Read the bulletin. There's no patch. It is deemed by Microsoft to be
of low impact and thus no patch has been built.
Jeffrey Walton wrote:
Hi Aras,
Given that M$ has officially shot-down all current Windows XP users by not
issuing a patch for a DoS level issue,
Can you cite a
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
If Windows XP is listed as an affected product, why is Microsoft
not issuing an update for it?
By
Reference:
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right. Who knows how many applications might
break that were designed for XP if they have to radically
Debian Security Advisory DSA-1888-1 secur...@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 15, 2009
Hi Yossi,
Are you doing something funky with your IP address, e.g., NAT'ed/short DHCP
lease? The reason I ask is because in 2008, Adrian Pastor stated
authentication in the 3Com Wireless 8760 was linked to the source IP
address [1]. It may well be the case (as you have discovered) that it
Hi Susan,
Read the bulletin. There's no patch. It is deemed by Microsoft to be of
low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
On 16/09/09 8:49 AM, Jeffrey Walton wrote:
Hi Aras,
Given that M$ has officially shot-down all current Windows XP users by not
issuing a patch for a DoS level issue,
Can you cite a reference?
http://tech.slashdot.org/article.pl?sid=09/09/15/0131209
--
Cheers,
Matt Riddell
Director
It's not that they aren't supported per se, just that Microsoft has
deemed the impact of DOS to be low, the ability to patch that platform
impossible/difficult and thus have made a risk calculation accordingly.
Sometimes the architecture is what it is.
Jeffrey Walton wrote:
Hi Susan,
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches
for XP because, by default, it runs no listening services or the Windows
firewall can protect it.
Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
If Windows XP is listed as an affected
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01866324
Version: 1
HPSBUX02458 SSRT090104 rev.1 - HP-UX Running bootpd, Remote Denial of Service
(DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon
as
Thanks for the link. The problem here is that not enough information is given,
and what IS given is obviously watered down to the point of being ineffective.
The quote that stands out most for me:
snip
During the QA, however, Windows users repeatedly asked Microsoft's security
team to explain
Hi,
Since I seem to have missed a version, here are the CHANGES for .y .z:
v0.y
fix support for ACS PCSC-2 devices (e.g. ACR 122U)
add writelfx.py - test write LF devices
fix 3DES key setting for ID cards in mrpkey.py
allow missing files to be skipped if running in files mode in
I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a Low threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have
P.S.
Anyone check to see if the default XP Mode VM you get for free with Win7
hyperv is vulnerable and what the implications are for a host running an XP vm
that gets DoS'd are?
I get the whole XP code to too old to care bit, but it seems odd to take that
old code and re-market it around
Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution
and more
For complete post (with images), please visit -
http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomr
Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value
adds additional delays to connection indications, and TCP connection
requests quickly timeout when a SYN attack is in progress. This
parameter is the recommended setting.
NOTE: The following
Only if you are a consumer. In a network we ALL have listening ports
out there.
elizabeth.a.gre...@gmail.com wrote:
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches
for XP because, by default, it runs no listening services or the Windows
firewall can protect
Hey Larry- hope everything's going well...
When you've got a systemic vulnerability, in this case the TCP/IP stack itself,
exploitation information must be explicit and definitive. I'm fine with risk
classification, and I appreciate efforts to categorize risk into manageable
exposure
Iret #GP on pre-commit handling failure: the NetBSD case (CVE-2009-2793)
On the Intel architecture, once an operating system kernel has completed
servicing an interrupt or exception, it will generally return to user
mode
It's only default for people running XP standalone/consumer that are
not even in a home network settings.
That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.
(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)
Thor
Yeah, I know what it is and what it's for ;) That was just my subtle way of
trying to make a point. To be more explicit:
1) If you are publishing a vulnerability for which there is no patch, and for
which you have no intention of making a patch for, don't tell me it's mitigated
by ancient,
It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of
course it's vulnerable to any and all gobs of stuff out there. But it's
its goal and intent is to allow small shops to deploy Win7. If you need
more security, get appv/medv/whateverv or other virtualization.
It's not a
Debian Security Advisory DSA-1889-1 secur...@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 16, 2009
===
Ubuntu Security Notice USN-832-1 September 16, 2009
freeradius vulnerability
CVE-2009-3111
===
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
This
Susan Bradley wrote:
Only if you are a consumer. In a network we ALL have listening ports
out there.
This is simply Microsoft's way of forcing you to upgrade your OS. They
pulled the same shenanigans with Windows 2000, if you do not recall.
I'd have to say, it's time to re-evaluate where you
Cloud option maybe as we go forward but right now today, this is
business making the decisions here.
Desktop, if it were that easy we'd have ripped out desktops years ago.
Businesses have to be realistic. Sometimes there is not plenty of
comparable alternatives out there.
Sometimes the
Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.
Larry Seltzer
Contributing