RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
Thanks for the link. The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective.
The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
</snip>
If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo. First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic. This "no inbound traffic by default so you are not vulnerable" line is crap. It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A: "Great question. Yes, servers are the target. A firewall should provide added protection, maybe. Rumor is that's what they are for. Not sure really. What was the question again?"
You don't get "trustworthy" by not answering people's questions, particularly when they are good, obvious questions. Just be honest about it. "Yes, XP is vulnerable to a DoS. Your firewall might help, but don't bet on it. XP code is something like 15 years old now, and we're not going to change it. That's the way it is, sorry. Just be glad you're using XP and not 2008/Vista or you'd be patching your arse off right now."
If MSFT thinks they are mitigating public opinion issues by side-stepping questions and not fully exposing the problems, they are wrong. This just makes it worse. That's the long answer. The short answer is "XP is vulnerable to a DoS, and a patch is not being offered."
t
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> Sent: Tuesday, September 15, 2009 2:37 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require too much overhaul of XP to make it
> worth it, and they may be right. Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack. Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DoS anyway, so a patch shouldn't be
> necessary.
>
> -Eric
>
> -------- Original Message --------
> Subject: Re: 3rd party patch for XP for MS09-048?
> From: Jeffrey Walton <noloader@gmail.com>
> To: nowhere@devnull.com
> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> Date: 9/15/09 3:49 PM
> > Hi Aras,
> >
> >
> >> Given that M$ has officially shot-down all current Windows XP users by not
> >> issuing a patch for a DoS level issue,
> >>
> > Can you cite a reference?
> >
> > Unless Microsoft has changed their end of life policy [1], XP should
> > be patched for security vulnerabilities until about 2014. Both XP Home
> > and XP Pro's mainstream support ended in 4/2009, but extended support
> > ends in 4/2014 [2]. Given that we know the end of extended support,
> > take a look at bullet 17 of [1]:
> >
> > 17. What is the Security Update policy?
> >
> > Security updates will be available through the end of the Extended
> > Support phase (five years of Mainstream Support plus five years of
> > the Extended Support) at no additional cost for most products.
> > Security updates will be posted on the Microsoft Update Web site
> > during both the Mainstream and the Extended Support phase.
> >
> >
> >> I realize some of you might be tempted to relay the M$ BS about "not being
> >> feasible because it's a lot of work" rhetoric...
> >>
> > Not at all.
> >
> > Jeff
> >
> > [1] http://support.microsoft.com/gp/lifepolicy
> > [2] http://support.microsoft.com/gp/lifeselect
> >
> > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> > <nowhere@devnull.com> wrote:
> >
> >> Hello All:
> >>
> >> Given that M$ has officially shot-down all current Windows XP users by not
> >> issuing a patch for a DoS level issue, I'm now curious to find out whether
> >> or not any brave souls out there are already working or willing to work on
> >> an open-source patch to remediate the issue within XP.
> >>
> >> I realize some of you might be tempted to relay the M$ BS about "not being
> >> feasible because it's a lot of work" rhetoric... I would just like to hear
> >> the thoughts of the true experts subscribed to these lists :)
> >>
> >> No harm in that is there?
> >>
> >> Aras "Russ" Memisyazici
> >> Systems Administrator
> >> Virginia Tech
> >>
>
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/