| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6e423ebfcca8efbb6ae039d98dd9c0b2.squirrel@www.slave-tothe-box.net> Date: Wed, 16 Sep 2009 11:34:00 -0600 (MDT) From: "James Lay" <jlay@...ve-tothe-box.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: 3rd party patch for XP for MS09-048? > Reference: > > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP > > MS claims the patch would require to much overhaul of XP to make it > worth it, and they may be right. Who knows how many applications might > break that were designed for XP if they have to radically change the > TCP/IP stack. Now, I don't know if the MS speak is true, but it > certainly sounds like it is not going to be patched. > > The other side of the MS claim is that a properly-firewalled XP system > would not be vulnerable to a DOS anyway, so a patch shouldn't be > necessary. > > -Eric > Apparently MS either: a) believes that people/employees on a LAN would NEVER EVER do anything naughty or; b) that hostbased firewalls should be enabled on ALL workstations regardless if they are behind corporate firewall/nat/etc... Either way....remote code or DoS, it's still a timebomb. PCI DSS requires these types of things to be patched or mitigated (compensating control) if placed in the cardholder data environment. Looks like no patch means a lot of extra work for companies taking debit/credit and running XP. James _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists