[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4AB26EF1.5010706@pacbell.net>
Date: Thu, 17 Sep 2009 10:16:33 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: Hisashi T Fujinaka <htodd@....portland.or.us>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: 3rd party patch for XP for MS09-048?
Good geeks ...not gook geeks.
It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong. My deepest apologies if anyone reads that
wrong.
Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust
>> that this
> ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7. Granted the marketing folks spun
>> this bulletin WAY WAY TOO much. It is what it is. I do believe the
>> architecture in XP just isn't there. It's a 10 year old platform
>> that sometimes you can't bolt on this stuff afterwards. Even in
>> Vista, it's not truly fixing the issue, merely making the system more
>> resilient to attacks. Read the fine print in the patch.. it's just
>> making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the
>> support window of the product.
>>
>> It is just a DOS. I DOS myself after patch Tuesday sometimes with
>> mere patch issues. Also the risk of this appears low, the potential
>> for someone coding up an attack low... I have bigger risks from fake
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect
>> such energy? I don't see that it is. Give me more information that
>> it is a risk and I may change my mind, but right now, I'm just not
>> seeing that it's worth it.
>>
>>
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>>
>>> Thank you all for your valuable comments... Indeed I appreciated
>>> some of the
>>> links/info extended (Susan, Thor and Tom) However, in the end, it
>>> sounded
>>> like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall
>>> solution, I
>>> seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@...#^-doo... As was
>>> stated
>>> earlier, they did the exact same thing back in Win2K days... Nothing
>>> new
>>> here... :/ As Larry and Thor pointed out, what sux is that despite M$
>>> "PROMISING" that they would continue supporting XP since they didn't
>>> exactly
>>> state WHAT they would support, they seem to be legally free to
>>> actually get
>>> away with this BS *sigh* gotta love insurance-salesman-tactics when
>>> it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from
>>> the
>>> "big'uns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who
>>> cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm
>>> misunderstanding, he's
>>> suggesting switching to an iptables based protection along with a
>>> registry
>>> tweak... ahh the good ol' batch firewall :) Would this actually work
>>> as a
>>> viable work-around? I realize M$ stated this as such, but given their
>>> current reputation it's really hard to take their word for anything
>>> these
>>> days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current
>>> attack? Any
>>> suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu --> I set my return addy to /dev/null
>>> for... well
>>> you know why!
>>>
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:larry@...ryseltzer.com] Sent: Wednesday,
>>> September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Yes, they used the bulletin to soft-pedal the description, but at the
>>> same time I think they send a message about XP users being on shaky
>>> ground. Just because they've got 4+ years of Extended Support Period
>>> left doesn't mean they're going to get first-class treatment.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> larry_seltzer@...fdavis.com http://blogs.pcmag.com/securitywatch/
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces@...ts.grok.org.uk
>>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Susan
>>> Bradley
>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's only "default" for people running XP standalone/consumer that
>>> are not even in a home network settings.
>>>
>>> That kinda slices and dices that default down to a VERY narrow sub
>>> sub sub set of customer base.
>>>
>>> (Bottom line, yes, the marketing team definitely got a hold of that
>>> bulletin)
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> Yeah, I know what it is and what it's for ;) That was just my subtle
>>>>
>>> way of trying to make a point. To be more explicit:
>>>
>>>> 1) If you are publishing a vulnerability for which there is no patch,
>>>>
>>> and for which you have no intention of making a patch for, don't
>>> tell me
>>> it's mitigated by ancient, unusable default firewall settings, and
>>> don't
>>> withhold explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S
>>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't
>>> say
>>> 'you can deploy firewall settings via group policy to mitigate
>>> exposure'
>>> when the firewall obviously must be accepting network connections to
>>> get
>>> the settings in the first place. If all it takes is any listening
>>> service, then you have issues. It's like telling me that "the solution
>>> is to take the letter 'f' out of the word "solution."
>>>
>>>> 2) Think things through. If you are going to try to boot sales of
>>>>
>>> Win7 to corporate customers by providing free XP VM technology and thus
>>> play up how important XP is and how many companies still depend upon it
>>> for business critical application compatibility, don't deploy that
>>> technology in an other-than-default configuration that is subject to a
>>> DoS exploit while downplaying the extent that the exploit may be
>>> leveraged by saying that a "typical" default configuration mitigates it
>>> while choosing not to ever patch it. Seems like simple logic points
>>> to me.
