lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B3293002B1CA03@BE35.exg3.exghost.com>
Date: Wed, 16 Sep 2009 17:02:39 -0400
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "Susan Bradley" <sbradcpa@...bell.net>,
	"Thor (Hammer of God)" <thor@...merofgod.com>
Cc: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@...fdavis.com 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are 
not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub 
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that 
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle
way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch,
and for which you have no intention of making a patch for, don't tell me
it's mitigated by ancient, unusable default firewall settings, and don't
withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
'you can deploy firewall settings via group policy to mitigate exposure'
when the firewall obviously must be accepting network connections to get
the settings in the first place. If all it takes is any listening
service, then you have issues.  It's like telling me that "the solution
is to take the letter 'f' out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boot sales of
Win7 to corporate customers by providing free XP VM technology and thus
play up how important XP is and how many companies still depend upon it
for business critical application compatibility, don't deploy that
technology in an other-than-default configuration that is subject to a
DoS exploit while downplaying the extent that the exploit may be
leveraged by saying that a "typical" default configuration mitigates it
while choosing not to ever patch it.    Seems like simple logic points
to me.
>
> t
>
>   
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@...bell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.
Of
>> course it's vulnerable to any and all gobs of stuff out there.  But
>> it's
>> goal and intent is to allow Small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a get the stupid 16 bit line of
>> business app working platform.
>>
>> Thor (Hammer of God) wrote:
>>     
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free
with
>>>       
>> Win7 hyperv is vulnerable and what the implications are for a host
>> running an XP vm that get's DoS'd are?
>>     
>>> I get the whole "XP code to too old to care" bit, but it seems odd
to
>>>       
>> take that "old code" and re-market it around compatibility and re-
>> distribute it with free downloads for Win7 while saying "we won't
patch
>> old code."
>>     
>>> t
>>>
>>>
>>>       
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
>>>> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Thor (Hammer of
>>>>         
>> God)
>>     
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@...urityfocus.com
>>>> Cc: full-disclosure@...ts.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough
>>>>         
>> information
>>     
>>>> is given, and what IS given is obviously watered down to the point
>>>>         
>> of
>>     
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in
>>>>         
>> certain
>>     
>>>> scenarios, their machines might be at risk. "We still use Windows
XP
>>>> and we do not use Windows Firewall," read one of the user
questions.
>>>> "We use a third-party vendor firewall product. Even assuming that
we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your
firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave
answers
>>>> like that to a public interview with Computerworld, they would be
in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously
>>>>         
>> accept
>>     
>>>> necessary domain traffic.  This "no inbound traffic by default so
>>>>         
>> you
>>     
>>>> are not vulnerable" line is crap.  It was a direct question - "If
>>>>         
>> RDP
>>     
>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>         
>> question.
>>     
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
>>>>         
>> help,
>>     
>>>> but don't bet on it.  XP code is something like 15 years old now,
>>>>         
>> and
>>     
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/vista or you'd be patching your
>>>>         
>> arse
>>     
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>> stepping questions and not fully exposing the problems, they are
>>>>         
>> wrong.
>>     
>>>> This just makes it worse. That's the long answer.  The short answer
>>>>         
>> is
>>     
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>
>>>>
>>>>
>>>>         
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@...urityfocus.com
>>>>> Cc: full-disclosure@...ts.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
MS09-048?
>>>>>
>>>>> Reference:
>>>>>
>>>>>
>>>>>
>>>>>           
>>
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>     
>>>>> hes_for_you_XP
>>>>>
>>>>> MS claims the patch would require to much overhaul of XP to make
it
>>>>> worth it, and they may be right.  Who knows how many applications
>>>>>
>>>>>           
>>>> might
>>>>
>>>>         
>>>>> break that were designed for XP if they have to radically change
>>>>>           
>> the
>>     
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>
>>>>>           
>>>> system
>>>>
>>>>         
>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> -------- Original Message  --------
>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>> From: Jeffrey Walton <noloader@...il.com>
>>>>> To: nowhere@...null.com
>>>>> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
>>>>> Date: 9/15/09 3:49 PM
>>>>>
>>>>>           
>>>>>> Hi Aras,
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>
>>>>>>>               
>>>> users
>>>>
>>>>         
>>>>> by not
>>>>>
>>>>>           
>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> Can you cite a reference?
>>>>>>
>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>
>>>>>>             
>>>> should
>>>>
>>>>         
>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>
>>>>>>             
>>>>> Home
>>>>>
>>>>>           
>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended
>>>>>>
>>>>>>             
>>>> support
>>>>
>>>>         
>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>             
>> support,
>>     
>>>>>> take a look at bullet 17 of [1]:
>>>>>>
>>>>>>     17. What is the Security Update policy?
>>>>>>
>>>>>>     Security updates will be available through the end of the
>>>>>>
>>>>>>             
>>>>> Extended
>>>>>
>>>>>           
>>>>>>     Support phase (five years of Mainstream Support plus five
>>>>>>             
>> years
>>     
>>>>> of
>>>>>
>>>>>           
>>>>>>     the Extended Support) at no additional cost for most
products.
>>>>>>     Security updates will be posted on the Microsoft Update Web
>>>>>>
>>>>>>             
>>>> site
>>>>
>>>>         
>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>
>>>>>>>               
>>>> "not
>>>>
>>>>         
>>>>> being
>>>>>
>>>>>           
>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> Not at all.
>>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>
>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>> <nowhere@...null.com> wrote:
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> Hello All:
>>>>>>>
>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>
>>>>>>>               
>>>> users
>>>>
>>>>         
>>>>> by not
>>>>>
>>>>>           
>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>               
>> out
>>     
>>>>> whether
>>>>>
>>>>>           
>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>               
>> to
>>     
>>>>> work on
>>>>>
>>>>>           
>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>
>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>
>>>>>>>               
>>>> "not
>>>>
>>>>         
>>>>> being
>>>>>
>>>>>           
>>>>>>> feasible because it's a lot of work" rhetoric... I would just
>>>>>>>               
>> like
>>     
>>>>> to hear
>>>>>
>>>>>           
>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>
>>>>>>> No harm in that is there?
>>>>>>>
>>>>>>> Aras "Russ" Memisyazici
>>>>>>> Systems Administrator
>>>>>>> Virginia Tech
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>           
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>         
>>>       
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