Re: 3rd party patch for XP for MS09-048?

2009-09-15 Thread Jeffrey Walton
Hi Aras,

> Given that M$ has officially shot-down all current Windows XP users by not
> issuing a patch for a DoS level issue,
Can you cite a reference?

Unless Microsoft has changed their end of life policy [1], XP should
be patched for security vulnerabilities until about 2014. Both XP Home
and XP Pro's mainstream support ended in 4/2009, but extended support
ends in 4/2014 [2]. Given that we know the end of extended support,
take a look at bullet 17 of [1]:

17. What is the Security Update policy?

Security updates will be available through the end of the Extended
Support phase (five years of Mainstream Support plus five years of
the Extended Support) at no additional cost for most products.
Security updates will be posted on the Microsoft Update Web site
during both the Mainstream and the Extended Support phase.

> I realize some of you might be tempted to relay the M$ BS about "not being
> feasible because it's a lot of work" rhetoric...
Not at all.

Jeff

[1] http://support.microsoft.com/gp/lifepolicy
[2] http://support.microsoft.com/gp/lifeselect

On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
 wrote:
> Hello All:
>
> Given that M$ has officially shot-down all current Windows XP users by not
> issuing a patch for a DoS level issue, I'm now curious to find out whether
> or not any brave souls out there are already working or willing to work on
> an open-source patch to remediate the issue within XP.
>
> I realize some of you might be tempted to relay the M$ BS about "not being
> feasible because it's a lot of work" rhetoric... I would just like to hear
> the thoughts of the true experts subscribed to these lists :)
>
> No harm in that is there?
>
> Aras "Russ" Memisyazici
> Systems Administrator
> Virginia Tech
>
>


Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Eric Kimminau

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

http://edge.technet.com/Media/MSRC-Monthly-Security-Bulletin-Webcast-September-2009/

Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
>
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
> 17. What is the Security Update policy?
>
> Security updates will be available through the end of the Extended
> Support phase (five years of Mainstream Support plus five years of
> the Extended Support) at no additional cost for most products.
> Security updates will be posted on the Microsoft Update Web site
> during both the Mainstream and the Extended Support phase.
>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
>
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>  wrote:
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Susan Bradley
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be 
of low impact and thus no patch has been built.


Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
>
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
> 17. What is the Security Update policy?
>
> Security updates will be available through the end of the Extended
> Support phase (five years of Mainstream Support plus five years of
> the Extended Support) at no additional cost for most products.
> Security updates will be posted on the Microsoft Update Web site
> during both the Mainstream and the Extended Support phase.
>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
>
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>  wrote:
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Susan Bradley
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):

http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

If Windows XP is listed as an affected product, why is Microsoft 
not issuing an update for it? By default, Windows XP Service Pack 
2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition 
Service Pack 2 do not have a listening service configured in the client 
firewall and are therefore not affected by this vulnerability. Windows 
XP Service Pack 2 and later operating systems include a stateful host 
firewall that provides protection for computers against incoming traffic 
from the Internet or from neighboring network devices on a private 
network. The impact of a denial of service attack is that a system would 
become unresponsive due to memory consumption. However, a successful 
attack requires a sustained flood of specially crafted TCP packets, and 
the system will recover once the flood ceases. This makes the severity 
rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. 
Customers running Windows XP are at reduced risk, and Microsoft 
recommends they use the firewall included with the operating system, or 
a network firewall, to block access to the affected ports and limit the 
attack surface from untrusted networks.


Susan Bradley wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be
> of low impact and thus no patch has been built.
>
> Jeffrey Walton wrote:
>> Hi Aras,
>>
>>> Given that M$ has officially shot-down all current Windows XP users by not
>>> issuing a patch for a DoS level issue,
>>
>> Can you cite a reference?
>>
>> Unless Microsoft has changed their end of life policy [1], XP should
>> be patched for security vulnerabilities until about 2014. Both XP Home
>> and XP Pro's mainstream support ended in 4/2009, but extended support
>> ends in 4/2014 [2]. Given that we know the end of extended support,
>> take a look at bullet 17 of [1]:
>>
>> 17. What is the Security Update policy?
>>
>> Security updates will be available through the end of the Extended
>> Support phase (five years of Mainstream Support plus five years of
>> the Extended Support) at no additional cost for most products.
>> Security updates will be posted on the Microsoft Update Web site
>> during both the Mainstream and the Extended Support phase.
>>
>>> I realize some of you might be tempted to relay the M$ BS about "not being
>>> feasible because it's a lot of work" rhetoric...
>>
>> Not at all.
>>
>> Jeff
>>
>> [1] http://support.microsoft.com/gp/lifepolicy
>> [2] http://support.microsoft.com/gp/lifeselect
>>
>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>  wrote:
>>> Hello All:
>>>
>>> Given that M$ has officially shot-down all current Windows XP users by not
>>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>>> or not any brave souls out there are already working or willing to work on
>>> an open-source patch to remediate the issue within XP.
>>>
>>> I realize some of you might be tempted to relay the M$ BS about "not being
>>> feasible because it's a lot of work" rhetoric... I would just like to hear
>>> the thoughts of the true experts subscribed to these lists :)
>>>
>>> No harm in that is there?
>>>
>>> Aras "Russ" Memisyazici
>>> Systems Administrator
>>> Virginia Tech

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Eric C. Lukens
Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric

-------- Original Message --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton 
To: nowh...@devnull.com
Cc: bugtraq@securityfocus.com, full-disclos...@lists.grok.org.uk
Date: 9/15/09 3:49 PM
> Hi Aras,
>
>   
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
>> 
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
> 17. What is the Security Update policy?
>
> Security updates will be available through the end of the Extended
> Support phase (five years of Mainstream Support plus five years of
> the Extended Support) at no additional cost for most products.
> Security updates will be posted on the Microsoft Update Web site
> during both the Mainstream and the Extended Support phase.
>
>   
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
>> 
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>  wrote:
>   
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>
>>
>> 

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/





Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Jeffrey Walton
Hi Susan,

> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
* http://support.microsoft.com/gp/lifepolicy
* http://support.microsoft.com/gp/lifeselect

Jeff

On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley  wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
>
> Jeffrey Walton wrote:
>>
>> Hi Aras,
>>
>>
>>>
>>> Given that M$ has officially shot-down all current Windows XP users by
>>> not
>>> issuing a patch for a DoS level issue,
>>>
>>
>> Can you cite a reference?
>>
>> Unless Microsoft has changed their end of life policy [1], XP should
>> be patched for security vulnerabilities until about 2014. Both XP Home
>> and XP Pro's mainstream support ended in 4/2009, but extended support
>> ends in 4/2014 [2]. Given that we know the end of extended support,
>> take a look at bullet 17 of [1]:
>>
>>    17. What is the Security Update policy?
>>
>>    Security updates will be available through the end of the Extended
>>    Support phase (five years of Mainstream Support plus five years of
>>    the Extended Support) at no additional cost for most products.
>>    Security updates will be posted on the Microsoft Update Web site
>>    during both the Mainstream and the Extended Support phase.
>>
>>
>>>
>>> I realize some of you might be tempted to relay the M$ BS about "not
>>> being
>>> feasible because it's a lot of work" rhetoric...
>>>
>>
>> Not at all.
>>
>> Jeff
>>
>> [1] http://support.microsoft.com/gp/lifepolicy
>> [2] http://support.microsoft.com/gp/lifeselect
>>
>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>  wrote:
>>
>>>
>>> Hello All:
>>>
>>> Given that M$ has officially shot-down all current Windows XP users by
>>> not
>>> issuing a patch for a DoS level issue, I'm now curious to find out
>>> whether
>>> or not any brave souls out there are already working or willing to work
>>> on
>>> an open-source patch to remediate the issue within XP.
>>>
>>> I realize some of you might be tempted to relay the M$ BS about "not
>>> being
>>> feasible because it's a lot of work" rhetoric... I would just like to
>>> hear
>>> the thoughts of the true experts subscribed to these lists :)
>>>
>>> No harm in that is there?
>>>
>>> Aras "Russ" Memisyazici
>>> Systems Administrator
>>> Virginia Tech
>>>
>>>
>>>
>>
>>
>
>


Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Matt Riddell

On 16/09/09 8:49 AM, Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
>
> Can you cite a reference?


http://tech.slashdot.org/article.pl?sid=09/09/15/0131209

--
Cheers,

Matt Riddell
Director
___

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)


Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Susan Bradley
It's not that they aren't supported per se, just that Microsoft has 
deemed the impact of DOS to be low, the ability to patch that platform 
impossible/difficult and thus have made a risk calculation accordingly.


Sometimes the architecture is what it is.

Jeffrey Walton wrote:
> Hi Susan,
>
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
>
> I don't know how I missed that XP/SP2 and above were not being
> patched. It appears that my two references are worthless... I used to
> use them in position papers!
> * http://support.microsoft.com/gp/lifepolicy
> * http://support.microsoft.com/gp/lifeselect
>
> Jeff
>
> On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley  wrote:
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
>>
>> Jeffrey Walton wrote:
>>> Hi Aras,
>>>
>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>> not
>>>> issuing a patch for a DoS level issue,
>>>
>>> Can you cite a reference?
>>>
>>> Unless Microsoft has changed their end of life policy [1], XP should
>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>> take a look at bullet 17 of [1]:
>>>
>>>    17. What is the Security Update policy?
>>>
>>>    Security updates will be available through the end of the Extended
>>>    Support phase (five years of Mainstream Support plus five years of
>>>    the Extended Support) at no additional cost for most products.
>>>    Security updates will be posted on the Microsoft Update Web site
>>>    during both the Mainstream and the Extended Support phase.
>>>
>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>> being
>>>> feasible because it's a lot of work" rhetoric...
>>>
>>> Not at all.
>>>
>>> Jeff
>>>
>>> [1] http://support.microsoft.com/gp/lifepolicy
>>> [2] http://support.microsoft.com/gp/lifeselect
>>>
>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>  wrote:
>>>> Hello All:
>>>>
>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>> not
>>>> issuing a patch for a DoS level issue, I'm now curious to find out
>>>> whether
>>>> or not any brave souls out there are already working or willing to work
>>>> on
>>>> an open-source patch to remediate the issue within XP.
>>>>
>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>> being
>>>> feasible because it's a lot of work" rhetoric... I would just like to
>>>> hear
>>>> the thoughts of the true experts subscribed to these lists :)
>>>>
>>>> No harm in that is there?
>>>>
>>>> Aras "Russ" Memisyazici
>>>> Systems Administrator
>>>> Virginia Tech

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Tom Grace

Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value 
adds additional delays to connection indications, and TCP connection 
requests quickly timeout when a SYN attack is in progress. This 
parameter is the recommended setting.


NOTE: The following socket options no longer work on any socket when you 
set the SynAttackProtect value to 2: Scalable windows


-

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 
theory, around it... & iirc, "Scalable Windows", via setsockopt API 
calls from an attacker are what the problem is here anyhow & this ought 
to 'stall it'... thoughts/feedback?


APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize 
settings in the registry in TCP/IP Parameters (see registry path above) 
SHOULD also help here also, for servers that can accept MANY connections 
from MANY clients, worldwide, as your specific constraints specify...


Thus, effectively stalling the ability to use TcpWindowScaling is 
stopped by SynAttackProtect too, so an attacking system/app sending a 
setsockopt of 0 for this SHOULD also be nullified, on a server also...


(However/Again - Workstations are easily taken care of, vs. servers, 
just by what I wrote up above either by PORT FILTERING)


IP Security Policies, which can work on ranges of addresses to block, 
OR, single systems as well you either ALLOW or DENY to talk to your 
system, still can help also... vs. a DDOS though? SynAttackProtect is 
your best friend here... you'd use netstat -b -n tcp to see which are 
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR 
WAY (or just by doing it in a router or routing table)... takers anyone, 
on these thoughts (especially for Windows 2000)?


Thanks for your time... apk
UNQUOTE--

Source: http://tech.slashdot.org/comments.pl?sid=1368439&cid=29424787

Susan Bradley wrote:
> It's not that they aren't supported per se, just that Microsoft has
> deemed the impact of DOS to be low, the ability to patch that platform
> impossible/difficult and thus have made a risk calculation accordingly.
>
> Sometimes the architecture is what it is.
>
> Jeffrey Walton wrote:
>> Hi Susan,
>>
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>>> low impact and thus no patch has been built.
>>
>> I don't know how I missed that XP/SP2 and above were not being
>> patched. It appears that my two references are worthless... I used to
>> use them in position papers!
>> * http://support.microsoft.com/gp/lifepolicy
>> * http://support.microsoft.com/gp/lifeselect
>>
>> Jeff
>>
>> On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley  wrote:
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>>> low impact and thus no patch has been built.
>>>
>>> Jeffrey Walton wrote:
>>>> Hi Aras,
>>>>
>>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>>> not
>>>>> issuing a patch for a DoS level issue,
>>>>
>>>> Can you cite a reference?
>>>>
>>>> Unless Microsoft has changed their end of life policy [1], XP should
>>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>>> take a look at bullet 17 of [1]:
>>>>
>>>>    17. What is the Security Update policy?
>>>>
>>>>    Security updates will be available through the end of the Extended
>>>>    Support phase (five years of Mainstream Support plus five years of
>>>>    the Extended Support) at no additional cost for most products.
>>>>    Security updates will be posted on the Microsoft Update Web site
>>>>    during both the Mainstream and the Extended Support phase.
>>>>
>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>> being
>>>>> feasible because it's a lot of work" rhetoric...
>>>>
>>>> Not at all.
>>>>
>>>> Jeff
>>>>
>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>
>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>  wrote:
>>>>> Hello All:
>>>>>
>>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>>> not
>>>>> issuing a patch for a DoS level issue, I'm now curious to find out
>>>>> whether
>>>>> or not any brave souls out there are already working or willing to work
>>>>> on
>>>>> an open-source patch to remediate the issue within XP.
>>>>>
>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>> being
>>>>> feasible because it's a lot of work" rhetoric... I would just like to
>>>>> hear
>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>
>>>>> No harm in that is there?
>>>>>
>>>>> Aras "Russ" Memisyazici
>>>>> Systems Administrator
>>>>> Virginia Tech
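
The netstat triage described in the comment quoted in the message above (finding peers held in the half-open SYN_RECEIVED state so they can be blocked at the host firewall or a router), as an added example that is not part of any post in this thread. The sample output, the addresses and the threshold are constructed, and the function names are illustrative.

```python
from collections import Counter

# Constructed sample in the layout of Windows netstat output (documentation
# address ranges only). The bracketed line mimics the process name that the
# -b switch prints; it is not a connection row and must be skipped.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  [inetinfo.exe]
  TCP    192.0.2.10:80          198.51.100.7:40112     SYN_RECEIVED    1480
  TCP    192.0.2.10:80          198.51.100.7:40113     SYN_RECEIVED    1480
  TCP    192.0.2.10:80          198.51.100.7:40114     SYN_RECEIVED    1480
  TCP    192.0.2.10:80          198.51.100.7:40115     SYN_RECEIVED    1480
  TCP    192.0.2.10:80          203.0.113.20:51800     SYN_RECEIVED    1480
  TCP    192.0.2.10:80          203.0.113.21:51901     ESTABLISHED     1480
  TCP    [2001:db8::10]:445     [2001:db8::5]:49200    SYN_RECEIVED    4
  TCP    [2001:db8::10]:445     [2001:db8::5]:49201    SYN_RECEIVED    4
  TCP    [2001:db8::10]:445     [2001:db8::5]:49202    SYN_RECEIVED    4
  UDP    0.0.0.0:123            *:*                                    1020
"""

# Windows prints SYN_RECEIVED; some other stacks abbreviate it to SYN_RCVD.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RCVD"}


def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per TCP row; headers, UDP rows and -b lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        _, local_port = split_endpoint(parts[1])
        remote_host, _ = split_endpoint(parts[2])
        rows.append({
            "local_port": local_port,
            "remote": remote_host,
            "state": parts[3].upper(),
        })
    return rows


def half_open_by_remote(rows):
    """Count half-open connections per remote address."""
    return Counter(r["remote"] for r in rows if r["state"] in HALF_OPEN_STATES)


def half_open_by_port(rows):
    """Count half-open connections per local listening port."""
    return Counter(r["local_port"] for r in rows if r["state"] in HALF_OPEN_STATES)


def suspects(text, threshold=3):
    """Remote addresses holding at least `threshold` half-open connections,
    busiest first. The threshold is an assumed value; tune it per service."""
    counts = half_open_by_remote(parse_netstat(text))
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("half-open per local port:", dict(half_open_by_port(rows)))
    for ip, n in suspects(SAMPLE_NETSTAT):
        print(f"{ip}: {n} half-open connections")
```

When the flood uses spoofed source addresses, the per-peer counts stay low while the per-port total climbs, so read `half_open_by_port` alongside `suspects`.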




  



  


Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Susan Bradley
Only if you are a consumer.  In a network we ALL have listening ports 
out there.


elizabeth.a.gre...@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches
> for XP because, by default, it runs no listening services or the windows
> firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing
> an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP
> Professional x64 Edition Service Pack 2 do not have a listening service configured
> in the client firewall and are therefore not affected by this vulnerability. Windows
> XP Service Pack 2 and later operating systems include a stateful host firewall that
> provides protection for computers against incoming traffic from the Internet or from
> neighboring network devices on a private network. ... Customers running Windows XP
> are at reduced risk, and Microsoft recommends they use the firewall included with
> the operating system, or a network firewall, to block access to the affected ports
> and limit the attack surface from untrusted networks."
>
> -eg

Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Rob Thompson
Susan Bradley wrote:
> Only if you are a consumer.  In a network we ALL have listening ports
> out there.

This is simply Microsoft's way of forcing you to upgrade your OS.  They
pulled the same shenanigans with Windows 2000, if you do not recall.

I'd have to say, it's time to re-evaluate where you are funneling your
$$$.  If the vendor that you PAID your hard earned dollars to is not
supporting their product like they said they would, then it's time to
move on.

There are plenty of alternatives out there.  No one says you _have_ to
run Windows.

> 
> elizabeth.a.gre...@gmail.com wrote:
>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>> patches for XP because, by default, it runs no listening services or
>> the windows firewall can protect it.
>>
>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>> "If Windows XP is listed as an affected product, why is Microsoft not
>> issuing an update for it?
>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
>> -eg
>>
>>   
> 
> 


-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+


Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Susan Bradley
Cloud option maybe as we go forward but right now today, this is 
business making the decisions here.


Desktop, if it were that easy we'd have ripped out desktops years ago.

Businesses have to be realistic.  Sometimes there is not "plenty of 
comparable alternatives out there".


Sometimes the boss/business needs/line of business apps dictates you run 
windows.


Rob Thompson wrote:
> Susan Bradley wrote:
>> Only if you are a consumer.  In a network we ALL have listening ports
>> out there.
>
> This is simply Microsoft's way of forcing you to upgrade your OS.  They
> pulled the same shenanigans with Windows 2000, if you do not recall.
>
> I'd have to say, it's time to re-evaluate where you are funneling your
> $$$.  If the vendor that you PAID your hard earned dollars to is not
> supporting their product like they said they would, then it's time to
> move on.
>
> There are plenty of alternatives out there.  No one says you _have_ to
> run Windows.
>
>> elizabeth.a.gre...@gmail.com wrote:
>>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>>> patches for XP because, by default, it runs no listening services or
>>> the windows firewall can protect it.
>>>
>>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>>> "If Windows XP is listed as an affected product, why is Microsoft not
>>> issuing an update for it?
>>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>>> listening service configured in the client firewall and are therefore
>>> not affected by this vulnerability. Windows XP Service Pack 2 and
>>> later operating systems include a stateful host firewall that provides
>>> protection for computers against incoming traffic from the Internet or
>>> from neighboring network devices on a private network. ... Customers
>>> running Windows XP are at reduced risk, and Microsoft recommends they
>>> use the firewall included with the operating system, or a network
>>> firewall, to block access to the affected ports and limit the attack
>>> surface from untrusted networks."
>>>
>>> -eg

Re: Re: 3rd party patch for XP for MS09-048?

2009-09-16 Thread Elizabeth . a . greene
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches 
for XP because, by default, it runs no listening services or the windows 
firewall can protect it.



Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx

"If Windows XP is listed as an affected product, why is Microsoft not issuing 
an update for it?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows 
XP Professional x64 Edition Service Pack 2 do not have a listening service 
configured in the client firewall and are therefore not affected by this 
vulnerability. Windows XP Service Pack 2 and later operating systems include a 
stateful host firewall that provides protection for computers against incoming 
traffic from the Internet or from neighboring network devices on a private 
network. ... Customers running Windows XP are at reduced risk, and Microsoft 
recommends they use the firewall included with the operating system, or a 
network firewall, to block access to the affected ports and limit the attack 
surface from untrusted networks."



-eg