>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Susan Bradley [mailto:sbradcpa@...bell.net]
>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>> To: Thor (Hammer of God)
>>>>> Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> It's XP. Running in RDP mode. It's got IE6, and wants antivirus.
>>>>>
>>> Of
>>>
>>>>> course it's vulnerable to any and all gobs of stuff out there. But
>>>>> it's
>>>>> goal and intent is to allow Small shops to deploy Win7. If you need
>>>>> more security, get appv/medv/whateverv or other virtualization.
>>>>>
>>>>> It's not a security platform. It's a get the stupid 16 bit line of
>>>>> business app working platform.
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>
>>>>>> P.S.
>>>>>>
>>>>>> Anyone check to see if the default "XP Mode" VM you get for free
>>>>>>
>>> with
>>>
>>>>>>
>>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>>> running an XP vm that get's DoS'd are?
>>>>>
>>>>>> I get the whole "XP code to too old to care" bit, but it seems odd
>>>>>>
>>> to
>>>
>>>>>>
>>>>> take that "old code" and re-market it around compatibility and re-
>>>>> distribute it with free downloads for Win7 while saying "we won't
>>>>>
>>> patch
>>>
>>>>> old code."
>>>>>
>>>>>> t
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
>>>>>>> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Thor (Hammer of
>>>>>>>
>>>>> God)
>>>>>
>>>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>>>> To: Eric C. Lukens; bugtraq@...urityfocus.com
>>>>>>> Cc: full-disclosure@...ts.grok.org.uk
>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>
>>>>>>> Thanks for the link. The problem here is that not enough
>>>>>>>
>>>>> information
>>>>>
>>>>>>> is given, and what IS given is obviously watered down to the point
>>>>>>>
>>>>> of
>>>>>
>>>>>>> being ineffective.
>>>>>>>
>>>>>>> The quote that stands out most for me:
>>>>>>> <snip>
>>>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>>>> security team to explain why it wasn't patching XP, or if, in
>>>>>>>
>>>>> certain
>>>>>
>>>>>>> scenarios, their machines might be at risk. "We still use Windows
>>>>>>>
>>> XP
>>>
>>>>>>> and we do not use Windows Firewall," read one of the user
>>>>>>>
>>> questions.
>>>
>>>>>>> "We use a third-party vendor firewall product. Even assuming that
>>>>>>>
>>> we
>>>
>>>>>>> use the Windows Firewall, if there are services listening, such as
>>>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>>>
>>>>>>> "Servers are a more likely target for this attack, and your
>>>>>>>
>>> firewall
>>>
>>>>>>> should provide additional protections against external exploits,"
>>>>>>> replied Stone and Bryant.
>>>>>>> </snip>
>>>>>>>
>>>>>>> If an employee managing a product that my company owned gave
>>>>>>>
>>> answers
>>>
>>>>>>> like that to a public interview with Computerworld, they would be
>>>>>>>
>>> in
>>>
>>>>>>> deep doo. First off, my default install of XP Pro SP2 has remote
>>>>>>> assistance inbound, and once you join to a domain, you obviously
>>>>>>>
>>>>> accept
>>>>>
>>>>>>> necessary domain traffic. This "no inbound traffic by default so
>>>>>>>
>>>>> you
>>>>>
>>>>>>> are not vulnerable" line is crap. It was a direct question - "If
>>>>>>>
>>>>> RDP
>>>>>
>>>>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>>>>
>>>>> question.
>>>>>
>>>>>>> Yes, servers are the target. A firewall should provide added
>>>>>>> protection, maybe. Rumor is that's what they are for. Not sure
>>>>>>> really. What was the question again?"
>>>>>>>
>>>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>>>> particularly when they are good, obvious questions. Just be honest
>>>>>>> about it. "Yes, XP is vulnerable to a DOS. Your firewall might
>>>>>>>
>>>>> help,
>>>>>
>>>>>>> but don't bet on it. XP code is something like 15 years old now,
>>>>>>>
>>>>> and
>>>>>
>>>>>>> we're not going to change it. That's the way it is, sorry. Just be
>>>>>>> glad you're using XP and not 2008/vista or you'd be patching your
>>>>>>>
>>>>> arse
>>>>>
>>>>>>> off right now."
>>>>>>>
>>>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>>>> stepping questions and not fully exposing the problems, they are
>>>>>>>
>>>>> wrong.
