P.S. Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that get's DoS'd are?
I get the whole "XP code to too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code." t > -----Original Message----- > From: full-disclosure-boun...@lists.grok.org.uk [mailto:full- > disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God) > Sent: Wednesday, September 16, 2009 8:00 AM > To: Eric C. Lukens; bugtraq@securityfocus.com > Cc: full-disclos...@lists.grok.org.uk > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048? > > Thanks for the link. The problem here is that not enough information > is given, and what IS given is obviously watered down to the point of > being ineffective. > > The quote that stands out most for me: > <snip> > During the Q&A, however, Windows users repeatedly asked Microsoft's > security team to explain why it wasn't patching XP, or if, in certain > scenarios, their machines might be at risk. "We still use Windows XP > and we do not use Windows Firewall," read one of the user questions. > "We use a third-party vendor firewall product. Even assuming that we > use the Windows Firewall, if there are services listening, such as > remote desktop, wouldn't then Windows XP be vulnerable to this?" > > "Servers are a more likely target for this attack, and your firewall > should provide additional protections against external exploits," > replied Stone and Bryant. > </snip> > > If an employee managing a product that my company owned gave answers > like that to a public interview with Computerworld, they would be in > deep doo. First off, my default install of XP Pro SP2 has remote > assistance inbound, and once you join to a domain, you obviously accept > necessary domain traffic. This "no inbound traffic by default so you > are not vulnerable" line is crap. It was a direct question - "If RDP > is allowed through the firewall, are we vulnerable?" A:"Great question. > Yes, servers are the target. A firewall should provide added > protection, maybe. Rumor is that's what they are for. Not sure > really. What was the question again?" > > You don't get "trustworthy" by not answering people's questions, > particularly when they are good, obvious questions. Just be honest > about it. "Yes, XP is vulnerable to a DOS. Your firewall might help, > but don't bet on it. XP code is something like 15 years old now, and > we're not going to change it. That's the way it is, sorry. Just be > glad you're using XP and not 2008/vista or you'd be patching your arse > off right now." > > If MSFT thinks they are mitigating public opinion issues by side- > stepping questions and not fully exposing the problems, they are wrong. > This just makes it worse. That's the long answer. The short answer is > "XP is vulnerable to a DoS, and a patch is not being offered." > > t > > > > > -----Original Message----- > > From: full-disclosure-boun...@lists.grok.org.uk [mailto:full- > > disclosure-boun...@lists.grok.org.uk] On Behalf Of Eric C. Lukens > > Sent: Tuesday, September 15, 2009 2:37 PM > > To: bugtraq@securityfocus.com > > Cc: full-disclos...@lists.grok.org.uk > > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048? > > > > Reference: > > > > > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc > > hes_for_you_XP > > > > MS claims the patch would require to much overhaul of XP to make it > > worth it, and they may be right. Who knows how many applications > might > > break that were designed for XP if they have to radically change the > > TCP/IP stack. Now, I don't know if the MS speak is true, but it > > certainly sounds like it is not going to be patched. > > > > The other side of the MS claim is that a properly-firewalled XP > system > > would not be vulnerable to a DOS anyway, so a patch shouldn't be > > necessary. > > > > -Eric > > > > -------- Original Message -------- > > Subject: Re: 3rd party patch for XP for MS09-048? > > From: Jeffrey Walton <noloa...@gmail.com> > > To: nowh...@devnull.com > > Cc: bugtraq@securityfocus.com, full-disclos...@lists.grok.org.uk > > Date: 9/15/09 3:49 PM > > > Hi Aras, > > > > > > > > >> Given that M$ has officially shot-down all current Windows XP > users > > by not > > >> issuing a patch for a DoS level issue, > > >> > > > Can you cite a reference? > > > > > > Unless Microsoft has changed their end of life policy [1], XP > should > > > be patched for security vulnerabilities until about 2014. Both XP > > Home > > > and XP Pro's mainstream support ended in 4/2009, but extended > support > > > ends in 4/2014 [2]. Given that we know the end of extended support, > > > take a look at bullet 17 of [1]: > > > > > > 17. What is the Security Update policy? > > > > > > Security updates will be available through the end of the > > Extended > > > Support phase (five years of Mainstream Support plus five years > > of > > > the Extended Support) at no additional cost for most products. > > > Security updates will be posted on the Microsoft Update Web > site > > > during both the Mainstream and the Extended Support phase. > > > > > > > > >> I realize some of you might be tempted to relay the M$ BS about > "not > > being > > >> feasible because it's a lot of work" rhetoric... > > >> > > > Not at all. > > > > > > Jeff > > > > > > [1] http://support.microsoft.com/gp/lifepolicy > > > [2] http://support.microsoft.com/gp/lifeselect > > > > > > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici > > > <nowh...@devnull.com> wrote: > > > > > >> Hello All: > > >> > > >> Given that M$ has officially shot-down all current Windows XP > users > > by not > > >> issuing a patch for a DoS level issue, I'm now curious to find out > > whether > > >> or not any brave souls out there are already working or willing to > > work on > > >> an open-source patch to remediate the issue within XP. > > >> > > >> I realize some of you might be tempted to relay the M$ BS about > "not > > being > > >> feasible because it's a lot of work" rhetoric... I would just like > > to hear > > >> the thoughts of the true experts subscribed to these lists :) > > >> > > >> No harm in that is there? > > >> > > >> Aras "Russ" Memisyazici > > >> Systems Administrator > > >> Virginia Tech > > >> > > >> > > >> > > > > -- > > Eric C. Lukens > > IT Security Policy and Risk Assessment Analyst > > ITS-Network Services > > Curris Business Building 15 > > University of Northern Iowa > > Cedar Falls, IA 50614-0121 > > 319-273-7434 > > http://www.uni.edu/elukens/ > > http://weblogs.uni.edu/elukens/ > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
