Good geeks ...not gook geeks. It's not a racial slight, it's spellchecker not working and I didn't realize I spelled it wrong. My deepest apologies if anyone reads that wrong.
Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust that this
>                         ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7. Granted the marketing folks spun this bulletin WAY WAY TOO much. It is what it is. I do believe the architecture in XP just isn't there. It's a 10 year old platform that sometimes you can't bolt on this stuff afterwards. Even in Vista, it's not truly fixing the issue, merely making the system more resilient to attacks. Read the fine print in the patch.. it's just making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the support window of the product.
>>
>> It is just a DOS. I DOS myself after patch Tuesday sometimes with mere patch issues. Also the risk of this appears low, the potential for someone coding up an attack low... I have bigger risks from fake A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect such energy? I don't see that it is. Give me more information that it is a risk and I may change my mind, but right now, I'm just not seeing that it's worth it.
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>>
>>> Thank you all for your valuable comments... Indeed I appreciated some of the links/info extended (Susan, Thor and Tom) However, in the end, it sounded like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole shebang of other mix setups, unless I deploy a "better" firewall solution, I seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... whoopd...@#$%#^-doo... As was stated earlier, they did the exact same thing back in Win2K days... Nothing new here... :/ As Larry and Thor pointed out, what sux is that despite M$ "PROMISING" that they would continue supporting XP since they didn't exactly state WHAT they would support, they seem to be legally free to actually get away with this BS *sigh* gotta love insurance-salesman-tactics when it comes to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from the "big'uns" on whether or not a 3rd party open-source patch would be released... I sure miss the days that people back in the day who cared would :) In the end I realize, it sounds like a total over-haul of the TCP/IP stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's suggesting switching to an iptables based protection along with a registry tweak... ahh the good ol' batch firewall :) Would this actually work as a viable work-around? I realize M$ stated this as such, but given their current reputation it's really hard to take their word for anything these days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current attack? Any suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu --> I set my return addy to /dev/null for... well you know why!
>>>
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:la...@larryseltzer.com]
>>> Sent: Wednesday, September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Yes, they used the bulletin to soft-pedal the description, but at the same time I think they send a message about XP users being on shaky ground. Just because they've got 4+ years of Extended Support Period left doesn't mean they're going to get first-class treatment.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> larry_selt...@ziffdavis.com http://blogs.pcmag.com/securitywatch/
>>>
>>> -----Original Message-----
>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Susan Bradley
>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugt...@securityfocus.com
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's only "default" for people running XP standalone/consumer that are not even in a home network settings.
>>>
>>> That kinda slices and dices that default down to a VERY narrow sub sub sub set of customer base.
>>>
>>> (Bottom line, yes, the marketing team definitely got a hold of that bulletin)
>>>
>>> Thor (Hammer of God) wrote:
>>>> Yeah, I know what it is and what it's for ;) That was just my subtle way of trying to make a point. To be more explicit:
>>>>
>>>> 1) If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues. It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
>>>>
>>>> 2) Think things through. If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it. Seems like simple logic points to me.
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: Susan Bradley [mailto:sbrad...@pacbell.net]
>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>> To: Thor (Hammer of God)
>>>>> Cc: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of course it's vulnerable to any and all gobs of stuff out there. But its goal and intent is to allow Small shops to deploy Win7. If you need more security, get appv/medv/whateverv or other virtualization.
>>>>>
>>>>> It's not a security platform. It's a get the stupid 16 bit line of business app working platform.
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>> P.S.
>>>>>>
>>>>>> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that gets DoS'd are?
>>>>>>
>>>>>> I get the whole "XP code to too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
>>>>>>
>>>>>> t
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>>>> To: Eric C. Lukens; bugt...@securityfocus.com
>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>
>>>>>>> Thanks for the link. The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective.
>>>>>>>
>>>>>>> The quote that stands out most for me:
>>>>>>> <snip>
>>>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>>>
>>>>>>> "Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
>>>>>>> </snip>
>>>>>>>
>>>>>>> If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo. First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic. This "no inbound traffic by default so you are not vulnerable" line is crap. It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A:"Great question. Yes, servers are the target. A firewall should provide added protection, maybe. Rumor is that's what they are for. Not sure really. What was the question again?"
>>>>>>>
>>>>>>> You don't get "trustworthy" by not answering people's questions, particularly when they are good, obvious questions. Just be honest about it. "Yes, XP is vulnerable to a DOS. Your firewall might help, but don't bet on it. XP code is something like 15 years old now, and we're not going to change it. That's the way it is, sorry. Just be glad you're using XP and not 2008/vista or you'd be patching your arse off right now."
>>>>>>>
>>>>>>> If MSFT thinks they are mitigating public opinion issues by side-stepping questions and not fully exposing the problems, they are wrong. This just makes it worse. That's the long answer. The short answer is "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>>>> To: bugt...@securityfocus.com
>>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>>
>>>>>>>> Reference:
>>>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>>>
>>>>>>>> MS claims the patch would require too much overhaul of XP to make it worth it, and they may be right. Who knows how many applications might break that were designed for XP if they have to radically change the TCP/IP stack. Now, I don't know if the MS speak is true, but it certainly sounds like it is not going to be patched.
>>>>>>>>
>>>>>>>> The other side of the MS claim is that a properly-firewalled XP system would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.
>>>>>>>>
>>>>>>>> -Eric
>>>>>>>>
>>>>>>>> -------- Original Message --------
>>>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>>>> From: Jeffrey Walton <noloa...@gmail.com>
>>>>>>>> To: nowh...@devnull.com
>>>>>>>> Cc: bugt...@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>>>> Date: 9/15/09 3:49 PM
>>>>>>>>
>>>>>>>>> Hi Aras,
>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue,
>>>>>>>>>
>>>>>>>>> Can you cite a reference?
>>>>>>>>>
>>>>>>>>> Unless Microsoft has changed their end of life policy [1], XP should be patched for security vulnerabilities until about 2014. Both XP Home and XP Pro's mainstream support ended in 4/2009, but extended support ends in 4/2014 [2]. Given that we know the end of extended support, take a look at bullet 17 of [1]:
>>>>>>>>>
>>>>>>>>> 17. What is the Security Update policy?
>>>>>>>>>
>>>>>>>>> Security updates will be available through the end of the Extended Support phase (five years of Mainstream Support plus five years of the Extended Support) at no additional cost for most products. Security updates will be posted on the Microsoft Update Web site during both the Mainstream and the Extended Support phase.
>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being feasible because it's a lot of work" rhetoric...
>>>>>>>>>
>>>>>>>>> Not at all.
>>>>>>>>>
>>>>>>>>> Jeff
>>>>>>>>>
>>>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>>>
>>>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici <nowh...@devnull.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello All:
>>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue, I'm now curious to find out whether or not any brave souls out there are already working or willing to work on an open-source patch to remediate the issue within XP.
>>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being feasible because it's a lot of work" rhetoric... I would just like to hear the thoughts of the true experts subscribed to these lists :)
>>>>>>>>>>
>>>>>>>>>> No harm in that is there?
>>>>>>>>>>
>>>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>>>> Systems Administrator
>>>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>>>> --
>>>>>>>> Eric C. Lukens
>>>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>>>> ITS-Network Services
>>>>>>>> Curris Business Building 15
>>>>>>>> University of Northern Iowa
>>>>>>>> Cedar Falls, IA 50614-0121
>>>>>>>> 319-273-7434
>>>>>>>> http://www.uni.edu/elukens/
>>>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/