>>>>>
>>>>>>> This just makes it worse. That's the long answer. The short answer
>>>>>>>
>>>>> is
>>>>>
>>>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
>>>>>>>> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>>>> To: bugtraq@...urityfocus.com
>>>>>>>> Cc: full-disclosure@...ts.grok.org.uk
>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
>>>>>>>>
>>> MS09-048?
>>>
>>>>>>>> Reference:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>>
>>>>>
>>>>>>>> hes_for_you_XP
>>>>>>>>
>>>>>>>> MS claims the patch would require to much overhaul of XP to make
>>>>>>>>
>>> it
>>>
>>>>>>>> worth it, and they may be right. Who knows how many applications
>>>>>>>>
>>>>>>>>
>>>>>>> might
>>>>>>>
>>>>>>>
>>>>>>>> break that were designed for XP if they have to radically change
>>>>>>>>
>>>>> the
>>>>>
>>>>>>>> TCP/IP stack. Now, I don't know if the MS speak is true, but it
>>>>>>>> certainly sounds like it is not going to be patched.
>>>>>>>>
>>>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>>>
>>>>>>>>
>>>>>>> system
>>>>>>>
>>>>>>>
>>>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>>>> necessary.
>>>>>>>>
>>>>>>>> -Eric
>>>>>>>>
>>>>>>>> -------- Original Message --------
>>>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>>>> From: Jeffrey Walton <noloader@...il.com>
>>>>>>>> To: nowhere@...null.com
>>>>>>>> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
>>>>>>>> Date: 9/15/09 3:49 PM
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi Aras,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> users
>>>>>>>
>>>>>>>
>>>>>>>> by not
>>>>>>>>
>>>>>>>>
>>>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Can you cite a reference?
>>>>>>>>>
>>>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>>>
>>>>>>>>>
>>>>>>> should
>>>>>>>
>>>>>>>
>>>>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Home
>>>>>>>>
>>>>>>>>
>>>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended
>>>>>>>>>
>>>>>>>>>
>>>>>>> support
>>>>>>>
>>>>>>>
>>>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>>>>
>>>>> support,
>>>>>
>>>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>>>
>>>>>>>>> 17. What is the Security Update policy?
>>>>>>>>>
>>>>>>>>> Security updates will be available through the end of the
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Extended
>>>>>>>>
>>>>>>>>
>>>>>>>>> Support phase (five years of Mainstream Support plus five
>>>>>>>>>
>>>>> years
>>>>>
>>>>>>>> of
>>>>>>>>
>>>>>>>>
>>>>>>>>> the Extended Support) at no additional cost for most
>>>>>>>>>
>>> products.
>>>
>>>>>>>>> Security updates will be posted on the Microsoft Update Web
>>>>>>>>>
>>>>>>>>>
>>>>>>> site
>>>>>>>
>>>>>>>
>>>>>>>>> during both the Mainstream and the Extended Support phase.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> "not
>>>>>>>
>>>>>>>
>>>>>>>> being
>>>>>>>>
>>>>>>>>
>>>>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Not at all.
>>>>>>>>>
>>>>>>>>> Jeff
>>>>>>>>>
>>>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>>>
>>>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>>>> <nowhere@...null.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello All:
>>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> users
>>>>>>>
>>>>>>>
>>>>>>>> by not
>>>>>>>>
>>>>>>>>
>>>>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>>>>
>>>>> out
>>>>>
>>>>>>>> whether
>>>>>>>>
>>>>>>>>
>>>>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>>>>
>>>>> to
>>>>>
>>>>>>>> work on
>>>>>>>>
>>>>>>>>
>>>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> "not
>>>>>>>
>>>>>>>
>>>>>>>> being
>>>>>>>>
>>>>>>>>
>>>>>>>>>> feasible because it's a lot of work" rhetoric... I would just
>>>>>>>>>>
>>>>> like
>>>>>
>>>>>>>> to hear
>>>>>>>>
>>>>>>>>
>>>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>>>
>>>>>>>>>> No harm in that is there?
>>>>>>>>>>
>>>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>>>> Systems Administrator
>>>>>>>>>> Virginia Tech
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> --
>>>>>>>> Eric C. Lukens
>>>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>>>> ITS-Network Services
>>>>>>>> Curris Business Building 15
>>>>>>>> University of Northern Iowa
>>>>>>>> Cedar Falls, IA 50614-0121
>>>>>>>> 319-273-7434
>>>>>>>> http://www.uni.edu/elukens/
>>>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists