Message-ID: <4AB00900.2070403@uni.edu>
Date: Tue, 15 Sep 2009 16:37:04 -0500
From: "Eric C. Lukens" <eric.lukens@....edu>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: 3rd party patch for XP for MS09-048?

Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric

-------- Original Message  --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader@...il.com>
To: nowhere@...null.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Date: 9/15/09 3:49 PM
> Hi Aras,
>
>   
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
>>     
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
>     17. What is the Security Update policy?
>
>     Security updates will be available through the end of the Extended
>     Support phase (five years of Mainstream Support plus five years of
>     the Extended Support) at no additional cost for most products.
>     Security updates will be posted on the Microsoft Update Web site
>     during both the Mainstream and the Extended Support phase.
>
>   
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
>>     
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> <nowhere@...null.com> wrote:
>   
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>
>>
>>     

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/


