It's only "default" for people running XP standalone/consumer that are not even in a home network settings.
That kinda slices and dices that default down to a VERY narrow sub sub sub set of customer base. (Bottom line, yes, the marketing team definitely got a hold of that bulletin) Thor (Hammer of God) wrote: > Yeah, I know what it is and what it's for ;) That was just my subtle way of > trying to make a point. To be more explicit: > > 1) If you are publishing a vulnerability for which there is no patch, and > for which you have no intention of making a patch for, don't tell me it's > mitigated by ancient, unusable default firewall settings, and don't withhold > explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE > KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy > firewall settings via group policy to mitigate exposure' when the firewall > obviously must be accepting network connections to get the settings in the > first place. If all it takes is any listening service, then you have issues. > It's like telling me that "the solution is to take the letter 'f' out of the > word "solution." > > 2) Think things through. If you are going to try to boot sales of Win7 to > corporate customers by providing free XP VM technology and thus play up how > important XP is and how many companies still depend upon it for business > critical application compatibility, don't deploy that technology in an > other-than-default configuration that is subject to a DoS exploit while > downplaying the extent that the exploit may be leveraged by saying that a > "typical" default configuration mitigates it while choosing not to ever patch > it. Seems like simple logic points to me. > > t > > >> -----Original Message----- >> From: Susan Bradley [mailto:[email protected]] >> Sent: Wednesday, September 16, 2009 10:16 AM >> To: Thor (Hammer of God) >> Cc: [email protected]; [email protected] >> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048? >> >> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of >> course it's vulnerable to any and all gobs of stuff out there. But >> it's >> goal and intent is to allow Small shops to deploy Win7. If you need >> more security, get appv/medv/whateverv or other virtualization. >> >> It's not a security platform. It's a get the stupid 16 bit line of >> business app working platform. >> >> Thor (Hammer of God) wrote: >> >>> P.S. >>> >>> Anyone check to see if the default "XP Mode" VM you get for free with >>> >> Win7 hyperv is vulnerable and what the implications are for a host >> running an XP vm that get's DoS'd are? >> >>> I get the whole "XP code to too old to care" bit, but it seems odd to >>> >> take that "old code" and re-market it around compatibility and re- >> distribute it with free downloads for Win7 while saying "we won't patch >> old code." >> >>> t >>> >>> >>> >>>> -----Original Message----- >>>> From: [email protected] [mailto:full- >>>> [email protected]] On Behalf Of Thor (Hammer of >>>> >> God) >> >>>> Sent: Wednesday, September 16, 2009 8:00 AM >>>> To: Eric C. Lukens; [email protected] >>>> Cc: [email protected] >>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048? >>>> >>>> Thanks for the link. The problem here is that not enough >>>> >> information >> >>>> is given, and what IS given is obviously watered down to the point >>>> >> of >> >>>> being ineffective. >>>> >>>> The quote that stands out most for me: >>>> <snip> >>>> During the Q&A, however, Windows users repeatedly asked Microsoft's >>>> security team to explain why it wasn't patching XP, or if, in >>>> >> certain >> >>>> scenarios, their machines might be at risk. "We still use Windows XP >>>> and we do not use Windows Firewall," read one of the user questions. >>>> "We use a third-party vendor firewall product. Even assuming that we >>>> use the Windows Firewall, if there are services listening, such as >>>> remote desktop, wouldn't then Windows XP be vulnerable to this?" >>>> >>>> "Servers are a more likely target for this attack, and your firewall >>>> should provide additional protections against external exploits," >>>> replied Stone and Bryant. >>>> </snip> >>>> >>>> If an employee managing a product that my company owned gave answers >>>> like that to a public interview with Computerworld, they would be in >>>> deep doo. First off, my default install of XP Pro SP2 has remote >>>> assistance inbound, and once you join to a domain, you obviously >>>> >> accept >> >>>> necessary domain traffic. This "no inbound traffic by default so >>>> >> you >> >>>> are not vulnerable" line is crap. It was a direct question - "If >>>> >> RDP >> >>>> is allowed through the firewall, are we vulnerable?" A:"Great >>>> >> question. >> >>>> Yes, servers are the target. A firewall should provide added >>>> protection, maybe. Rumor is that's what they are for. Not sure >>>> really. What was the question again?" >>>> >>>> You don't get "trustworthy" by not answering people's questions, >>>> particularly when they are good, obvious questions. Just be honest >>>> about it. "Yes, XP is vulnerable to a DOS. Your firewall might >>>> >> help, >> >>>> but don't bet on it. XP code is something like 15 