>>>> MS claims the patch would require to much overhaul of XP to make
>>>>>>>>
>>> it
>>>
>>>>>>>> worth it, and they may be right.  Who knows how many applications
>>>>>>>>
>>>>>>>>
>>>>>>> might
>>>>>>>
>>>>>>>
>>>>>>>> break that were designed for XP if they have to radically change
>>>>>>>>
>>>>> the
>>>>>
>>>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>>>> certainly sounds like it is not going to be patched.
>>>>>>>>
>>>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>>>
>>>>>>>>
>>>>>>> system
>>>>>>>
>>>>>>>
>>>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>>>> necessary.
>>>>>>>>
>>>>>>>> -Eric
>>>>>>>>
>>>>>>>> -------- Original Message  --------
>>>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>>>> From: Jeffrey Walton <noloader@xxxxxxxxx>
>>>>>>>> To: nowhere@xxxxxxxxxxx
>>>>>>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>>> Date: 9/15/09 3:49 PM
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi Aras,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> users
>>>>>>>
>>>>>>>
>>>>>>>> by not
>>>>>>>>
>>>>>>>>
>>>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Can you cite a reference?
>>>>>>>>>
>>>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>>>
>>>>>>>>>
>>>>>>> should
>>>>>>>
>>>>>>>
>>>>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Home
>>>>>>>>
>>>>>>>>
>>>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended
>>>>>>>>>
>>>>>>>>>
>>>>>>> support
>>>>>>>
>>>>>>>
>>>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>>>>
>>>>> support,
>>>>>
>>>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>>>
>>>>>>>>>     17. What is the Security Update policy?
>>>>>>>>>
>>>>>>>>>     Security updates will be available through the end of the
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Extended
>>>>>>>>
>>>>>>>>
>>>>>>>>>     Support phase (five years of Mainstream Support plus five
>>>>>>>>>
>>>>> years
>>>>>
>>>>>>>> of
>>>>>>>>
>>>>>>>>
>>>>>>>>>     the Extended Support) at no additional cost for most
>>>>>>>>>
>>> products.
>>>
>>>>>>>>>     Security updates will be posted on the Microsoft Update Web
>>>>>>>>>
>>>>>>>>>
>>>>>>> site
>>>>>>>
>>>>>>>
>>>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> "not
>>>>>>>
>>>>>>>
>>>>>>>> being
>>>>>>>>
>>>>>>>>
>>>>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Not at all.
>>>>>>>>>
>>>>>>>>> Jeff
>>>>>>>>>
>>>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>>>
>>>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>>>> <nowhere@xxxxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello All:
>>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> users
>>>>>>>
>>>>>>>
>>>>>>>> by not
>>>>>>>>
>>>>>>>>
>>>>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>>>>
>>>>> out
>>>>>
>>>>>>>> whether
>>>>>>>>
>>>>>>>>
>>>>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>>>>
>>>>> to
>>>>>
>>>>>>>> work on
>>>>>>>>
>>>>>>>>
>>>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> "not
>>>>>>>
>>>>>>>
>>>>>>>> being
>>>>>>>>
>>>>>>>>
>>>>>>>>>> feasible because it's a lot of work" rhetoric... I would just
>>>>>>>>>>
>>>>> like
>>>>>
>>>>>>>> to hear
>>>>>>>>
>>>>>>>>
>>>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>>>
>>>>>>>>>> No harm in that is there?
>>>>>>>>>>
>>>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>>>> Systems Administrator
>>>>>>>>>> Virginia Tech
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Eric C. Lukens
>>>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>>>> ITS-Network Services
>>>>>>>> Curris Business Building 15
>>>>>>>> University of Northern Iowa
>>>>>>>> Cedar Falls, IA 50614-0121
>>>>>>>> 319-273-7434
>>>>>>>> http://www.uni.edu/elukens/
>>>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/