RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
Yeah, I know what it is and what it's for ;) That was just my subtle way o=
f trying to make a point. To be more explicit:
1) If you are publishing a vulnerability for which there is no patch, and =
for which you have no intention of making a patch for, don't tell me it's m=
itigated by ancient, unusable default firewall settings, and don't withhold=
explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING W=
E KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deplo=
y firewall settings via group policy to mitigate exposure' when the firewal=
l obviously must be accepting network connections to get the settings in th=
e first place. If all it takes is any listening service, then you have issu=
es. It's like telling me that "the solution is to take the letter 'f' out =
of the word "solution."
2) Think things through. If you are going to try to boot sales of Win7 to=
corporate customers by providing free XP VM technology and thus play up ho=
w important XP is and how many companies still depend upon it for business =
critical application compatibility, don't deploy that technology in an othe=
r-than-default configuration that is subject to a DoS exploit while downpla=
ying the extent that the exploit may be leveraged by saying that a "typical=
" default configuration mitigates it while choosing not to ever patch it. =
Seems like simple logic points to me.
t
> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Wednesday, September 16, 2009 10:16 AM
> To: Thor (Hammer of God)
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>=20
> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of
> course it's vulnerable to any and all gobs of stuff out there. But
> it's
> goal and intent is to allow Small shops to deploy Win7. If you need
> more security, get appv/medv/whateverv or other virtualization.
>=20
> It's not a security platform. It's a get the stupid 16 bit line of
> business app working platform.
>=20
> Thor (Hammer of God) wrote:
> > P.S.
> >
> > Anyone check to see if the default "XP Mode" VM you get for free with
> Win7 hyperv is vulnerable and what the implications are for a host
> running an XP vm that get's DoS'd are?
> >
> > I get the whole "XP code to too old to care" bit, but it seems odd to
> take that "old code" and re-market it around compatibility and re-
> distribute it with free downloads for Win7 while saying "we won't patch
> old code."
> >
> > t
> >
> >
> >> -----Original Message-----
> >> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of
> God)
> >> Sent: Wednesday, September 16, 2009 8:00 AM
> >> To: Eric C. Lukens; bugtraq@securityfocus.com
> >> Cc: full-disclosure@lists.grok.org.uk
> >> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>
> >> Thanks for the link. The problem here is that not enough
> information
> >> is given, and what IS given is obviously watered down to the point
> of
> >> being ineffective.
> >>
> >> The quote that stands out most for me:
> >> <snip>
> >> During the Q&A, however, Windows users repeatedly asked Microsoft's
> >> security team to explain why it wasn't patching XP, or if, in
> certain
> >> scenarios, their machines might be at risk. "We still use Windows XP
> >> and we do not use Windows Firewall," read one of the user questions.
> >> "We use a third-party vendor firewall product. Even assuming that we
> >> use the Windows Firewall, if there are services listening, such as
> >> remote desktop, wouldn't then Windows XP be vulnerable to this?"
> >>
> >> "Servers are a more likely target for this attack, and your firewall
> >> should provide additional protections against external exploits,"
> >> replied Stone and Bryant.
> >> </snip>
> >>
> >> If an employee managing a product that my company owned gave answers
> >> like that to a public interview with Computerworld, they would be in
> >> deep doo. First off, my default install of XP Pro SP2 has remote
> >> assistance inbound, and once you join to a domain, you obviously
> accept
> >> necessary domain traffic. This "no inbound traffic by default so
> you
> >> are not vulnerable" line is crap. It was a direct question - "If
> RDP
> >> is allowed through the firewall, are we vulnerable?" A:"Great
> question.
> >> Yes, servers are the target. A firewall should provide added
> >> protection, maybe. Rumor is that's what they are for. Not sure
> >> really. What was the question again?"
> >>
> >> You don't get "trustworthy" by not answering people's questions,
> >> particularly when they are good, obvious questions. Just be honest
> >> about it. "Yes, XP is vulnerable to a DOS. Your firewall might
> help,
> >> but don't bet on it. XP code is something like 15 years old now,
> and
> >> we're not going to change it. That's the way it is, sorry. Just be
> >> glad you're using XP and not 2008/vista or you'd be patching your
> arse
> >> off right now."
> >>
> >> If MSFT thinks they are mitigating public opinion issues by side-
> >> stepping questions and not fully exposing the problems, they are
> wrong.
> >> This just makes it worse. That's the long answer. The short answer
> is
> >> "XP is vulnerable to a DoS, and a patch is not being offered."
> >>
> >> t
> >>
> >>
> >>
> >>
> >>> -----Original Message-----
> >>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> >>> Sent: Tuesday, September 15, 2009 2:37 PM
> >>> To: bugtraq@securityfocus.com
> >>> Cc: full-disclosure@lists.grok.org.uk
> >>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>>
> >>> Reference:
> >>>
> >>>
> >>>
> >>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
> >>
> >>> hes_for_you_XP
> >>>
> >>> MS claims the patch would require to much overhaul of XP to make it
> >>> worth it, and they may be right. Who knows how many applications
> >>>
> >> might
> >>
> >>> break that were designed for XP if they have to radically change
> the
> >>> TCP/IP stack. Now, I don't know if the MS speak is true, but it
> >>> certainly sounds like it is not going to be patched.
> >>>
> >>> The other side of the MS claim is that a properly-firewalled XP
> >>>
> >> system
> >>
> >>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> >>> necessary.
> >>>
> >>> -Eric
> >>>
> >>> -------- Original Message --------
> >>> Subject: Re: 3rd party patch for XP for MS09-048?
> >>> From: Jeffrey Walton <noloader@gmail.com>
> >>> To: nowhere@devnull.com
> >>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> >>> Date: 9/15/09 3:49 PM
> >>>
> >>>> Hi Aras,
> >>>>
> >>>>
> >>>>
> >>>>> Given that M$ has officially shot-down all current Windows XP
> >>>>>
> >> users
> >>
> >>> by not
> >>>
> >>>>> issuing a patch for a DoS level issue,
> >>>>>
> >>>>>
> >>>> Can you cite a reference?
> >>>>
> >>>> Unless Microsoft has changed their end of life policy [1], XP
> >>>>
> >> should
> >>
> >>>> be patched for security vulnerabilities until about 2014. Both XP
> >>>>
> >>> Home
> >>>
> >>>> and XP Pro's mainstream support ended in 4/2009, but extended
> >>>>
> >> support
> >>
> >>>> ends in 4/2014 [2]. Given that we know the end of extended
> support,
> >>>> take a look at bullet 17 of [1]:
> >>>>
> >>>> 17. What is the Security Update policy?
> >>>>
> >>>> Security updates will be available through the end of the
> >>>>
> >>> Extended
> >>>
> >>>> Support phase (five years of Mainstream Support plus five
> years
> >>>>
> >>> of
> >>>
> >>>> the Extended Support) at no additional cost for most products.
> >>>> Security updates will be posted on the Microsoft Update Web
> >>>>
> >> site
> >>
> >>>> during both the Mainstream and the Extended Support phase.
> >>>>
> >>>>
> >>>>
> >>>>> I realize some of you might be tempted to relay the M$ BS about
> >>>>>
> >> "not
> >>
> >>> being
> >>>
> >>>>> feasible because it's a lot of work" rhetoric...
> >>>>>
> >>>>>
> >>>> Not at all.
> >>>>
> >>>> Jeff
> >>>>
> >>>> [1] http://support.microsoft.com/gp/lifepolicy
> >>>> [2] http://support.microsoft.com/gp/lifeselect
> >>>>
> >>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> >>>> <nowhere@devnull.com> wrote:
> >>>>
> >>>>
> >>>>> Hello All:
> >>>>>
> >>>>> Given that M$ has officially shot-down all current Windows XP
> >>>>>
> >> users
> >>
> >>> by not
> >>>
> >>>>> issuing a patch for a DoS level issue, I'm now curious to find
> out
> >>>>>
> >>> whether
> >>>
> >>>>> or not any brave souls out there are already working or willing
> to
> >>>>>
> >>> work on
> >>>
> >>>>> an open-source patch to remediate the issue within XP.
> >>>>>
> >>>>> I realize some of you might be tempted to relay the M$ BS about
> >>>>>
> >> "not
> >>
> >>> being
> >>>
> >>>>> feasible because it's a lot of work" rhetoric... I would just
> like
> >>>>>
> >>> to hear
> >>>
> >>>>> the thoughts of the true experts subscribed to these lists :)
> >>>>>
> >>>>> No harm in that is there?
> >>>>>
> >>>>> Aras "Russ" Memisyazici
> >>>>> Systems Administrator
> >>>>> Virginia Tech
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>> --
> >>> Eric C. Lukens
> >>> IT Security Policy and Risk Assessment Analyst
> >>> ITS-Network Services
> >>> Curris Business Building 15
> >>> University of Northern Iowa
> >>> Cedar Falls, IA 50614-0121
> >>> 319-273-7434
> >>> http://www.uni.edu/elukens/
> >>> http://weblogs.uni.edu/elukens/
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >
討論串 (同標題文章)
完整討論串 (本文為第 5 之 7 篇):