years old now, >>>> >> and >> >>>> we're not going to change it. That's the way it is, sorry. Just be >>>> glad you're using XP and not 2008/vista or you'd be patching your >>>> >> arse >> >>>> off right now." >>>> >>>> If MSFT thinks they are mitigating public opinion issues by side- >>>> stepping questions and not fully exposing the problems, they are >>>> >> wrong. >> >>>> This just makes it worse. That's the long answer. The short answer >>>> >> is >> >>>> "XP is vulnerable to a DoS, and a patch is not being offered." >>>> >>>> t >>>> >>>> >>>> >>>> >>>> >>>>> -----Original Message----- >>>>> From: [email protected] [mailto:full- >>>>> [email protected]] On Behalf Of Eric C. Lukens >>>>> Sent: Tuesday, September 15, 2009 2:37 PM >>>>> To: [email protected] >>>>> Cc: [email protected] >>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048? >>>>> >>>>> Reference: >>>>> >>>>> >>>>> >>>>> >> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc >> >>>>> hes_for_you_XP >>>>> >>>>> MS claims the patch would require to much overhaul of XP to make it >>>>> worth it, and they may be right. Who knows how many applications >>>>> >>>>> >>>> might >>>> >>>> >>>>> break that were designed for XP if they have to radically change >>>>> >> the >> >>>>> TCP/IP stack. Now, I don't know if the MS speak is true, but it >>>>> certainly sounds like it is not going to be patched. >>>>> >>>>> The other side of the MS claim is that a properly-firewalled XP >>>>> >>>>> >>>> system >>>> >>>> >>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be >>>>> necessary. >>>>> >>>>> -Eric >>>>> >>>>> -------- Original Message -------- >>>>> Subject: Re: 3rd party patch for XP for MS09-048? >>>>> From: Jeffrey Walton <[email protected]> >>>>> To: [email protected] >>>>> Cc: [email protected], [email protected] >>>>> Date: 9/15/09 3:49 PM >>>>> >>>>> >>>>>> Hi Aras, >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> Given that M$ has officially shot-down all current Windows XP >>>>>>> >>>>>>> >>>> users >>>> >>>> >>>>> by not >>>>> >>>>> >>>>>>> issuing a patch for a DoS level issue, >>>>>>> >>>>>>> >>>>>>> >>>>>> Can you cite a reference? >>>>>> >>>>>> Unless Microsoft has changed their end of life policy [1], XP >>>>>> >>>>>> >>>> should >>>> >>>> >>>>>> be patched for security vulnerabilities until about 2014. Both XP >>>>>> >>>>>> >>>>> Home >>>>> >>>>> >>>>>> and XP Pro's mainstream support ended in 4/2009, but extended >>>>>> >>>>>> >>>> support >>>> >>>> >>>>>> ends in 4/2014 [2]. Given that we know the end of extended >>>>>> >> support, >> >>>>>> take a look at bullet 17 of [1]: >>>>>> >>>>>> 17. What is the Security Update policy? >>>>>> >>>>>> Security updates will be available through the end of the >>>>>> >>>>>> >>>>> Extended >>>>> >>>>> >>>>>> Support phase (five years of Mainstream Support plus five >>>>>> >> years >> >>>>> of >>>>> >>>>> >>>>>> the Extended Support) at no additional cost for most products. >>>>>> Security updates will be posted on the Microsoft Update Web >>>>>> >>>>>> >>>> site >>>> >>>> >>>>>> during both the Mainstream and the Extended Support phase. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> I realize some of you might be tempted to relay the M$ BS about >>>>>>> >>>>>>> >>>> "not >>>> >>>> >>>>> being >>>>> >>>>> >>>>>>> feasible because it's a lot of work" rhetoric... >>>>>>> >>>>>>> >>>>>>> >>>>>> Not at all. >>>>>> >>>>>> Jeff >>>>>> >>>>>> [1] http://support.microsoft.com/gp/lifepolicy >>>>>> [2] http://support.microsoft.com/gp/lifeselect >>>>>> >>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici >>>>>> <[email protected]> wrote: >>>>>> >>>>>> >>>>>> >>>>>>> Hello All: >>>>>>> >>>>>>> Given that M$ has officially shot-down all current Windows XP >>>>>>> >>>>>>> >>>> users >>>> >>>> >>>>> by not >>>>> >>>>> >>>>>>> issuing a patch for a DoS level issue, I'm now curious to find >>>>>>> >> out >> >>>>> whether >>>>> >>>>> >>>>>>> or not any brave souls out there are already working or willing >>>>>>> >> to >> >>>>> work on >>>>> >>>>> >>>>>>> an open-source patch to remediate the issue within XP. >>>>>>> >>>>>>> I realize some of you might be tempted to relay the M$ BS about >>>>>>> >>>>>>> >>>> "not >>>> >>>> >>>>> being >>>>> >>>>> >>>>>>> feasible because it's a lot of work" rhetoric... I would just >>>>>>> >> like >> >>>>> to hear >>>>> >>>>> >>>>>>> the thoughts of the true experts subscribed to these lists :) >>>>>>> >>>>>>> No harm in that is there? >>>>>>> >>>>>>> Aras "Russ" Memisyazici >>>>>>> Systems Administrator >>>>>>> Virginia Tech >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>> -- >>>>> Eric C. Lukens >>>>> IT Security Policy and Risk Assessment Analyst >>>>> ITS-Network Services >>>>> Curris Business Building 15 >>>>> University of Northern Iowa >>>>> Cedar Falls, IA 50614-0121 >>>>> 319-273-7434 >>>>> http://www.uni.edu/elukens/ >>>>> http://weblogs.uni.edu/elukens/ >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Full-Disclosure - We believe in it. >>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>>> >>>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>>> >>> > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
