3rd party patch for XP for MS09-048?

Hello All:

Given that M$ has officially shot down all current Windows XP users by not
issuing a patch for a DoS-level issue, I'm now curious to find out whether
or not any brave souls out there are already working or willing to work on
an open-source patch to remediate the issue within XP.

I realize some of you might be tempted to relay the M$ BS about "not being
feasible because it's a lot of work" rhetoric... I would just like to hear
the thoughts of the true experts subscribed to these lists :)

No harm in that is there?

Aras "Russ" Memisyazici
Systems Administrator
Virginia Tech



Replies to this exploit:

From: Jeffrey Walton noloader@gmail.com
Sent: Tue 15. Sep 2009 16:49
Hi Aras,

> Given that M$ has officially shot-down all current Windows XP users by not
> issuing a patch for a DoS level issue,
Can you cite a reference?

Unless Microsoft has changed their end of life policy [1], XP should
be patched for security vulnerabilities until about 2014. Both XP Home
and XP Pro's mainstream support ended in 4/2009, but extended support
ends in 4/2014 [2]. Given that we know the end of extended support,
take a look at bullet 17 of [1]:

    17. What is the Security Update policy?

    Security updates will be available through the end of the Extended
    Support phase (five years of Mainstream Support plus five years of
    the Extended Support) at no additional cost for most products.
    Security updates will be posted on the Microsoft Update Web site
    during both the Mainstream and the Extended Support phase.

> I realize some of you might be tempted to relay the M$ BS about "not being
> feasible because it's a lot of work" rhetoric...
Not at all.

Jeff

[1] http://support.microsoft.com/gp/lifepolicy
[2] http://support.microsoft.com/gp/lifeselect



From: Eric Kimminau eak@kimminau.org
Sent: Tue 15. Sep 2009 17:23
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

http://edge.technet.com/Media/MSRC-Monthly-Security-Bulletin-Webcast-September-2009/




From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:24
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be
of low impact and thus no patch has been built.




From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:29
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

If Windows XP is listed as an affected product, why is Microsoft
not issuing an update for it?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
Windows XP Professional x64 Edition Service Pack 2 do not have a
listening service configured in the client firewall and are therefore
not affected by this vulnerability. Windows XP Service Pack 2 and later
operating systems include a stateful host firewall that provides
protection for computers against incoming traffic from the Internet or
from neighboring network devices on a private network. The impact of a
denial of service attack is that a system would become unresponsive due
to memory consumption. However, a successful attack requires a sustained
flood of specially crafted TCP packets, and the system will recover once
the flood ceases. This makes the severity rating Low for Windows XP.
Windows XP is not affected by CVE-2009-1925. Customers running Windows
XP are at reduced risk, and Microsoft recommends they use the firewall
included with the operating system, or a network firewall, to block
access to the affected ports and limit the attack surface from untrusted
networks.




From: "Eric C. Lukens" eric.lukens@uni.edu
Sent: Tue 15. Sep 2009 16:37
Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DoS anyway, so a patch shouldn't be necessary.

-Eric

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/





From: Jeffrey Walton noloader@gmail.com
Sent: Tue 15. Sep 2009 17:52
Hi Susan,

> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
* http://support.microsoft.com/gp/lifepolicy
* http://support.microsoft.com/gp/lifeselect

Jeff



From: Matt Riddell matt@venturevoip.com
Sent: Wed 16. Sep 2009 09:53
On 16/09/09 8:49 AM, Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?

http://tech.slashdot.org/article.pl?sid=09/09/15/0131209

-- 
Cheers,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)


From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:55
It's not that they aren't supported per se, just that Microsoft has
deemed the impact of DoS to be low, the ability to patch that platform
impossible/difficult and thus have made a risk calculation accordingly.

Sometimes the architecture is what it is.



From: Elizabeth.a.greene@gmail.com
Sent: Tue 15. Sep 2009 21:56
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the Windows Firewall can protect it.

Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."

-eg


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 11:59
Thanks for the link.  The problem here is that not enough information is
given, and what IS given is obviously watered down to the point of being
ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's
security team to explain why it wasn't patching XP, or if, in certain
scenarios, their machines might be at risk. "We still use Windows XP and
we do not use Windows Firewall," read one of the user questions. "We use
a third-party vendor firewall product. Even assuming that we use the
Windows Firewall, if there are services listening, such as remote
desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo.  First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously accept
necessary domain traffic.  This "no inbound traffic by default so you
are not vulnerable" line is crap.  It was a direct question - "If RDP is
allowed through the firewall, are we vulnerable?" A: "Great question.
Yes, servers are the target.  A firewall should provide added
protection, maybe.  Rumor is that's what they are for.  Not sure really.
What was the question again?"

You don't get "trustworthy" by not answering people's questions,
particularly when they are good, obvious questions.  Just be honest
about it.  "Yes, XP is vulnerable to a DoS.  Your firewall might help,
but don't bet on it.  XP code is something like 15 years old now, and
we're not going to change it.  That's the way it is, sorry. Just be glad
you're using XP and not 2008/Vista or you'd be patching your arse off
right now."

If MSFT thinks they are mitigating public opinion issues by
side-stepping questions and not fully exposing the problems, they are
wrong.  This just makes it worse. That's the long answer.  The short
answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t




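The bulletin's reasoning, quoted above, is that a default XP SP2/SP3 box has no listening service exposed through the client firewall; Thor's objection is that Remote Assistance/RDP exceptions and domain membership open inbound ports, at which point the DoS (a sustained flood of crafted TCP packets against something that accepts connections) is reachable again. What an administrator wants is a quick way to check which case a given box is in. The script below is an added example, not code from this thread or from Microsoft: it parses the output of two commands that exist on XP, `netstat -an` and `netsh firewall show state`, and lists the TCP ports that are both listening and open in the firewall, i.e. the surface the bulletin's argument assumes to be empty. The two tool outputs embedded in it are constructed samples in the tools' XP-era text format (an assumption; check the column layout against a real box before trusting the regexes), and the exception set (File and Printer Sharing plus Remote Desktop) is chosen to show Thor's case.

```python
"""Check an XP host for the exposure MS09-048 describes.

Added example, not from the thread or from Microsoft. Parses:
    netstat -an                 (listening sockets)
    netsh firewall show state   (Windows Firewall exceptions)
and reports TCP ports that are listening AND open in the firewall, the
case the bulletin's "no listening service configured in the client
firewall" reasoning does not cover. Output formats are assumed from the
XP-era tools; the samples below are constructed.
"""
import re

# Constructed `netstat -an` sample (assumed XP format).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1047      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed `netsh firewall show state` sample (assumed XP SP2 format):
# firewall enabled, File and Printer Sharing and Remote Desktop excepted.
NETSH_SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
139    TCP       IPv4     (null)
445    TCP       IPv4     (null)
137    UDP       IPv4     (null)
138    UDP       IPv4     (null)
3389   TCP       IPv4     (null)
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
NETSH_PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+\S+\s+\S+", re.M)
NETSH_MODE_RE = re.compile(r"^Operational mode\s*=\s*(\w+)", re.M)


def listening_tcp_ports(netstat_out):
    """Return {port: local_address} for TCP sockets in LISTENING state.

    Loopback-only listeners are dropped: a socket bound to 127.0.0.1 cannot
    be reached by a remote flood at all.
    """
    ports = {}
    for addr, port in NETSTAT_RE.findall(netstat_out):
        if addr.startswith("127."):
            continue
        ports[int(port)] = addr
    return ports


def firewall_state(netsh_out):
    """Return (enabled, set of TCP ports with an exception)."""
    m = NETSH_MODE_RE.search(netsh_out)
    enabled = bool(m) and m.group(1).lower() == "enable"
    open_tcp = {int(p) for p, proto in NETSH_PORT_RE.findall(netsh_out)
                if proto == "TCP"}
    return enabled, open_tcp


def exposed_tcp_ports(netstat_out, netsh_out):
    """TCP ports a host on the network can hold connections against.

    Firewall off: every non-loopback listener is exposed.
    Firewall on: only listeners that also have an exception are.
    """
    listening = listening_tcp_ports(netstat_out)
    enabled, open_tcp = firewall_state(netsh_out)
    if not enabled:
        return sorted(listening)
    return sorted(p for p in listening if p in open_tcp)


if __name__ == "__main__":
    exposed = exposed_tcp_ports(NETSTAT_SAMPLE, NETSH_SAMPLE)
    if exposed:
        print("listening TCP ports reachable through the firewall:", exposed)
    else:
        print("no listening TCP port is reachable; the bulletin's reasoning holds here")
```

On the constructed sample the script reports 139, 445 and 3389 as reachable (135 is listening but has no exception), which is the situation the Computerworld questioner described: the firewall is on, yet the box still accepts inbound TCP on several ports. On a real host, replace the two samples with the captured command output; a third-party firewall will need its own parser, since `netsh firewall` only reports the Windows Firewall's state.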

From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 11:21
I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a "Low" threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have rated it at least Medium. If I'm wrong about
that then the "Low" rating is misleading.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
(Hammer of God)
Sent: Wednesday, September 16, 2009 11:00 AM
To: Eric C. Lukens; bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link.  The problem here is that not enough information is
given, and what IS given is obviously watered down to the point of being
ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsofts
security team to explain why it wasnt patching XP, or if, in certain
scenarios, their machines might be at risk. "We still use Windows XP and
we do not use Windows Firewall," read one of the user questions. "We use
a third-party vendor firewall product. Even assuming that we use the
Windows Firewall, if there are services listening, such as remote
desktop, wouldnt then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo.  First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously accept
necessary domain traffic.  This "no inbound traffic by default so you
are not vulnerable" line is crap.  It was a direct question - "If RDP is
allowed through the firewall, are we vulnerable?" A:"Great question.
Yes, servers are the target.  A firewall should provide added
protection, maybe.  Rumor is thats what they are for.  Not sure really.
What was the question again?"

You dont get "trustworthy" by not answering peoples questions,
particularly when they are good, obvious questions.  Just be honest
about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
but dont bet on it.  XP code is something like 15 years old now, and
were not going to change it.  Thats the way it is, sorry. Just be glad
youre using XP and not 2008/vista or youd be patching your arse off
right now."=20

If MSFT thinks they are mitigating public opinion issues by
side-stepping questions and not fully exposing the problems, they are
wrong.  This just makes it worse. Thats the long answer.  The short
answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t=20



> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> Sent: Tuesday, September 15, 2009 2:37 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require too much overhaul of XP to make it
> worth it, and they may be right.  Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> necessary.
>
> -Eric
>
> -------- Original Message  --------
> Subject: Re: 3rd party patch for XP for MS09-048?
> From: Jeffrey Walton <noloader@gmail.com>
> To: nowhere@devnull.com
> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> Date: 9/15/09 3:49 PM
> > Hi Aras,
> >
> >> Given that M$ has officially shot-down all current Windows XP users by not
> >> issuing a patch for a DoS level issue,
> >>
> > Can you cite a reference?
> >
> > Unless Microsoft has changed their end of life policy [1], XP should
> > be patched for security vulnerabilities until about 2014. Both XP Home
> > and XP Pro's mainstream support ended in 4/2009, but extended support
> > ends in 4/2014 [2]. Given that we know the end of extended support,
> > take a look at bullet 17 of [1]:
> >
> >     17. What is the Security Update policy?
> >
> >     Security updates will be available through the end of the Extended
> >     Support phase (five years of Mainstream Support plus five years of
> >     the Extended Support) at no additional cost for most products.
> >     Security updates will be posted on the Microsoft Update Web site
> >     during both the Mainstream and the Extended Support phase.
> >
> >> I realize some of you might be tempted to relay the M$ BS about "not being
> >> feasible because its a lot of work" rhetoric...
> >>
> > Not at all.
> >
> > Jeff
> >
> > [1] http://support.microsoft.com/gp/lifepolicy
> > [2] http://support.microsoft.com/gp/lifeselect
> >
> > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> > <nowhere@devnull.com> wrote:
> >
> >> Hello All:
> >>
> >> Given that M$ has officially shot-down all current Windows XP users by not
> >> issuing a patch for a DoS level issue, I'm now curious to find out whether
> >> or not any brave souls out there are already working or willing to work on
> >> an open-source patch to remediate the issue within XP.
> >>
> >> I realize some of you might be tempted to relay the M$ BS about "not being
> >> feasible because its a lot of work" rhetoric... I would just like to hear
> >> the thoughts of the true experts subscribed to these lists :)
> >>
> >> No harm in that is there?
> >>
> >> Aras "Russ" Memisyazici
> >> Systems Administrator
> >> Virginia Tech
> >>
>
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 12:15
P.S.

Anyone check to see if the default "XP Mode" VM you get for free with Win7
hyperv is vulnerable and what the implications are for a host running an XP
vm that gets DoSd are?

I get the whole "XP code to too old to care" bit, but it seems odd to take
that "old code" and re-market it around compatibility and re-distribute it
with free downloads for Win7 while saying "we won't patch old code."

t

> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, September 16, 2009 8:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Thanks for the link.  The problem here is that not enough information
> is given, and what IS given is obviously watered down to the point of
> being ineffective.
>
> The quote that stands out most for me:
> <snip>
> During the Q&A, however, Windows users repeatedly asked Microsoft's
> security team to explain why it wasn't patching XP, or if, in certain
> scenarios, their machines might be at risk. "We still use Windows XP
> and we do not use Windows Firewall," read one of the user questions.
> "We use a third-party vendor firewall product. Even assuming that we
> use the Windows Firewall, if there are services listening, such as
> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>
> "Servers are a more likely target for this attack, and your firewall
> should provide additional protections against external exploits,"
> replied Stone and Bryant.
> </snip>
>
> If an employee managing a product that my company owned gave answers
> like that to a public interview with Computerworld, they would be in
> deep doo.  First off, my default install of XP Pro SP2 has remote
> assistance inbound, and once you join to a domain, you obviously accept
> necessary domain traffic.  This "no inbound traffic by default so you
> are not vulnerable" line is crap.  It was a direct question - "If RDP
> is allowed through the firewall, are we vulnerable?" A:"Great question.
> Yes, servers are the target.  A firewall should provide added
> protection, maybe.  Rumor is that's what they are for.  Not sure
> really.  What was the question again?"
>
> You don't get "trustworthy" by not answering people's questions,
> particularly when they are good, obvious questions.  Just be honest
> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> but don't bet on it.  XP code is something like 15 years old now, and
> we're not going to change it.  That's the way it is, sorry. Just be
> glad you're using XP and not 2008/vista or you'd be patching your arse
> off right now."
>
> If MSFT thinks they are mitigating public opinion issues by side-
> stepping questions and not fully exposing the problems, they are wrong.
> This just makes it worse. That's the long answer.  The short answer is
> "XP is vulnerable to a DoS, and a patch is not being offered."
>
> t
>


From: Tom Grace tom@deathbycomputers.co.uk
Sent: Wed 16. Sep 2009 16:57
Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value 
adds additional delays to connection indications, and TCP connection 
requests quickly timeout when a SYN attack is in progress. This 
parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you 
set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 
theory, around it... & iirc, "Scalable Windows", via setsockopt API 
calls from an attacker are what the problem is here anyhow & this ought 
to stall it... thoughts/feedback?

APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize 
settings in the registry in TCP/IP Parameters (see registry path above) 
SHOULD also help here also, for servers that can accept MANY connections 
from MANY clients, worldwide, as your specific constraints specify...

Thus, effectively stalling the ability to use TcpWindowScaling is 
stopped by SynAttackProtect too, so an attacking system/app sending a 
setsockopt of 0 for this SHOULD also be nullified, on a server also...

(However/Again - Workstations are easily taken care of , vs. servers, 
just by what I wrote up above either by PORT FILTERING)

IP Security Policies, which can work on ranges of addresses to block, 
OR, single systems as well you either ALLOW or DENY to talk to your 
system, still can help also... vs. a DDOS though? SynAttackProtect is 
your best friend here... you'd use netstat -b -n tcp to see which are 
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR 
WAY (or just by doing it in a router or routing table)... takers anyone, 
on these thoughts (especially for Windows 2000)?

Thanks for your time... apk
UNQUOTE--

Source: http://tech.slashdot.org/comments.pl?sid=1368439&cid=29424787

Susan Bradley wrote:
> It's not that they aren't supported per se, just that Microsoft has 
> deemed the impact of DOS to be low, the ability to patch that platform 
> impossible/difficult and thus have made a risk calculation accordingly.
> 
> Sometimes the architecture is what it is.
> 
> Jeffrey Walton wrote:
>> Hi Susan,
>>
>>  
>>> Read the bulletin.  Theres no patch.  It is deemed by Microsoft to 
>>> be of
>>> low impact and thus no patch has been built.
>>>     
>> I don't know how I missed that XP/SP2 and above were not being
>> patched. It appears that my two references are worthless... I used to
>> use them in position papers!
>> * http://support.microsoft.com/gp/lifepolicy
>> * http://support.microsoft.com/gp/lifeselect
>>
>> Jeff
>>
>> On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley <sbradcpa@pacbell.net> 
>> wrote:
>>  
>>> Read the bulletin.  Theres no patch.  It is deemed by Microsoft to 
>>> be of
>>> low impact and thus no patch has been built.
>>>

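Added here as an example, not code from Tom's message or from the Slashdot comment he quotes: a PowerShell script that reads the SynAttackProtect value the comment names and tallies half-open (SYN_RECEIVED) TCP connections per remote address from netstat, the data the comment suggests looking at before blocking a source. It assumes a Windows XP/2003-era host with netstat.exe and PowerShell 2.0 or later; the registry path is the real Tcpip\Parameters key, the sample netstat rows are constructed, and nothing here claims the setting addresses MS09-048, which the thread leaves open.

```powershell
# Added example, not code from the thread or from the quoted Slashdot comment.
# Assumes Windows XP/2003 with netstat.exe and PowerShell 2.0 or later.
# Reads the SynAttackProtect value the comment refers to and tallies
# half-open (SYN_RECEIVED) TCP connections per remote address, which is
# the data the comment suggests using before blocking a source.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-SynAttackProtect {
    # Returns the DWORD if the value exists, $null if it is absent
    # (absent means the stack's built-in default applies).
    $props = Get-ItemProperty -Path $TcpipParams -ErrorAction SilentlyContinue
    if ($props -ne $null -and $props.PSObject.Properties['SynAttackProtect'] -ne $null) {
        return [int]$props.SynAttackProtect
    }
    return $null
}

function Get-HalfOpenBySource {
    # Parses 'netstat -n -p tcp' rows:  TCP  local:port  remote:port  STATE
    # Rows may be passed in explicitly so the parser can be exercised offline.
    param([string[]]$NetstatLines = (& netstat -n -p tcp))
    $counts = @{}
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 4 -and $f[0] -eq 'TCP' -and $f[3] -eq 'SYN_RECEIVED') {
            $remote = ($f[2] -split ':')[0]      # '-p tcp' lists IPv4 only, so one colon
            $counts[$remote] = [int]$counts[$remote] + 1
        }
    }
    return $counts
}

# Constructed sample rows (not real traffic) to exercise the parser offline.
$sampleRows = @(
    '  Proto  Local Address          Foreign Address        State',
    '  TCP    10.0.0.5:3389          203.0.113.7:40001      SYN_RECEIVED',
    '  TCP    10.0.0.5:3389          203.0.113.7:40002      SYN_RECEIVED',
    '  TCP    10.0.0.5:445           198.51.100.9:51000     ESTABLISHED',
    '  TCP    10.0.0.5:3389          203.0.113.8:40003      SYN_RECEIVED'
)
$sampleCounts = Get-HalfOpenBySource -NetstatLines $sampleRows
# Only SYN_RECEIVED rows are counted; the ESTABLISHED row is skipped.

# Live checks against this host.
$sap = Get-SynAttackProtect
if ($sap -eq $null) { 'SynAttackProtect: not set (stack default)' } else { "SynAttackProtect: $sap" }

$live = Get-HalfOpenBySource
$live.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10 |
    ForEach-Object { '{0,5} half-open from {1}' -f $_.Value, $_.Key }
```

Reading the Parameters key needs no elevation. Blocking the sources it lists, whether through an IP Security policy on the host or upstream in a router as the comment suggests, is a separate decision the script deliberately leaves to the operator, since a burst of SYN_RECEIVED entries from one address can also be a legitimate client behind NAT.
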

From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 09:00
Only if you are a consumer.  In a network we ALL have listening ports 
out there.

Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg
>
>   
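
Added here as an example, not code from the thread: a PowerShell inventory of what an XP host actually exposes, which is what the bulletin's "no listening service configured in the client firewall" argument and Susan's objection both turn on. It lists TCP listeners and bound UDP sockets from netstat -an, flags those not bound to loopback, and prints the Windows Firewall mode and enabled entries from the XP SP2/SP3 netsh firewall context. Assumptions: netstat.exe, netsh.exe and PowerShell 2.0 or later; the netsh output is filtered loosely on field names rather than parsed into objects, and the sample netstat rows are constructed.

```powershell
# Added example, not code from the thread. Assumes Windows XP SP2/SP3 with
# netstat.exe, netsh.exe and PowerShell 2.0 or later. Lists sockets that are
# actually listening and what the host firewall permits, so the bulletin's
# "no listening service behind the firewall" argument can be checked on a
# real machine instead of assumed.

function Get-ExposedSockets {
    # Parses 'netstat -an' rows. TCP rows carry a state column and only
    # LISTENING ones matter here; UDP rows have no state and always receive.
    param([string[]]$NetstatLines = (& netstat -an))
    $sockets = @()
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 3 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { continue }
        if ($f[0] -eq 'TCP' -and ($f.Count -lt 4 -or $f[3] -ne 'LISTENING')) { continue }
        # Split on the last colon so bracketed IPv6 literals such as [::]:135 survive.
        $cut  = $f[1].LastIndexOf(':')
        $addr = $f[1].Substring(0, $cut)
        $port = [int]$f[1].Substring($cut + 1)
        $sockets += New-Object PSObject -Property @{
            Proto   = $f[0]
            Address = $addr
            Port    = $port
            # Anything not bound to loopback is reachable from the network
            # whenever the firewall lets the port through.
            Network = ($addr -ne '127.0.0.1' -and $addr -ne '[::1]')
        }
    }
    return $sockets
}

function Get-XpFirewallSummary {
    # 'netsh firewall' is the XP SP2/SP3 context ('advfirewall' replaced it from
    # Vista on). Its output layout differs per profile, so the lines are filtered
    # loosely on the fields of interest rather than parsed into objects.
    $state  = & netsh firewall show state
    $config = & netsh firewall show config
    return @{
        Mode   = @($state  | Where-Object { $_ -match 'Profile|Operational mode|Exception mode' })
        Opened = @($config | Where-Object { $_ -match 'Enable' })
    }
}

# Constructed sample rows (not a real host) to show which sockets get flagged.
$sampleRows = @(
    '  Proto  Local Address          Foreign Address        State',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING',
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING',
    '  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING',
    '  TCP    10.0.0.5:139           10.0.0.9:445           ESTABLISHED',
    '  UDP    0.0.0.0:445            *:*',
    '  UDP    127.0.0.1:1900         *:*'
)
$sampleExposed = Get-ExposedSockets -NetstatLines $sampleRows | Where-Object { $_.Network }
# Keeps only sockets bound beyond loopback; the ESTABLISHED row is not a listener.

# Live run on this host.
Get-ExposedSockets | Sort-Object Network, Proto, Port |
    Format-Table Proto, Address, Port, Network -AutoSize
$fw = Get-XpFirewallSummary
'--- Firewall state ---'
$fw.Mode
'--- Firewall entries enabled ---'
$fw.Opened
```

A socket shows up as exposed whenever it is bound to anything other than loopback; whether it is reachable then depends on the firewall entries in the second half of the output and on any third-party firewall the host runs, which this script does not see. A domain-joined XP box normally shows 135, 139, 445 and, with Remote Desktop on, 3389 in the first list and matching exceptions in the second, which is the configuration the thread argues the bulletin's "by default" wording glosses over.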



From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 13:31
Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack
itself, exploitation information must be explicit and definitive.  I'm fine
with risk classification, and I appreciate efforts to categorize risk into
manageable exposure metrics, but we shouldn't have to infer potential
vulnerability information from vague disclosure data.  I know many response
teams base patch paths on the published severity, but one also has to be
able to make decisions on their own.  For me, no big deal.  But it's not
that simple for others.

But there's not enough information for me to make that call.  Is it for ANY
"listening service?"  TCP or UDP?  Does the "stateful" firewall introduced
in subsequent versions stop it?

The answers are "yes," "yes," and "no."  They should just say that.  Is it
"low" because the firewall doesn't have any exceptions by default?  If so,
that's silly.  Everyone using XP for anything has incoming connections for
something, and well known if on a domain.  I feel sorry for Diebold and NEC
with all the ATMs out there running XP, but fortunately, I'm not
responsible for clients using their systems anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real,
straight-forward, no-nonsense information and technical sleight of hand.
The information should be painfully obvious, not obviously painful.

t




> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,
> they probably would have rated it at least Medium. If I'm wrong about
> that then the "Low" rating is misleading.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 10:16
It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of 
course it's vulnerable to any and all gobs of stuff out there.  But its 
goal and intent is to allow Small shops to deploy Win7.  If you need 
more security, get appv/medv/whateverv or other virtualization.

It's not a security platform.  It's a get the stupid 16 bit line of 
business app working platform.

Thor (Hammer of God) wrote:
> P.S.
>
> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that gets DoSd are?  
>
> I get the whole "XP code to too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we wont patch old code."  
>
> t 
>
>   
>> -----Original Message-----
>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, September 16, 2009 8:00 AM
>> To: Eric C. Lukens; bugtraq@securityfocus.com
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> Thanks for the link.  The problem here is that not enough information
>> is given, and what IS given is obviously watered down to the point of
>> being ineffective.
>>
>> The quote that stands out most for me:
>> <snip>
>> During the Q&A, however, Windows users repeatedly asked Microsofts
>> security team to explain why it wasnt patching XP, or if, in certain
>> scenarios, their machines might be at risk. "We still use Windows XP
>> and we do not use Windows Firewall," read one of the user questions.
>> "We use a third-party vendor firewall product. Even assuming that we
>> use the Windows Firewall, if there are services listening, such as
>> remote desktop, wouldnt then Windows XP be vulnerable to this?"
>>
>> "Servers are a more likely target for this attack, and your firewall
>> should provide additional protections against external exploits,"
>> replied Stone and Bryant.
>> </snip>
>>
>> If an employee managing a product that my company owned gave answers
>> like that to a public interview with Computerworld, they would be in
>> deep doo.  First off, my default install of XP Pro SP2 has remote
>> assistance inbound, and once you join to a domain, you obviously accept
>> necessary domain traffic.  This "no inbound traffic by default so you
>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>> Yes, servers are the target.  A firewall should provide added
>> protection, maybe.  Rumor is thats what they are for.  Not sure
>> really.  What was the question again?"
>>
>> You dont get "trustworthy" by not answering peoples questions,
>> particularly when they are good, obvious questions.  Just be honest
>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>> but dont bet on it.  XP code is something like 15 years old now, and
>> were not going to change it.  Thats the way it is, sorry. Just be
>> glad youre using XP and not 2008/vista or youd be patching your arse
>> off right now."
>>
>> If MSFT thinks they are mitigating public opinion issues by side-
>> stepping questions and not fully exposing the problems, they are wrong.
>> This just makes it worse. Thats the long answer.  The short answer is
>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>
>> t
>>
>>
>>
>>     
>>> -----Original Message-----
>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>> To: bugtraq@securityfocus.com
>>> Cc: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Reference:
>>>
>>>
>>>       
>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>     
>>> hes_for_you_XP
>>>
>>> MS claims the patch would require to much overhaul of XP to make it
>>> worth it, and they may be right.  Who knows how many applications
>>>       
>> might
>>     
>>> break that were designed for XP if they have to radically change the
>>> TCP/IP stack.  Now, I dont know if the MS speak is true, but it
>>> certainly sounds like it is not going to be patched.
>>>
>>> The other side of the MS claim is that a properly-firewalled XP
>>>       
>> system
>>     
>>> would not be vulnerable to a DOS anyway, so a patch shouldnt be
>>> necessary.
>>>
>>> -Eric
>>>
>>> --
>>> Eric C. Lukens
>>> IT Security Policy and Risk Assessment Analyst
>>> ITS-Network Services
>>> Curris Business Building 15
>>> University of Northern Iowa
>>> Cedar Falls, IA 50614-0121
>>> 319-273-7434
>>> http://www.uni.edu/elukens/
>>> http://weblogs.uni.edu/elukens/
>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 11:25
It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word 'solution.'"
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.
>
> t
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But its
>> goal and intent is to allow small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a "get the stupid 16 bit line of
>> business app working" platform.
>>
>>
>> Thor (Hammer of God) wrote:
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP VM that gets DoS'd?
>>>
>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>> take that "old code" and re-market it around compatibility and
>>> re-distribute it with free downloads for Win7 while saying "we won't
>>> patch old code."
>>>
>>> t
>>>
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>> Cc: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough information
>>>> is given, and what IS given is obviously watered down to the point of
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>> is allowed through the firewall, are we vulnerable?" A: "Great question.
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DoS.  Your firewall might help,
>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/Vista or you'd be patching your arse
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-stepping
>>>> questions and not fully exposing the problems, they are wrong.
>>>> This just makes it worse. That's the long answer.  The short answer is
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>
>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>> break that were designed for XP if they have to radically change the
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>> would not be vulnerable to a DoS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 15:23
Yeah, I know what it is and what it's for ;)  That was just my subtle way
of trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and
for which you have no intention of making a patch, don't tell me it's
mitigated by ancient, unusable default firewall settings, and don't withhold
explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE
KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy
firewall settings via group policy to mitigate exposure when the firewall
obviously must be accepting network connections to get the settings in the
first place. If all it takes is any listening service, then you have issues.
It's like telling me that "the solution is to take the letter f out of the
word 'solution.'"

2)  Think things through.  If you are going to try to boost sales of Win7 to
corporate customers by providing free XP VM technology and thus play up how
important XP is and how many companies still depend upon it for business
critical application compatibility, don't deploy that technology in an
other-than-default configuration that is subject to a DoS exploit while
downplaying the extent that the exploit may be leveraged by saying that a
"typical" default configuration mitigates it while choosing not to ever
patch it.  Seems like simple logic points to me.

t



From: Rob Thompson my.security.lists@gmail.com
Sent: Wed 16. Sep 2009 11:24
Susan Bradley wrote:
> Only if you are a consumer.  In a network we ALL have listening ports
> out there.

This is simply Microsoft's way of forcing you to upgrade your OS.  They
pulled the same shenanigans with Windows 2000, if you do not recall.

I'd have to say, it's time to re-evaluate where you are funneling your
$$$.  If the vendor that you PAID your hard earned dollars to is not
supporting their product like they said they would, then it's time to
move on.

There are plenty of alternatives out there.  No one says you _have_ to
run Windows.

> 
> Elizabeth.a.greene@gmail.com wrote:
>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>> patches for XP because, by default, it runs no listening services or
>> the windows firewall can protect it.
>>
>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>> "If Windows XP is listed as an affected product, why is Microsoft not
>> issuing an update for it?
>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
>> -eg
>>
>>   
> 
> 


-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 12:48
Cloud option maybe as we go forward but right now today, this is
business making the decisions here.

Desktop, if it were that easy we'd have ripped out desktops years ago.

Businesses have to be realistic.  Sometimes there are not "plenty of
comparable alternatives out there".

Sometimes the boss/business needs/line of business apps dictate you run
Windows.




From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 17:02
Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle
> way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch,
> and for which you have no intention of making a patch, don't tell me
> it's mitigated by ancient, unusable default firewall settings, and don't
> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
> you can deploy firewall settings via group policy to mitigate exposure
> when the firewall obviously must be accepting network connections to get
> the settings in the first place. If all it takes is any listening
> service, then you have issues.  It's like telling me that "the solution
> is to take the letter f out of the word 'solution.'"
>
> 2)  Think things through.  If you are going to try to boost sales of
> Win7 to corporate customers by providing free XP VM technology and thus
> play up how important XP is and how many companies still depend upon it
> for business critical application compatibility, don't deploy that
> technology in an other-than-default configuration that is subject to a
> DoS exploit while downplaying the extent that the exploit may be
> leveraged by saying that a "typical" default configuration mitigates it
> while choosing not to ever patch it.  Seems like simple logic points
> to me.
>
> t
>
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But its
>> goal and intent is to allow small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a "get the stupid 16 bit line of
>> business app working" platform.
>>
>> Thor (Hammer of God) wrote:
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP VM that gets DoS'd?
>>>
>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>> take that "old code" and re-market it around compatibility and
>>> re-distribute it with free downloads for Win7 while saying "we won't
>>> patch old code."
>>>
>>> t
>>>
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>> Cc: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough information
>>>> is given, and what IS given is obviously watered down to the point of
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>> is allowed through the firewall, are we vulnerable?" A: "Great question.
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DoS.  Your firewall might help,
>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/Vista or you'd be patching your arse
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by
>>>> side-stepping questions and not fully exposing the problems, they are
>>>> wrong.  This just makes it worse. That's the long answer.  The short
>>>> answer is "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>
>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>> break that were designed for XP if they have to radically change the
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>> would not be vulnerable to a DoS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


From: "Aras "Russ" Memisyazici" nowhere@devnull.com
Sent: Wed 16. Sep 2009 18:39
:)

Thank you all for your valuable comments... Indeed I appreciated some of the
links/info extended (Susan, Thor and Tom). However, in the end, it sounded
like:

a) As a sysadmin in charge of maintaining XP systems along with a whole
shebang of other mixed setups, unless I deploy a "better" firewall solution, I
seem to be SOL.

b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
earlier, they did the exact same thing back in Win2K days... Nothing new
here... :/ As Larry and Thor pointed out, what sux is that despite M$
"PROMISING" that they would continue supporting XP, since they didn't exactly
state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman tactics when it comes
to promises...

So... with all this commentary, in the end, I still didn't read from the
"biguns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days that people back in the day who cared would
:) In the end I realize, it sounds like a total overhaul of the TCP/IP
stack is required; but does it really have to? Really?

How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
suggesting switching to an iptables-based protection along with a registry
tweak... ahh the good ol' batch firewall :) Would this actually work as a
viable work-around? I realize M$ stated this as such, but given their
current reputation it's really hard to take their word for anything these
days :P

What free/cheap client-level IPS solutions block this current attack? Any
suggestions?

Thank you for your time and look forward to some more answers.

Sincerely,
Aras "Russ" Memisyazici
arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
you know why!

Systems Administrator
Virginia Tech

-----Original Message-----
From: Larry Seltzer [mailto:larry@larryseltzer.com] 
Sent: Wednesday, September 16, 2009 5:03 PM
To: Susan Bradley; Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that 
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle
> way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch,
> and for which you have no intention of making a patch for, don't tell me
> it's mitigated by ancient, unusable default firewall settings, and don't
> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
> you can deploy firewall settings via group policy to mitigate exposure
> when the firewall obviously must be accepting network connections to get
> the settings in the first place. If all it takes is any listening
> service, then you have issues.  It's like telling me that "the solution
> is to take the letter f out of the word 'solution'."
>
> 2)  Think things through.  If you are going to try to boost sales of
> Win7 to corporate customers by providing free XP VM technology and thus
> play up how important XP is and how many companies still depend upon it
> for business critical application compatibility, don't deploy that
> technology in an other-than-default configuration that is subject to a
> DoS exploit while downplaying the extent that the exploit may be
> leveraged by saying that a "typical" default configuration mitigates it
> while choosing not to ever patch it.    Seems like simple logic points
> to me.
>
> t
>
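Thor's objection above (any listening service the firewall lets through is enough, and a domain-joined box necessarily lets some through) and Russ's question of whether a firewall-only workaround is viable both reduce to one concrete check: which TCP listeners on a given XP host can an outside machine actually complete a handshake to. The script below is an added example, not code from the thread, from Microsoft, or from any of the posters. It answers that question offline from captured `netstat -an` and `netsh firewall show state` output. The two embedded samples are constructed; their layout is the XP SP2/SP3 output format as the example's author remembers it and should be checked against a real host before the parser is trusted, and the port-to-name table is an assumption added only for readable labels.

```python
"""Audit which TCP listeners on an XP host are reachable through the
Windows Firewall, from captured `netstat -an` and
`netsh firewall show state` output.

Added example, not from the thread. The two text blobs below are
constructed samples in the XP-era output format as remembered by the
author of this example; verify against a real host. KNOWN_PORTS is an
assumption used only to label results.
"""
import re

# Constructed sample of `netstat -an` on a domain-joined XP Pro SP2 box
# with Remote Desktop enabled. 1027 is bound to loopback only.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.77:52101     ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed sample of `netsh firewall show state` with the firewall on
# and the Remote Desktop / File and Printer Sharing exceptions enabled.
NETSH_SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
139    TCP       Any      (null)
445    TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""

# Assumed labels for the usual XP listeners; purely cosmetic.
KNOWN_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session",
               445: "SMB", 3389: "Remote Desktop"}


def tcp_listeners(netstat_text):
    """Return {port: local_address} for TCP sockets in LISTENING state,
    skipping loopback-only binds, which the network cannot reach."""
    out = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)
            if not addr.startswith("127."):
                out[int(port)] = addr
    return out


def firewall_state(netsh_text):
    """Return (enabled, {TCP ports with an exception}) from netsh output."""
    m = re.search(r"^Operational mode\s*=\s*(\w+)", netsh_text, re.M)
    enabled = bool(m) and m.group(1).lower() == "enable"
    open_tcp = set()
    in_table = False
    for line in netsh_text.splitlines():
        if line.startswith("Ports currently open"):
            in_table = True
            continue
        if in_table:
            row = re.match(r"^(\d+)\s+TCP\b", line)
            if row:
                open_tcp.add(int(row.group(1)))
    return enabled, open_tcp


def exposed_tcp_ports(netstat_text, netsh_text):
    """TCP ports an outside host can complete a handshake to: every
    non-loopback listener when the firewall is off, otherwise only the
    listeners that also have an exception. Each one is a TCP-layer
    entry point, which is the precondition the bulletin's "default
    configuration" argument assumes away."""
    listeners = tcp_listeners(netstat_text)
    enabled, open_tcp = firewall_state(netsh_text)
    ports = sorted(listeners) if not enabled else sorted(set(listeners) & open_tcp)
    return {p: KNOWN_PORTS.get(p, "unknown") for p in ports}


if __name__ == "__main__":
    for port, name in exposed_tcp_ports(NETSTAT_SAMPLE, NETSH_SAMPLE).items():
        print(f"TCP/{port:<5} reachable ({name})")
```

On a real host, feed it the saved output of the two commands instead of the samples. An empty result is the only case in which "the default configuration mitigates it" holds; a domain-joined machine with the Remote Desktop or File and Printer Sharing exception on will not come back empty, which is exactly the point Thor makes. Note what the check does not say: it reports only that the host accepts connections on those ports, not whether the stack behind them is vulnerable, and a third-party host firewall or an upstream filter that netsh knows nothing about would have to be accounted for separately.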



From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 07:59
<jaded mode off>

I know too many of the good geeks behind Microsoft and I do trust that
this IS NOT a plot to sell more Win7.  Granted the marketing folks spun
this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
architecture in XP just isn't there.  It's a 10 year old platform that
sometimes you can't bolt on this stuff afterwards.  Even in Vista, it's
not truly fixing the issue, merely making the system more resilient to
attacks.  Read the fine print in the patch.. it's just making the system
kill a session and recover better.

I am not a fan of third party because you bring yourself outside the
support window of the product.

It is just a DoS.  I DoS myself after patch Tuesday sometimes with mere
patch issues.  Also the risk of this appears low, the potential for
someone coding up an attack low... I have bigger risks from fake A/V at me.

Is this truly the risk that one has to take such actions and expect such
energy?

I don't see that it is.  Give me more information that it is a risk and
I may change my mind, but right now, I'm just not seeing that it's worth it.



>>>>> glad youre using XP and not 2008/vista or youd be patching your
>>>>>         
>>>>>           
>>> arse
>>>     
>>>       
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are
>>>>>         
>>>>>           
>>> wrong.
>>>     
>>>       
>>>>> This just makes it worse. Thats the long answer.  The short answer
>>>>>         
>>>>>           
>>> is
>>>     
>>>       
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>         
>>>>>           
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@securityfocus.com
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
>>>>>>             
> MS09-048?
>   
>>>>>> Reference:
>>>>>>
>>>>>>
>>>>>>
>>>>>>           
>>>>>>             
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>   
>>>     
>>>       
>>>>>> hes_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require to much overhaul of XP to make
>>>>>>             
> it
>   
>>>>>> worth it, and they may be right.  Who knows how many applications
>>>>>>
>>>>>>           
>>>>>>             
>>>>> might
>>>>>
>>>>>         
>>>>>           
>>>>>> break that were designed for XP if they have to radically change
>>>>>>           
>>>>>>             
>>> the
>>>     
>>>       
>>>>>> TCP/IP stack.  Now, I dont know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>
>>>>>>           
>>>>>>             
>>>>> system
>>>>>
>>>>>         
>>>>>           
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldnt be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>> To: nowhere@devnull.com
>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> users
>>>>>
>>>>>         
>>>>>           
>>>>>> by not
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>>
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>> should
>>>>>
>>>>>         
>>>>>           
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>> Home
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>> and XP Pros mainstream support ended in 4/2009, but extended
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>> support
>>>>>
>>>>>         
>>>>>           
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>>             
>>>>>>>               
>>> support,
>>>     
>>>       
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>> Extended
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>     Support phase (five years of Mainstream Support plus five
>>>>>>>             
>>>>>>>               
>>> years
>>>     
>>>       
>>>>>> of
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>     the Extended Support) at no additional cost for most
>>>>>>>               
> products.
>   
>>>>>>>     Security updates will be posted on the Microsoft Update Web
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>> site
>>>>>
>>>>>         
>>>>>           
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> "not
>>>>>
>>>>>         
>>>>>           
>>>>>> being
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> feasible because its a lot of work" rhetoric...
>>>>>>>>
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> users
>>>>>
>>>>>         
>>>>>           
>>>>>> by not
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> issuing a patch for a DoS level issue, Im now curious to find
>>>>>>>>               
>>>>>>>>                 
>>> out
>>>     
>>>       
>>>>>> whether
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>>               
>>>>>>>>                 
>>> to
>>>     
>>>       
>>>>>> work on
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> "not
>>>>>
>>>>>         
>>>>>           
>>>>>> being
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> feasible because its a lot of work" rhetoric... I would just
>>>>>>>>               
>>>>>>>>                 
>>> like
>>>     
>>>       
>>>>>> to hear
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>>           
>>>>>>             
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>         
>>>>>           
>>>>       
>>>>         
>>   
>>     
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>   


From: John Morrison john.morrison101@googlemail.com
Sent: Thu 17. Sep 2009 16:29
On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?


2009/9/16 Aras "Russ" Memisyazici <nowhere@devnull.com>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP since they didn't exactly
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "biguns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
> you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because they've got 4+ years of Extended Support Period
> left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
> Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's only "default" for people running XP standalone/consumer that are
> not even in a home network settings.
>
> That kinda slices and dices that default down to a VERY narrow sub sub
> sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that
> bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>> way of trying to make a point.  To be more explicit:
>>
>> 1)  If you are publishing a vulnerability for which there is no patch,
>> and for which you have no intention of making a patch for, don't tell me
>> it's mitigated by ancient, unusable default firewall settings, and don't
>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>> you can deploy firewall settings via group policy to mitigate exposure
>> when the firewall obviously must be accepting network connections to get
>> the settings in the first place. If all it takes is any listening
>> service, then you have issues.  It's like telling me that "the solution
>> is to take the letter f out of the word "solution."
>>
>> 2)  Think things through.  If you are going to try to boost sales of
>> Win7 to corporate customers by providing free XP VM technology and thus
>> play up how important XP is and how many companies still depend upon it
>> for business critical application compatibility, don't deploy that
>> technology in an other-than-default configuration that is subject to a
>> DoS exploit while downplaying the extent that the exploit may be
>> leveraged by saying that a "typical" default configuration mitigates it
>> while choosing not to ever patch it.  Seems like simple logic points
>> to me.
>>
>> t
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus. Of
>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>> more security, get appv/medv/whateverv or other virtualization.
>>>
>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>> business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>> running an XP vm that gets DoS'd are?
>>>>
>>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>>> take that "old code" and re-market it around compatibility and re-
>>>> distribute it with free downloads for Win7 while saying "we won't patch
>>>> old code."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link.  The problem here is that not enough information
>>>>> is given, and what IS given is obviously watered down to the point of
>>>>> being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>>> and we do not use Windows Firewall," read one of the user questions.
>>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>>> use the Windows Firewall, if there are services listening, such as
>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your firewall
>>>>> should provide additional protections against external exploits,"
>>>>> replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave answers
>>>>> like that to a public interview with Computerworld, they would be in
>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>>> Yes, servers are the target.  A firewall should provide added
>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>> really.  What was the question again?"
>>>>>
>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>>> This just makes it worse. That's the long answer.  The short answer is
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@securityfocus.com
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>
>>>>>> Reference:
>>>>>>
>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>>> break that were designed for XP if they have to radically change the
>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>> To: nowhere@devnull.com
>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users
>>>>>>>> by not issuing a patch for a DoS level issue,
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP should
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the Extended
>>>>>>>     Support phase (five years of Mainstream Support plus five years of
>>>>>>>     the Extended Support) at no additional cost for most products.
>>>>>>>     Security updates will be posted on the Microsoft Update Web site
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>>>>> being feasible because it's a lot of work" rhetoric...
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users
>>>>>>>> by not issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>> out whether or not any brave souls out there are already working or
>>>>>>>> willing to work on an open-source patch to remediate the issue within
>>>>>>>> XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>>>>> being feasible because it's a lot of work" rhetoric... I would just
>>>>>>>> like to hear the thoughts of the true experts subscribed to these
>>>>>>>> lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 10:16
Good geeks ...not gook geeks.

It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong.  My deepest apologies if anyone reads that
wrong.

Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust
>> that this
>                          ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7.  Granted the marketing folks spun
>> this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
>> architecture in XP just isn't there.  It's a 10 year old platform
>> that sometimes you can't bolt on this stuff afterwards.  Even in
>> Vista, it's not truly fixing the issue, merely making the system more
>> resilient to attacks.  Read the fine print in the patch.. it's just
>> making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the
>> support window of the product.
>>
>> It is just a DOS.  I DOS myself after patch Tuesday sometimes with
>> mere patch issues.  Also the risk of this appears low, the potential
>> for someone coding up an attack low... I have bigger risks from fake
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect
>> such energy? I don't see that it is.  Give me more information that
>> it is a risk and I may change my mind, but right now, I'm just not
>> seeing that it's worth it.
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>>
>>> Thank you all for your valuable comments... Indeed I appreciated some of the
>>> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
>>> like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall solution, I
>>> seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
>>> earlier, they did the exact same thing back in Win2K days... Nothing new
>>> here... :/ As Larry and Thor pointed out, what sux is that despite M$
>>> "PROMISING" that they would continue supporting XP since they didn't exactly
>>> state WHAT they would support, they seem to be legally free to actually get
>>> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from the
>>> "biguns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
>>> suggesting switching to an iptables based protection along with a registry
>>> tweak... ahh the good ol batch firewall :) Would this actually work as a
>>> viable work-around? I realize M$ stated this as such, but given their
>>> current reputation it's really hard to take their word for anything these
>>> days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current attack? Any
>>> suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
>>> you know why!
>>>
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:larry@larryseltzer.com]
>>> Sent: Wednesday, September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Yes, they used the bulletin to soft-pedal the description, but at the
>>> same time I think they send a message about XP users being on shaky
>>> ground. Just because they've got 4+ years of Extended Support Period
>>> left doesn't mean they're going to get first-class treatment.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> larry_seltzer@ziffdavis.com
>>> http://blogs.pcmag.com/securitywatch/
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces@lists.grok.org.uk
>>> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
>>> Bradley
>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's only "default" for people running XP standalone/consumer that are
>>> not even in a home network settings.
>>>
>>> That kinda slices and dices that default down to a VERY narrow sub sub
>>> sub set of customer base.
>>>
>>> (Bottom line, yes, the marketing team definitely got a hold of that
>>> bulletin)
>>>
>>> Thor (Hammer of God) wrote:
>>>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>>>> way of trying to make a point.  To be more explicit:
>>>>
>>>> 1)  If you are publishing a vulnerability for which there is no patch,
>>>> and for which you have no intention of making a patch for, don't tell me
>>>> it's mitigated by ancient, unusable default firewall settings, and don't
>>>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>>>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>>>> you can deploy firewall settings via group policy to mitigate exposure
>>>> when the firewall obviously must be accepting network connections to get
>>>> the settings in the first place. If all it takes is any listening
>>>> service, then you have issues.  It's like telling me that "the solution
>>>> is to take the letter f out of the word "solution."
>>>>
>>>> 2)  Think things through.  If you are going to try to boost sales of
>>>> Win7 to corporate customers by providing free XP VM technology and thus
>>>> play up how important XP is and how many companies still depend upon it
>>>> for business critical application compatibility, don't deploy that
>>>> technology in an other-than-default configuration that is subject to a
>>>> DoS exploit while downplaying the extent that the exploit may be
>>>> leveraged by saying that a "typical" default configuration mitigates it
>>>> while choosing not to ever patch it.  Seems like simple logic points
>>>> to me.
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>> To: Thor (Hammer of God)
>>>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus. Of
>>>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>>>> more security, get appv/medv/whateverv or other virtualization.
>>>>>
>>>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>>>> business app working platform.
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>> P.S.
>>>>>>
>>>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>>>> running an XP vm that gets DoS'd are?
>>>>>>
>>>>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>>>>> take that "old code" and re-market it around compatibility and re-
>>>>>> distribute it with free downloads for Win7 while saying "we won't patch
>>>>>> old code."
>>>>>>
>>>>>> t
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>
>>>>>>> Thanks for the link.  The problem here is that not enough information
>>>>>>> is given, and what IS given is obviously watered down to the point of
>>>>>>> being ineffective.
>>>>>>>
>>>>>>> The quote that stands out most for me:
>>>>>>> <snip>
>>>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>>>>> and we do not use Windows Firewall," read one of the user
>>>>>>>
>>> questions.
>>>
>>>>>>> "We use a third-party vendor firewall product. Even assuming that
>>>>>>>
>>> we
>>>
>>>>>>> use the Windows Firewall, if there are services listening, such as
>>>>>>> remote desktop, wouldnt then Windows XP be vulnerable to this?"
>>>>>>>
>>>>>>> "Servers are a more likely target for this attack, and your
>>>>>>>
>>> firewall
>>>
>>>>>>> should provide additional protections against external exploits,"
>>>>>>> replied Stone and Bryant.
>>>>>>> </snip>
>>>>>>>
>>>>>>> If an employee managing a product that my company owned gave
>>>>>>>
>>> answers
>>>
>>>>>>> like that to a public interview with Computerworld, they would be
>>>>>>>
>>> in
>>>
>>>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>>>> assistance inbound, and once you join to a domain, you obviously
>>>>>>>
>>>>> accept
>>>>>
>>>>>>> necessary domain traffic.  This "no inbound traffic by default so
>>>>>>>
>>>>> you
>>>>>
>>>>>>> are not vulnerable" line is crap.  It was a direct question - "If
>>>>>>>
>>>>> RDP
>>>>>
>>>>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>>>>
>>>>> question.
>>>>>
>>>>>>> Yes, servers are the target.  A firewall should provide added
>>>>>>> protection, maybe.  Rumor is thats what they are for.  Not sure
>>>>>>> really.  What was the question again?"
>>>>>>>
>>>>>>> You dont get "trustworthy" by not answering peoples questions,
>>>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
>>>>>>>
>>>>> help,
>>>>>
>>>>>>> but dont bet on it.  XP code is something like 15 years old now,
>>>>>>>
>>>>> and
>>>>>
>>>>>>> were not going to change it.  Thats the way it is, sorry. Just be
>>>>>>> glad youre using XP and not 2008/vista or youd be patching your
>>>>>>>
>>>>> arse
>>>>>
>>>>>>> off right now."
>>>>>>>
>>>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>>>> stepping questions and not fully exposing the problems, they are
>>>>>>>
>>>>> wrong.
>>>>>
>>>>>>> This just makes it worse. Thats the long answer.  The short answer
>>>>>>>
>>>>> is
>>>>>
>>>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>>>> To: bugtraq@securityfocus.com
>>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
>>>>>>>>
>>> MS09-048?
>>>
>>>>>>>> Reference:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>>>
>>>>>
>>>>>>>> hes_for_you_XP
>>>>>>>>
>>>>>>>> MS claims the patch would require to much overhaul of XP to make
>>>>>>>>
>>> it
>>>
>>>>>>>> worth it, and they may be right.  Who knows how many applications
>>>>>>>>
>>>>>>>>
>>>>>>> might
>>>>>>>
>>>>>>>
>>>>>>>> break that were designed for XP if they have to radically change
>>>>>>>>
>>>>> the
>>>>>
>>>>>>>> TCP/IP stack.  Now, I dont know if the MS speak is true, but it
>>>>>>>> certainly sounds like it is not going to be patched.
>>>>>>>>
>>>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>>>
>>>>>>>>
>>>>>>> system
>>>>>>>
>>>>>>>
>>>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldnt be
>>>>>>>> necessary.
>>>>>>>>
>>>>>>>> -Eric
>>>>>>>>
>>>>>>>> -------- Original Message  --------
>>>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>>>> To: nowhere@devnull.com
>>>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>>>> Date: 9/15/09 3:49 PM
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi Aras,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> users
>>>>>>>
>>>>>>>
>>>>>>>> by not
>>>>>>>>
>>>>>>>>
>>>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Can you cite a reference?
>>>>>>>>>
>>>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>>>
>>>>>>>>>
>>>>>>> should
>>>>>>>
>>>>>>>
>>>>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Home
>>>>>>>>
>>>>>>>>
>>>>>>>>> and XP Pros mainstream support ended in 4/2009, but extended
>>>>>>>>>
>>>>>>>>>
>>>>>>> support
>>>>>>>
>>>>>>>
>>>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>>>>
>>>>> support,
>>>>>
>>>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>>>
>>>>>>>>>     17. What is the Security Update policy?
>>>>>>>>>
>>>>>>>>>     Security updates will be available through the end of the
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Extended
>>>>>>>>
>>>>>>>>
>>>>>>>>>     Support phase (five years of Mainstream Support plus five
>>>>>>>>>
>>>>> years
>>>>>
>>>>>>>> of
>>>>>>>>
>>>>>>>>
>>>>>>>>>     the Extended Support) at no additional cost for most
>>>>>>>>>
>>> products.
>>>
>>>>>>>>>     Security updates will be posted on the Microsoft Update Web
>>>>>>>>>
>>>>>>>>>
>>>>>>> site
>>>>>>>
>>>>>>>
>>>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> "not
>>>>>>>
>>>>>>>
>>>>>>>> being
>>>>>>>>
>>>>>>>>
>>>>>>>>>> feasible because its a lot of work" rhetoric...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Not at all.
>>>>>>>>>
>>>>>>>>> Jeff
>>>>>>>>>
>>>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>>>
>>>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello All:
>>>>>>>>>>
>>>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> users
>>>>>>>
>>>>>>>
>>>>>>>> by not
>>>>>>>>
>>>>>>>>
>>>>>>>>>> issuing a patch for a DoS level issue, Im now curious to find
>>>>>>>>>>
>>>>> out
>>>>>
>>>>>>>> whether
>>>>>>>>
>>>>>>>>
>>>>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>>>>
>>>>> to
>>>>>
>>>>>>>> work on
>>>>>>>>
>>>>>>>>
>>>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>>>
>>>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>>>
>>>>>>>>>>
>>>>>>> "not
>>>>>>>
>>>>>>>
>>>>>>>> being
>>>>>>>>
>>>>>>>>
>>>>>>>>>> feasible because its a lot of work" rhetoric... I would just
>>>>>>>>>>
>>>>> like
>>>>>
>>>>>>>> to hear
>>>>>>>>
>>>>>>>>
>>>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>>>
>>>>>>>>>> No harm in that is there?
>>>>>>>>>>
>>>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>>>> Systems Administrator
>>>>>>>>>> Virginia Tech
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Eric C. Lukens
>>>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>>>> ITS-Network Services
>>>>>>>> Curris Business Building 15
>>>>>>>> University of Northern Iowa
>>>>>>>> Cedar Falls, IA 50614-0121
>>>>>>>> 319-273-7434
>>>>>>>> http://www.uni.edu/elukens/
>>>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>


From: Mailing lists at Core Security Technologies lists@coresecurity.com
Sent: Tue 22. Sep 2009 19:32
Aras "Russ" Memisyazici wrote:
> 
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
> 
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
> 
> Thank you for your time and look forward to some more answers.

Hi,

This _may_ work for you. It includes a port to Windows of OpenBSD's PF
firewall, which provides stateful filtering with packet scrubbing for
inbound and outbound traffic.

http://force.coresecurity.com/index.php?module=base&page=about

*CAVEAT* This is an OLD project that is no longer maintained or
supported. If you use it, you will be on your own.

regards,

-ivan




From: Eric Kimminau eak@kimminau.org
Sent: Tue 15. Sep 2009 17:23
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

http://edge.technet.com/Media/MSRC-Monthly-Security-Bulletin-Webcast-September-2009/

Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
>     17. What is the Security Update policy?
>
>     Security updates will be available through the end of the Extended
>     Support phase (five years of Mainstream Support plus five years of
>     the Extended Support) at no additional cost for most products.
>     Security updates will be posted on the Microsoft Update Web site
>     during both the Mainstream and the Extended Support phase.
>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> <nowhere@devnull.com> wrote:
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>



From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:24
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be
of low impact and thus no patch has been built.

Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
>     17. What is the Security Update policy?
>
>     Security updates will be available through the end of the Extended
>     Support phase (five years of Mainstream Support plus five years of
>     the Extended Support) at no additional cost for most products.
>     Security updates will be posted on the Microsoft Update Web site
>     during both the Mainstream and the Extended Support phase.
>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> <nowhere@devnull.com> wrote:
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>
>



From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:29
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

If Windows XP is listed as an affected product, why is Microsoft
not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
Windows XP Professional x64 Edition Service Pack 2 do not have a
listening service configured in the client firewall and are therefore
not affected by this vulnerability. Windows XP Service Pack 2 and later
operating systems include a stateful host firewall that provides
protection for computers against incoming traffic from the Internet or
from neighboring network devices on a private network. The impact of a
denial of service attack is that a system would become unresponsive due
to memory consumption. However, a successful attack requires a sustained
flood of specially crafted TCP packets, and the system will recover once
the flood ceases. This makes the severity rating Low for Windows XP.
Windows XP is not affected by CVE-2009-1925. Customers running Windows
XP are at reduced risk, and Microsoft recommends they use the firewall
included with the operating system, or a network firewall, to block
access to the affected ports and limit the attack surface from untrusted
networks.

Susan Bradley wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be
> of low impact and thus no patch has been built.
>
> Jeffrey Walton wrote:
>> Hi Aras,
>>
>>> Given that M$ has officially shot-down all current Windows XP users
>>> by not issuing a patch for a DoS level issue,
>> Can you cite a reference?
>>
>> Unless Microsoft has changed their end of life policy [1], XP should
>> be patched for security vulnerabilities until about 2014. Both XP Home
>> and XP Pro's mainstream support ended in 4/2009, but extended support
>> ends in 4/2014 [2]. Given that we know the end of extended support,
>> take a look at bullet 17 of [1]:
>>
>>     17. What is the Security Update policy?
>>
>>     Security updates will be available through the end of the Extended
>>     Support phase (five years of Mainstream Support plus five years of
>>     the Extended Support) at no additional cost for most products.
>>     Security updates will be posted on the Microsoft Update Web site
>>     during both the Mainstream and the Extended Support phase.
>>
>>> I realize some of you might be tempted to relay the M$ BS about "not
>>> being feasible because it's a lot of work" rhetoric...
>> Not at all.
>>
>> Jeff
>>
>> [1] http://support.microsoft.com/gp/lifepolicy
>> [2] http://support.microsoft.com/gp/lifeselect
>>
>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>> <nowhere@devnull.com> wrote:
>>> Hello All:
>>>
>>> Given that M$ has officially shot-down all current Windows XP users
>>> by not issuing a patch for a DoS level issue, I'm now curious to find
>>> out whether or not any brave souls out there are already working or
>>> willing to work on an open-source patch to remediate the issue within
>>> XP.
>>>
>>> I realize some of you might be tempted to relay the M$ BS about "not
>>> being feasible because it's a lot of work" rhetoric... I would just
>>> like to hear the thoughts of the true experts subscribed to these
>>> lists :)
>>>
>>> No harm in that is there?
>>>
>>> Aras "Russ" Memisyazici
>>> Systems Administrator
>>> Virginia Tech
>>>
>>
>
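
The bulletin's "not affected" claim above rests on one condition: no listening service reachable through the client firewall. As an added example (not code from this thread, from Microsoft, or from any list member), the following Python script checks that condition on a single XP host by intersecting the TCP listeners from `netstat -an` with the ports the host firewall currently lets inbound according to `netsh firewall show state`; both sample outputs are constructed, and the netsh table layout the parser expects is an assumption about that command's format.

```python
"""Check the MS09-048 bulletin's 'no listening service configured in the
client firewall' condition on a Windows XP host.

Added example, not from the thread or from Microsoft.  Inputs are the text
of two commands an XP administrator already has: 'netstat -an' and
'netsh firewall show state'.  The samples below are constructed, and the
netsh 'Ports currently open' table layout is an assumption.
"""
import re
from typing import Dict, List, Set

# Constructed sample of 'netstat -an' output (XP style).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:49200     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample of 'netsh firewall show state' output (layout assumed):
# a key = value status block followed by a table of ports currently open.
NETSH_SAMPLE = """
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
139    TCP       IPv4     (null)
445    TCP       IPv4     (null)
"""

# One netstat row in LISTENING state: local address, local port.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
# One row of the netsh open-ports table: port number then protocol.
NETSH_RE = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\b", re.M)


def tcp_listeners(netstat_out: str) -> Dict[int, str]:
    """Map each TCP port in LISTENING state to the address it is bound to.

    Loopback-only listeners are dropped: they cannot be reached from the
    network whatever the firewall does, so they do not count as exposure."""
    listeners: Dict[int, str] = {}
    for addr, port in NETSTAT_RE.findall(netstat_out):
        if addr.startswith("127."):
            continue
        listeners[int(port)] = addr
    return listeners


def firewall_open_tcp_ports(netsh_out: str) -> Set[int]:
    """TCP ports the host firewall currently allows inbound."""
    return {int(p) for p, proto in NETSH_RE.findall(netsh_out) if proto == "TCP"}


def firewall_enabled(netsh_out: str) -> bool:
    """True when the status block reports 'Operational mode = Enable'."""
    m = re.search(r"^Operational mode\s*=\s*(\w+)", netsh_out, re.M)
    return bool(m) and m.group(1).lower() == "enable"


def exposed_ports(netstat_out: str, netsh_out: str) -> List[int]:
    """TCP ports that both have a listener and are reachable inbound.

    A non-empty result means the host does not meet the bulletin's
    condition and falls within the affected population.  With the firewall
    switched off, every non-loopback listener is exposed."""
    listeners = tcp_listeners(netstat_out)
    if not firewall_enabled(netsh_out):
        return sorted(listeners)
    return sorted(set(listeners) & firewall_open_tcp_ports(netsh_out))


if __name__ == "__main__":
    ports = exposed_ports(NETSTAT_SAMPLE, NETSH_SAMPLE)
    if ports:
        print("Listening TCP ports reachable through the host firewall:", ports)
        print("Host does NOT meet the bulletin's 'no listening service' condition.")
    else:
        print("No listener reachable inbound; bulletin condition holds.")
```

On the constructed sample the domain profile lets 139, 445 and 3389 through, which is the situation the thread describes for a domain-joined box with Remote Desktop enabled.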



From: "Eric C. Lukens" eric.lukens@uni.edu
Sent: Tue 15. Sep 2009 16:37
Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric

-------- Original Message  --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader@gmail.com>
To: nowhere@devnull.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: 9/15/09 3:49 PM
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
>     17. What is the Security Update policy?
>
>     Security updates will be available through the end of the Extended
>     Support phase (five years of Mainstream Support plus five years of
>     the Extended Support) at no additional cost for most products.
>     Security updates will be posted on the Microsoft Update Web site
>     during both the Mainstream and the Extended Support phase.
>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> <nowhere@devnull.com> wrote:
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/





From: Jeffrey Walton noloader@gmail.com
Sent: Tue 15. Sep 2009 17:52
Hi Susan,

> Read the bulletin.  Theres no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
* http://support.microsoft.com/gp/lifepolicy
* http://support.microsoft.com/gp/lifeselect

Jeff

On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley <sbradcpa@pacbell.net> wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
>
> Jeffrey Walton wrote:
>>
>> Hi Aras,
>>
>>> Given that M$ has officially shot-down all current Windows XP users by
>>> not issuing a patch for a DoS level issue,
>>
>> Can you cite a reference?
>>
>> Unless Microsoft has changed their end of life policy [1], XP should
>> be patched for security vulnerabilities until about 2014. Both XP Home
>> and XP Pro's mainstream support ended in 4/2009, but extended support
>> ends in 4/2014 [2]. Given that we know the end of extended support,
>> take a look at bullet 17 of [1]:
>>
>>     17. What is the Security Update policy?
>>
>>     Security updates will be available through the end of the Extended
>>     Support phase (five years of Mainstream Support plus five years of
>>     the Extended Support) at no additional cost for most products.
>>     Security updates will be posted on the Microsoft Update Web site
>>     during both the Mainstream and the Extended Support phase.
>>
>>> I realize some of you might be tempted to relay the M$ BS about "not
>>> being feasible because it's a lot of work" rhetoric...
>>
>> Not at all.
>>
>> Jeff
>>
>> [1] http://support.microsoft.com/gp/lifepolicy
>> [2] http://support.microsoft.com/gp/lifeselect
>>
>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>> <nowhere@devnull.com> wrote:
>>>
>>> Hello All:
>>>
>>> Given that M$ has officially shot-down all current Windows XP users by
>>> not issuing a patch for a DoS level issue, I'm now curious to find out
>>> whether or not any brave souls out there are already working or willing
>>> to work on an open-source patch to remediate the issue within XP.
>>>
>>> I realize some of you might be tempted to relay the M$ BS about "not
>>> being feasible because it's a lot of work" rhetoric... I would just
>>> like to hear the thoughts of the true experts subscribed to these
>>> lists :)
>>>
>>> No harm in that is there?
>>>
>>> Aras "Russ" Memisyazici
>>> Systems Administrator
>>> Virginia Tech
>>>
>>
>


From: Matt Riddell matt@venturevoip.com
Sent: Wed 16. Sep 2009 09:53
On 16/09/09 8:49 AM, Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?

http://tech.slashdot.org/article.pl?sid=09/09/15/0131209

-- 
Cheers,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)


From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:55
It's not that they aren't supported per se, just that Microsoft has
deemed the impact of DOS to be low, the ability to patch that platform
impossible/difficult and thus have made a risk calculation accordingly.

Sometimes the architecture is what it is.

Jeffrey Walton wrote:
> Hi Susan,
>
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
> I don't know how I missed that XP/SP2 and above were not being
> patched. It appears that my two references are worthless... I used to
> use them in position papers!
> * http://support.microsoft.com/gp/lifepolicy
> * http://support.microsoft.com/gp/lifeselect
>
> Jeff
>
> On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley <sbradcpa@pacbell.net> wrote:
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
>>
>> Jeffrey Walton wrote:
>>> Hi Aras,
>>>
>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>> not issuing a patch for a DoS level issue,
>>> Can you cite a reference?
>>>
>>> Unless Microsoft has changed their end of life policy [1], XP should
>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>> take a look at bullet 17 of [1]:
>>>
>>>    17. What is the Security Update policy?
>>>
>>>    Security updates will be available through the end of the Extended
>>>    Support phase (five years of Mainstream Support plus five years of
>>>    the Extended Support) at no additional cost for most products.
>>>    Security updates will be posted on the Microsoft Update Web site
>>>    during both the Mainstream and the Extended Support phase.
>>>
>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>> being feasible because it's a lot of work" rhetoric...
>>> Not at all.
>>>
>>> Jeff
>>>
>>> [1] http://support.microsoft.com/gp/lifepolicy
>>> [2] http://support.microsoft.com/gp/lifeselect
>>>
>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>> <nowhere@devnull.com> wrote:
>>>> Hello All:
>>>>
>>>> Given that M$ has officially shot-down all current Windows XP users by
>>>> not issuing a patch for a DoS level issue, I'm now curious to find out
>>>> whether or not any brave souls out there are already working or willing
>>>> to work on an open-source patch to remediate the issue within XP.
>>>>
>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>> being feasible because it's a lot of work" rhetoric... I would just
>>>> like to hear the thoughts of the true experts subscribed to these
>>>> lists :)
>>>>
>>>> No harm in that is there?
>>>>
>>>> Aras "Russ" Memisyazici
>>>> Systems Administrator
>>>> Virginia Tech
>>>>
>>>
>>
>


From: Elizabeth.a.greene@gmail.com
Sent: Tue 15. Sep 2009 21:56
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.

Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."

-eg


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 11:59
Thanks for the link.  The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo.  First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic.  This "no inbound traffic by default so you are not vulnerable" line is crap.  It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A: "Great question. Yes, servers are the target.  A firewall should provide added protection, maybe.  Rumor is that's what they are for.  Not sure really.  What was the question again?"

You don't get "trustworthy" by not answering people's questions, particularly when they are good, obvious questions.  Just be honest about it.  "Yes, XP is vulnerable to a DoS.  Your firewall might help, but don't bet on it.  XP code is something like 15 years old now, and we're not going to change it.  That's the way it is, sorry. Just be glad you're using XP and not 2008/Vista or you'd be patching your arse off right now."

If MSFT thinks they are mitigating public opinion issues by side-stepping questions and not fully exposing the problems, they are wrong.  This just makes it worse. That's the long answer.  The short answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t



> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> Sent: Tuesday, September 15, 2009 2:37 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require too much overhaul of XP to make it
> worth it, and they may be right.  Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DoS anyway, so a patch shouldn't be
> necessary.
>
> -Eric
>
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 11:21
I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a "Low" threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have rated it at least Medium. If I'm wrong about
that then the "Low" rating is misleading.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 12:15
P.S.

Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that gets DoS'd are?

I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."

t



From: Tom Grace tom@deathbycomputers.co.uk
Sent: Wed 16. Sep 2009 16:57
Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value 
adds additional delays to connection indications, and TCP connection 
requests quickly timeout when a SYN attack is in progress. This 
parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you 
set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 
theory, around it... & iirc, "Scalable Windows", via setsockopt API 
calls from an attacker are what the problem is here anyhow & this ought 
to stall it... thoughts/feedback?

APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize 
settings in the registry in TCP/IP Parameters (see registry path above) 
SHOULD also help here also, for servers that can accept MANY connections 
from MANY clients, worldwide, as your specific constraints specify...

Thus, effectively stalling the ability to use TcpWindowScaling is 
stopped by SynAttackProtect too, so an attacking system/app sending a 
setsockopt of 0 for this SHOULD also be nullified, on a server also...

(However/Again - Workstations are easily taken care of , vs. servers, 
just by what I wrote up above either by PORT FILTERING)

IP Security Policies, which can work on ranges of addresses to block, 
OR, single systems as well you either ALLOW or DENY to talk to your 
system, still can help also... vs. a DDOS though? SynAttackProtect is 
your best friend here... you'd use netstat -b -n tcp to see which are 
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR 
WAY (or just by doing it in a router or routing table)... takers anyone, 
on these thoughts (especially for Windows 2000)?

Thanks for your time... apk
UNQUOTE--

Source: http://tech.slashdot.org/comments.pl?sid=1368439&cid=29424787

Susan Bradley wrote:
> It's not that they aren't supported per se, just that Microsoft has 
> deemed the impact of DoS to be low, the ability to patch that platform 
> impossible/difficult and thus have made a risk calculation accordingly.
> 
> Sometimes the architecture is what it is.
> 
> Jeffrey Walton wrote:
>> Hi Susan,
>>
>>
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to 
>>> be of
>>> low impact and thus no patch has been built.
>>>
>> I don't know how I missed that XP/SP2 and above were not being
>> patched. It appears that my two references are worthless... I used to
>> use them in position papers!
>> * http://support.microsoft.com/gp/lifepolicy
>> * http://support.microsoft.com/gp/lifeselect
>>
>> Jeff
>>

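The thread argues in the abstract about whether an XP box "has listening services", whether the built-in firewall actually covers them (Elizabeth Greene's quote from the bulletin, Thor's point about Remote Assistance and domain traffic, his "TCP or UDP?" question), and what the Tcpip\Parameters values in the quoted Slashdot post are set to. The script below, an added example that is not code from any poster, from Microsoft or from the Slashdot comment, answers those questions for one host: it lists every listening TCP socket and bound UDP socket with its owning process, compares them against the ports the XP firewall reports open, and reads the registry values the quoted post names (its "GlobalTcpWindowSize" is read under the documented name GlobalMaxTcpWindowSize; Tcp1323Opts, the window-scaling switch, is added because the post talks about scalable windows). It assumes PowerShell is installed on an XP SP2/SP3 host, that the Windows Firewall (not a third-party product) is the one in use, and that netsh prints its English output format. It is read-only and does not assert that any of these values mitigates MS09-048, only what is configured.

```powershell
# Added example, not part of the thread. Read-only inventory for one XP SP2/SP3
# host: what listens, which of those ports the built-in firewall reports open,
# and what the Tcpip\Parameters values mentioned in the thread are set to.
# Assumes PowerShell is installed and the Windows Firewall (not a third-party
# product) is in use. Nothing here claims to mitigate MS09-048.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# `netstat -ano` rows: TCP = Proto Local Foreign State PID; UDP = Proto Local Foreign PID.
# Keep TCP sockets in LISTENING state and every bound UDP socket.
function Get-ListeningSockets {
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { return }   # connected/half-open: skip
        if ($f[0] -eq 'TCP') { $owner = [int]$f[4] } else { $owner = [int]$f[3] }
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        if ($proc) { $name = $proc.ProcessName } else { $name = 'unknown' }
        New-Object PSObject -Property @{
            Proto    = $f[0]
            Local    = $f[1]
            Port     = [int]($f[1] -replace '^.*:', '')           # also handles [::]:135
            Loopback = [bool]($f[1] -match '^(127\.|\[::1\])')    # not reachable from the wire
            Owner    = $owner
            Process  = $name
        }
    }
}

# `netsh firewall show state` (the XP SP2+ "netsh firewall" context): pick up the
# "Operational mode = Enable|Disable" line and the "Ports currently open" table,
# whose rows look like "139    TCP       Any      (null)".
function Get-XpFirewallState {
    $mode = $null
    $open = @()
    foreach ($line in (netsh firewall show state)) {
        if ($line -match 'Operational mode\s*=\s*(\w+)') { $mode = $matches[1] }
        if ($line -match '^\s*(\d+)\s+(TCP|UDP)\s+(\S+)\s+(.*)$') {
            $open += New-Object PSObject -Property @{
                Port = [int]$matches[1]; Proto = $matches[2]; Program = $matches[4].Trim()
            }
        }
    }
    New-Object PSObject -Property @{ Mode = $mode; OpenPorts = $open }
}

# Values named in the quoted Slashdot post, under their documented registry names.
# A missing value means the stack default applies; no claim is made about what that is.
function Get-TcpipParameters {
    $props = Get-ItemProperty -Path $TcpipParams
    foreach ($n in 'SynAttackProtect', 'TcpWindowSize', 'GlobalMaxTcpWindowSize', 'Tcp1323Opts') {
        $v = $props.$n
        if ($v -eq $null) { $v = 'not set (stack default)' }
        New-Object PSObject -Property @{ Name = $n; Value = $v }
    }
}

# A listener is marked exposed when the firewall is not reported as enabled (also
# the case when the mode line could not be parsed, which is the safe reading) or
# when its port/protocol appears in the open-port table. Loopback-only sockets are
# listed but never marked exposed.
function Get-ExposedListeners {
    $fw = Get-XpFirewallState
    foreach ($s in Get-ListeningSockets) {
        $hole = $fw.OpenPorts | Where-Object { $_.Port -eq $s.Port -and $_.Proto -eq $s.Proto }
        $exposed = (-not $s.Loopback) -and (($fw.Mode -ne 'Enable') -or ($hole -ne $null))
        if ($hole) { $via = $hole.Program } else { $via = '' }
        $s | Add-Member -MemberType NoteProperty -Name FirewallHole -Value $via -PassThru |
             Add-Member -MemberType NoteProperty -Name Exposed -Value $exposed -PassThru
    }
}

Get-TcpipParameters | Format-Table Name, Value -AutoSize
Get-ExposedListeners | Sort-Object Proto, Port |
    Format-Table Proto, Port, Local, Process, FirewallHole, Exposed -AutoSize
```

Run it from an administrator prompt; `netstat -o` needs that to map every socket to a PID. Two caveats a practitioner will hit: with a third-party firewall in place the netsh view says nothing about what is actually filtered, so only the listener list is meaningful; and program exceptions (Remote Assistance is one on a default SP2 install, which is Thor's point) open whatever ports the program binds while it runs, so also look at `netsh firewall show allowedprogram` rather than trusting the port table alone.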

From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 09:00
Only if you are a consumer.  In a network we ALL have listening ports 
out there.

Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg



From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 13:31
Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack itself, exploitation information must be explicit and definitive.  I'm fine with risk classification, and I appreciate efforts to categorize risk into manageable exposure metrics, but we shouldn't have to infer potential vulnerability information from vague disclosure data.  I know many response teams base patch paths on the published severity, but one also has to be able to make decisions on their own.  For me, no big deal.  But it's not that simple for others.

But there's not enough information for me to make that call.  Is it for ANY "listening service?"  TCP or UDP?  Does the "stateful" firewall introduced in subsequent versions stop it?

The answers are "yes," "yes," and "no."  They should just say that.  Is it "low" because the firewall doesn't have any exceptions by default?  If so, that's silly.  Everyone using XP for anything has incoming connections for something, and well known if on a domain.  I feel sorry for Diebold and NEC with all the ATMs out there running XP, but fortunately, I'm not responsible for clients using their systems anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real, straight-forward, no-nonsense information and technical sleight of hand.  The information should be painfully obvious, not obviously painful.

t




> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>=20
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,
> they probably would have rated it at least Medium. If Im wrong about
> that then the "Low" rating is misleading.
>=20
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>=20
>=20
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, September 16, 2009 11:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>=20
> Thanks for the link.  The problem here is that not enough information
> is
> given, and what IS given is obviously watered down to the point of
> being
> ineffective.
>=20
> The quote that stands out most for me:
> <snip>
> During the Q&A, however, Windows users repeatedly asked Microsofts
> security team to explain why it wasnt patching XP, or if, in certain
> scenarios, their machines might be at risk. "We still use Windows XP
> and
> we do not use Windows Firewall," read one of the user questions. "We
> use
> a third-party vendor firewall product. Even assuming that we use the
> Windows Firewall, if there are services listening, such as remote
> desktop, wouldnt then Windows XP be vulnerable to this?"
>=20
> "Servers are a more likely target for this attack, and your firewall
> should provide additional protections against external exploits,"
> replied Stone and Bryant.
> </snip>
>=20
> If an employee managing a product that my company owned gave answers
> like that to a public interview with Computerworld, they would be in
> deep doo.  First off, my default install of XP Pro SP2 has remote
> assistance inbound, and once you join to a domain, you obviously accept
> necessary domain traffic.  This "no inbound traffic by default so you
> are not vulnerable" line is crap.  It was a direct question - "If RDP
> is
> allowed through the firewall, are we vulnerable?" A:"Great question.
> Yes, servers are the target.  A firewall should provide added
> protection, maybe.  Rumor is thats what they are for.  Not sure
> really.
> What was the question again?"
>=20
> You dont get "trustworthy" by not answering peoples questions,
> particularly when they are good, obvious questions.  Just be honest
> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> but dont bet on it.  XP code is something like 15 years old now, and
> were not going to change it.  Thats the way it is, sorry. Just be
> glad
> youre using XP and not 2008/vista or youd be patching your arse off
> right now."
>=20
> If MSFT thinks they are mitigating public opinion issues by
> side-stepping questions and not fully exposing the problems, they are
> wrong.  This just makes it worse. Thats the long answer.  The short
> answer is "XP is vulnerable to a DoS, and a patch is not being
> offered."
>=20
> t
>=20
>=20
>=20
> > -----Original Message-----
> > From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> > disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> > Sent: Tuesday, September 15, 2009 2:37 PM
> > To: bugtraq@securityfocus.com
> > Cc: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >
> > Reference:
> >
> > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
> >
> > MS claims the patch would require too much overhaul of XP to make it
> > worth it, and they may be right.  Who knows how many applications might
> > break that were designed for XP if they have to radically change the
> > TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> > certainly sounds like it is not going to be patched.
> >
> > The other side of the MS claim is that a properly-firewalled XP system
> > would not be vulnerable to a DoS anyway, so a patch shouldn't be
> > necessary.
> >
> > -Eric
> >
> > --
> > Eric C. Lukens
> > IT Security Policy and Risk Assessment Analyst
> > ITS-Network Services
> > Curris Business Building 15
> > University of Northern Iowa
> > Cedar Falls, IA 50614-0121
> > 319-273-7434
> > http://www.uni.edu/elukens/
> > http://weblogs.uni.edu/elukens/
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 10:16
It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
course it's vulnerable to any and all gobs of stuff out there.  But its
goal and intent is to allow small shops to deploy Win7.  If you need
more security, get appv/medv/whateverv or other virtualization.

It's not a security platform.  It's a "get the stupid 16 bit line of
business app working" platform.

Thor (Hammer of God) wrote:
> P.S.
>
> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable, and what the implications are for a host running an XP VM that gets DoS'd?
>
> I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
>
> t
>
>> -----Original Message-----
>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, September 16, 2009 8:00 AM
>> To: Eric C. Lukens; bugtraq@securityfocus.com
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> Thanks for the link.  The problem here is that not enough information
>> is given, and what IS given is obviously watered down to the point of
>> being ineffective.
>>
>> The quote that stands out most for me:
>> <snip>
>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>> security team to explain why it wasn't patching XP, or if, in certain
>> scenarios, their machines might be at risk. "We still use Windows XP
>> and we do not use Windows Firewall," read one of the user questions.
>> "We use a third-party vendor firewall product. Even assuming that we
>> use the Windows Firewall, if there are services listening, such as
>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>
>> "Servers are a more likely target for this attack, and your firewall
>> should provide additional protections against external exploits,"
>> replied Stone and Bryant.
>> </snip>
>>
>> If an employee managing a product that my company owned gave answers
>> like that to a public interview with Computerworld, they would be in
>> deep doo.  First off, my default install of XP Pro SP2 has remote
>> assistance inbound, and once you join to a domain, you obviously accept
>> necessary domain traffic.  This "no inbound traffic by default so you
>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>> is allowed through the firewall, are we vulnerable?" A: "Great question.
>> Yes, servers are the target.  A firewall should provide added
>> protection, maybe.  Rumor is that's what they are for.  Not sure
>> really.  What was the question again?"
>>
>> You don't get "trustworthy" by not answering people's questions,
>> particularly when they are good, obvious questions.  Just be honest
>> about it.  "Yes, XP is vulnerable to a DoS.  Your firewall might help,
>> but don't bet on it.  XP code is something like 15 years old now, and
>> we're not going to change it.  That's the way it is, sorry. Just be
>> glad you're using XP and not 2008/Vista or you'd be patching your arse
>> off right now."
>>
>> If MSFT thinks they are mitigating public opinion issues by side-
>> stepping questions and not fully exposing the problems, they are wrong.
>> This just makes it worse. That's the long answer.  The short answer is
>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>
>> t
>>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 11:25
It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of the customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word 'solution.'"
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.
>
> t


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 15:23
Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word 'solution.'"

2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.

t

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Wednesday, September 16, 2009 10:16 AM
> To: Thor (Hammer of God)
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
> course it's vulnerable to any and all gobs of stuff out there.  But its
> goal and intent is to allow small shops to deploy Win7.  If you need
> more security, get appv/medv/whateverv or other virtualization.
>
> It's not a security platform.  It's a "get the stupid 16 bit line of
> business app working" platform.
>
> Thor (Hammer of God) wrote:
> > P.S.
> >
> > Anyone check to see if the default "XP Mode" VM you get for free with
> Win7 hyperv is vulnerable and what the implications are for a host
> running an XP vm that gets DoSd are?
> >
> > I get the whole "XP code to too old to care" bit, but it seems odd to
> take that "old code" and re-market it around compatibility and re-
> distribute it with free downloads for Win7 while saying "we wont patch
> old code."
> >
> > t
> >
> >
> >> -----Original Message-----
> >> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of
> God)
> >> Sent: Wednesday, September 16, 2009 8:00 AM
> >> To: Eric C. Lukens; bugtraq@securityfocus.com
> >> Cc: full-disclosure@lists.grok.org.uk
> >> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>
> >> Thanks for the link.  The problem here is that not enough
> information
> >> is given, and what IS given is obviously watered down to the point
> of
> >> being ineffective.
> >>
> >> The quote that stands out most for me:
> >> <snip>
> >> During the Q&A, however, Windows users repeatedly asked Microsofts
> >> security team to explain why it wasnt patching XP, or if, in
> certain
> >> scenarios, their machines might be at risk. "We still use Windows XP
> >> and we do not use Windows Firewall," read one of the user questions.
> >> "We use a third-party vendor firewall product. Even assuming that we
> >> use the Windows Firewall, if there are services listening, such as
> >> remote desktop, wouldnt then Windows XP be vulnerable to this?"
> >>
> >> "Servers are a more likely target for this attack, and your firewall
> >> should provide additional protections against external exploits,"
> >> replied Stone and Bryant.
> >> </snip>
> >>
> >> If an employee managing a product that my company owned gave answers
> >> like that to a public interview with Computerworld, they would be in
> >> deep doo.  First off, my default install of XP Pro SP2 has remote
> >> assistance inbound, and once you join to a domain, you obviously
> accept
> >> necessary domain traffic.  This "no inbound traffic by default so
> you
> >> are not vulnerable" line is crap.  It was a direct question - "If
> RDP
> >> is allowed through the firewall, are we vulnerable?" A:"Great
> question.
> >> Yes, servers are the target.  A firewall should provide added
> >> protection, maybe.  Rumor is thats what they are for.  Not sure
> >> really.  What was the question again?"
> >>
> >> You dont get "trustworthy" by not answering peoples questions,
> >> particularly when they are good, obvious questions.  Just be honest
> >> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
> help,
> >> but dont bet on it.  XP code is something like 15 years old now,
> and
> >> were not going to change it.  Thats the way it is, sorry. Just be
> >> glad youre using XP and not 2008/vista or youd be patching your
> arse
> >> off right now."
> >>
> >> If MSFT thinks they are mitigating public opinion issues by side-
> >> stepping questions and not fully exposing the problems, they are
> wrong.
> >> This just makes it worse. Thats the long answer.  The short answer
> is
> >> "XP is vulnerable to a DoS, and a patch is not being offered."
> >>
> >> t
> >>
> >>
> >>
> >>
> >>> -----Original Message-----
> >>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> >>> Sent: Tuesday, September 15, 2009 2:37 PM
> >>> To: bugtraq@securityfocus.com
> >>> Cc: full-disclosure@lists.grok.org.uk
> >>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>>
> >>> Reference:
> >>>
> >>>
> >>>
> >>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
> >>
> >>> hes_for_you_XP
> >>>
> >>> MS claims the patch would require to much overhaul of XP to make it
> >>> worth it, and they may be right.  Who knows how many applications
> >>>
> >> might
> >>
> >>> break that were designed for XP if they have to radically change
> the
> >>> TCP/IP stack.  Now, I dont know if the MS speak is true, but it
> >>> certainly sounds like it is not going to be patched.
> >>>
> >>> The other side of the MS claim is that a properly-firewalled XP
> >>>
> >> system
> >>
> >>> would not be vulnerable to a DOS anyway, so a patch shouldnt be
> >>> necessary.
> >>>
> >>> -Eric
> >>>
> >>> --
> >>> Eric C. Lukens
> >>> IT Security Policy and Risk Assessment Analyst
> >>> ITS-Network Services
> >>> Curris Business Building 15
> >>> University of Northern Iowa
> >>> Cedar Falls, IA 50614-0121
> >>> 319-273-7434
> >>> http://www.uni.edu/elukens/
> >>> http://weblogs.uni.edu/elukens/
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/


From: Rob Thompson my.security.lists@gmail.com
Sent: Wed 16. Sep 2009 11:24
Susan Bradley wrote:
> Only if you are a consumer.  In a network we ALL have listening ports
> out there.

This is simply Microsoft's way of forcing you to upgrade your OS.  They
pulled the same shenanigans with Windows 2000, if you do not recall.

I'd have to say, it's time to re-evaluate where you are funneling your
$$$.  If the vendor that you PAID your hard earned dollars to is not
supporting their product like they said they would, then it's time to
move on.

There are plenty of alternatives out there.  No one says you _have_ to
run Windows.

> 
> Elizabeth.a.greene@gmail.com wrote:
>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>> patches for XP because, by default, it runs no listening services or
>> the windows firewall can protect it.
>>
>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>> "If Windows XP is listed as an affected product, why is Microsoft not
>> issuing an update for it?
>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
>> -eg
>>


-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 12:48
Cloud option maybe as we go forward but right now today, this is 
business making the decisions here.

Desktop, if it were that easy we'd have ripped out desktops years ago.

Businesses have to be realistic.  Sometimes there is not "plenty of 
comparable alternatives out there".

Sometimes the boss/business needs/line of business apps dictates you run 
windows.



From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 17:02
Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are
not even in home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle
> way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch,
> and for which you have no intention of making a patch, don't tell me
> it's mitigated by ancient, unusable default firewall settings, and don't
> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
> you can deploy firewall settings via group policy to mitigate exposure
> when the firewall obviously must be accepting network connections to get
> the settings in the first place. If all it takes is any listening
> service, then you have issues.  It's like telling me that "the solution
> is to take the letter f out of the word 'solution.'"
>
> 2)  Think things through.  If you are going to try to boost sales of
> Win7 to corporate customers by providing free XP VM technology and thus
> play up how important XP is and how many companies still depend upon it
> for business critical application compatibility, don't deploy that
> technology in an other-than-default configuration that is subject to a
> DoS exploit while downplaying the extent that the exploit may be
> leveraged by saying that a "typical" default configuration mitigates it
> while choosing not to ever patch it.    Seems like simple logic points
> to me.
>
> t
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But its
>> goal and intent is to allow small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a get the stupid 16 bit line of
>> business app working platform.
>>
>> Thor (Hammer of God) wrote:
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP vm that gets DoS'd are?
>>>
>>> I get the whole "XP code too old to care" bit, but it seems odd to
>>> take that "old code" and re-market it around compatibility and re-
>>> distribute it with free downloads for Win7 while saying "we won't patch
>>> old code."
>>>
>>> t
>>>
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>> Cc: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough information
>>>> is given, and what IS given is obviously watered down to the point of
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>> is allowed through the firewall, are we vulnerable?" A: "Great question.
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>> This just makes it worse. That's the long answer.  The short answer is
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>
>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>> break that were designed for XP if they have to radically change the
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>


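The bulletin text quoted in Elizabeth Greene's message and Thor's rebuttal above (Remote Assistance allowed inbound on a default XP Pro SP2 install, domain traffic once joined, RDP) both come down to one question: does a given XP box actually have a listening service reachable through an enabled firewall exception? The batch script below is an added example written for this page; it is not something posted in the thread and not Microsoft's guidance. It dumps the XP SP2/SP3 Windows Firewall state through the "netsh firewall" context and the live TCP listeners, and, when run with --restrict, narrows the Remote Desktop and Remote Assistance exceptions to a trusted subnet and stops honouring exceptions on the Standard profile, which is the bulletin's "block access to the affected ports and limit the attack surface from untrusted networks" advice applied on the host itself. The 10.0.0.0/8 subnet and the script name are assumptions; adjust them to your network. It needs an administrative cmd.exe on XP SP2 or later, since the netsh firewall context does not exist before SP2.

```batch
@echo off
REM xp_ms09048_exposure.cmd -- added example for this page, not code from the
REM thread or from Microsoft.  Audits what an XP SP2/SP3 host really exposes
REM through the Windows Firewall, then (with --restrict) scopes the inbound
REM exceptions the thread talks about to a trusted subnet.
REM Run from an administrative cmd.exe.
REM ASSUMPTION: 10.0.0.0/8 is the management network you trust; change it.
setlocal
set "TRUSTED=10.0.0.0/8"

echo === Firewall operational mode, per profile (Domain / Standard) ===
netsh firewall show opmode

echo.
echo === Inbound exceptions: ports, programs, built-in service groups ===
REM Anything listed as Enable with Scope=All is reachable from every network
REM the box sits on, not just the local subnet.
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show service

echo.
echo === Live TCP listeners with owning PID ===
REM Cross-check: a LISTENING socket is only reachable if an exception above
REM covers its port, its program, or its service group.
netstat -ano | findstr /C:"LISTENING"

echo.
echo === Terminal Services / Remote Assistance switches ===
REM fDenyTSConnections = 0x0 means Remote Desktop accepts connections (TCP/3389).
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
REM fAllowToGetHelp = 0x1 means Remote Assistance invitations are accepted.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp

if /I not "%~1"=="--restrict" goto :done

echo.
echo === Restricting inbound exceptions to %TRUSTED% ===
REM Remote Desktop is a built-in service group and takes a scope directly.
REM (FILEANDPRINT takes the same form if you need it scoped as well.)
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%TRUSTED% profile=ALL
REM Remote Assistance is a program exception on sessmgr.exe, so re-add it scoped.
netsh firewall set allowedprogram program=%SystemRoot%\system32\sessmgr.exe name="Remote Assistance" mode=ENABLE scope=CUSTOM addresses=%TRUSTED% profile=ALL
REM On the Standard profile (any network that is not the domain) honour no
REM exceptions at all; keep the now subnet-scoped ones on the Domain profile.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

echo.
echo === Re-check ===
netsh firewall show opmode
netsh firewall show service
netsh firewall show allowedprogram

:done
endlocal
```

Run it once without arguments on a domain-joined client and compare the Domain and Standard profile output against what netstat shows listening: any LISTENING port whose port, program or service group is Enable with Scope=All is exposed to every network the machine connects to, which is the case the bulletin's "not affected by default" wording does not cover. Scoping to a subnet does not remove the DoS condition from the TCP/IP stack; it only limits who can reach the listener, so a host on the trusted subnet can still trigger it.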

From: "Aras "Russ" Memisyazici" nowhere@devnull.com
Sent: Wed 16. Sep 2009 18:39
:)

Thank you all for your valuable comments... Indeed I appreciated some of the
links/info extended (Susan, Thor and Tom). However, in the end, it sounded
like:

a) As a sysadmin in charge of maintaining XP systems along with a whole
shebang of other mixed setups, unless I deploy a "better" firewall solution, I
seem to be SOL.

b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
earlier, they did the exact same thing back in Win2K days... Nothing new
here... :/ As Larry and Thor pointed out, what sux is that despite M$
"PROMISING" that they would continue supporting XP, since they didn't exactly
state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman tactics when it comes
to promises...

So... with all this commentary, in the end, I still didn't read from the
"biguns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days back when people who cared would
:) In the end I realize, it sounds like a total overhaul of the TCP/IP
stack is required; but does it really have to be? Really?

How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
suggesting switching to an iptables-based protection along with a registry
tweak... ahh the good ol' batch firewall :) Would this actually work as a
viable work-around? I realize M$ stated this as such, but given their
current reputation it's really hard to take their word for anything these
days :P

What free/cheap client-level-IPS solutions block this current attack? Any
suggestions?

Thank you for your time and look forward to some more answers.

Sincerely,
Aras "Russ" Memisyazici
arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
you know why!

Systems Administrator
Virginia Tech

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 07:59
<jaded mode off>

I know too many of the good geeks behind Microsoft and I do trust that
this IS NOT a plot to sell more Win7.  Granted the marketing folks spun
this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
architecture in XP just isn't there.  It's a 10 year old platform that
sometimes you can't bolt on this stuff afterwards.  Even in Vista, it's
not truly fixing the issue, merely making the system more resilient to
attacks.  Read the fine print in the patch... it's just making the system
kill a session and recover better.

I am not a fan of third party because you bring yourself outside the
support window of the product.

It is just a DOS.  I DOS myself after patch Tuesday sometimes with mere
patch issues.  Also the risk of this appears low, the potential for
someone coding up an attack low... I have bigger risks from fake A/V at me.

Is this truly the risk that one has to take such actions and expect such
energy?

I don't see that it is.  Give me more information that it is a risk and
I may change my mind, but right now, I'm just not seeing that it's worth it.



Aras "Russ" Memisyazici wrote:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP since they didn't exactly
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "biguns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
> you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because they've got 4+ years of Extended Support Period
> left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
> Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's only "default" for people running XP standalone/consumer that are
> not even in a home network settings.
>
> That kinda slices and dices that default down to a VERY narrow sub sub
> sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that
> bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>> way of trying to make a point.  To be more explicit:
>>
>> 1)  If you are publishing a vulnerability for which there is no patch,
>> and for which you have no intention of making a patch for, don't tell me
>> it's mitigated by ancient, unusable default firewall settings, and don't
>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>> you can deploy firewall settings via group policy to mitigate exposure
>> when the firewall obviously must be accepting network connections to get
>> the settings in the first place. If all it takes is any listening
>> service, then you have issues.  It's like telling me that "the solution
>> is to take the letter f out of the word "solution."
>>
>> 2)  Think things through.  If you are going to try to boost sales of
>> Win7 to corporate customers by providing free XP VM technology and thus
>> play up how important XP is and how many companies still depend upon it
>> for business critical application compatibility, don't deploy that
>> technology in an other-than-default configuration that is subject to a
>> DoS exploit while downplaying the extent that the exploit may be
>> leveraged by saying that a "typical" default configuration mitigates it
>> while choosing not to ever patch it.    Seems like simple logic points
>> to me.
>>
>> t
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>> more security, get appv/medv/whateverv or other virtualization.
>>>
>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>> business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>> running an XP vm that gets DoS'd are?
>>>>
>>>> I get the whole "XP code to too old to care" bit, but it seems odd to
>>>> take that "old code" and re-market it around compatibility and re-
>>>> distribute it with free downloads for Win7 while saying "we won't patch
>>>> old code."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link.  The problem here is that not enough information
>>>>> is given, and what IS given is obviously watered down to the point of
>>>>> being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>>> and we do not use Windows Firewall," read one of the user questions.
>>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>>> use the Windows Firewall, if there are services listening, such as
>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your firewall
>>>>> should provide additional protections against external exploits,"
>>>>> replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave answers
>>>>> like that to a public interview with Computerworld, they would be in
>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>>> Yes, servers are the target.  A firewall should provide added
>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>> really.  What was the question again?"
>>>>>
>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>>> This just makes it worse. That's the long answer.  The short answer is
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@securityfocus.com
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>
>>>>>> Reference:
>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>>> break that were designed for XP if they have to radically change the
>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>> To: nowhere@devnull.com
>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not
>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP should
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the Extended
>>>>>>>     Support phase (five years of Mainstream Support plus five years of
>>>>>>>     the Extended Support) at no additional cost for most products.
>>>>>>>     Security updates will be posted on the Microsoft Update Web site
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>>>>> being feasible because it's a lot of work" rhetoric...
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not
>>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>>>>>>>> or not any brave souls out there are already working or willing to work on
>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>>>>> being feasible because it's a lot of work" rhetoric... I would just like
>>>>>>>> to hear the thoughts of the true experts subscribed to these lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


From: John Morrison john.morrison101@googlemail.com
Sent: Thu 17. Sep 2009 16:29
On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?


2009/9/16 Aras "Russ" Memisyazici <nowhere@devnull.com>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of =
the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution=
, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stat=
ed
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP since they didnt exac=
tly
> state WHAT they would support, they seem to be legally free to actually g=
et
> away with this BS *sigh* gotta love insurance-salesman-tactics when it co=
mes
> to promises...
>
> So... with all this commentary, in the end, I still didnt read from the
> "biguns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared wo=
uld
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless Im misunderstanding, he=
s
> suggesting switching to an iptables based protection along with a registr=
y
> tweak... ahh the good ol batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation its really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu =A0--> I set my return addy to /dev/null for... w=
ell
> you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because theyve got 4+ years of Extended Support Period
> left doesnt mean theyre going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
> Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Its only "default" for people running XP standalone/consumer that are
> not even in a home network settings.
>
> That kinda slices and dices that default down to a VERY narrow sub sub
> sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that
> bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what its for ;) =A0That was just my subtle
> way of trying to make a point. =A0To be more explicit:
>>
>> 1) =A0If you are publishing a vulnerability for which there is no patch,
> and for which you have no intention of making a patch for, dont tell me
> its mitigated by ancient, unusable default firewall settings, and dont
> withhold explicit details. =A0Say "THERE WILL BE NO PATCH, EVER. =A0HERE=
S
> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." =A0Also, dont sa=
y
> you can deploy firewall settings via group policy to mitigate exposure
> when the firewall obviously must be accepting network connections to get
> the settings in the first place. If all it takes is any listening
> service, then you have issues. =A0Its like telling me that "the solution
> is to take the letter f out of the word "solution."
>>
>> 2) =A0Think things through. =A0If you are going to try to boot sales of
> Win7 to corporate customers by providing free XP VM technology and thus
> play up how important XP is and how many companies still depend upon it
> for business critical application compatibility, dont deploy that
> technology in an other-than-default configuration that is subject to a
> DoS exploit while downplaying the extent that the exploit may be
> leveraged by saying that a "typical" default configuration mitigates it
> while choosing not to ever patch it. =A0 =A0Seems like simple logic point=
s
> to me.
>>
>> t
>>
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Its XP. =A0Running in RDP mode. =A0Its got IE6, and wants antivirus.
> Of
>>> course its vulnerable to any and all gobs of stuff out there. =A0But
>>> its
>>> goal and intent is to allow Small shops to deploy Win7. =A0If you need
>>> more security, get appv/medv/whateverv or other virtualization.
>>>
>>> Its not a security platform. =A0Its a get the stupid 16 bit line of
>>> business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free
> with
>>>>
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP vm that gets DoSd are?
>>>
>>>> I get the whole "XP code to too old to care" bit, but it seems odd
> to
>>>>
>>> take that "old code" and re-market it around compatibility and re-
>>> distribute it with free downloads for Win7 while saying "we wont
> patch
>>> old code."
>>>
>>>> t
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of
>>>>>
>>> God)
>>>
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link. =A0The problem here is that not enough
>>>>>
>>> information
>>>
>>>>> is given, and what IS given is obviously watered down to the point
>>>>>
>>> of
>>>
>>>>> being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsofts
>>>>> security team to explain why it wasnt patching XP, or if, in
>>>>>
>>> certain
>>>
>>>>> scenarios, their machines might be at risk. "We still use Windows
> XP
>>>>> and we do not use Windows Firewall," read one of the user
> questions.
>>>>> "We use a third-party vendor firewall product. Even assuming that
> we
>>>>> use the Windows Firewall, if there are services listening, such as
>>>>> remote desktop, wouldnt then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your
> firewall
>>>>> should provide additional protections against external exploits,"
>>>>> replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave
> answers
>>>>> like that to a public interview with Computerworld, they would be
> in
>>>>> deep doo. =A0First off, my default install of XP Pro SP2 has remote
>>>>> assistance inbound, and once you join to a domain, you obviously
>>>>>
>>> accept
>>>
>>>>> necessary domain traffic. =A0This "no inbound traffic by default so
>>>>>
>>> you
>>>
>>>>> are not vulnerable" line is crap. =A0It was a direct question - "If
>>>>>
>>> RDP
>>>
>>>>> is allowed through the firewall, are we vulnerable?" A:"Great
>>>>>
>>> question.
>>>
>>>>> Yes, servers are the target. =A0A firewall should provide added
>>>>> protection, maybe. =A0Rumor is thats what they are for. =A0Not sure
>>>>> really. =A0What was the question again?"
>>>>>
>>>>> You dont get "trustworthy" by not answering peoples questions,
>>>>> particularly when they are good, obvious questions. =A0Just be honest
>>>>> about it. =A0"Yes, XP is vulnerable to a DOS. =A0Your firewall might
>>>>>
>>> help,
>>>
>>>>> but dont bet on it. =A0XP code is something like 15 years old now,
>>>>>
>>> and
>>>
>>>>> were not going to change it. =A0Thats the way it is, sorry. Just be
>>>>> glad youre using XP and not 2008/vista or youd be patching your
>>>>>
>>> arse
>>>
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are
>>>>>
>>> wrong.
>>>
>>>>> This just makes it worse. Thats the long answer. =A0The short answer
>>>>>
>>> is
>>>
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 10:16
Good geeks ...not gook geeks.

It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong.  My deepest apologies if anyone reads that
wrong.

Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust 
>> that this
>                          ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7.  Granted the marketing folks spun
>> this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
>> architecture in XP just isn't there.  It's a 10 year old platform
>> that sometimes you can't bolt on this stuff afterwards.  Even in
>> Vista, it's not truly fixing the issue, merely making the system more
>> resilient to attacks.  Read the fine print in the patch.. it's just
>> making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the
>> support window of the product.
>>
>> It is just a DOS.  I DOS myself after patch Tuesday sometimes with
>> mere patch issues.  Also the risk of this appears low, the potential
>> for someone coding up an attack low... I have bigger risks from fake
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect
>> such energy? I don't see that it is.  Give me more information that
>> it is a risk and I may change my mind, but right now, I'm just not
>> seeing that it's worth it.
>>
>>
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>>
>>> Thank you all for your valuable comments... Indeed I appreciated some of the
>>> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
>>> like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall solution, I
>>> seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
>>> earlier, they did the exact same thing back in Win2K days... Nothing new
>>> here... :/ As Larry and Thor pointed out, what sux is that despite M$
>>> "PROMISING" that they would continue supporting XP since they didn't exactly
>>> state WHAT they would support, they seem to be legally free to actually get
>>> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didn't read from the
>>> "biguns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
>>> suggesting switching to an iptables based protection along with a registry
>>> tweak... ahh the good ol' batch firewall :) Would this actually work as a
>>> viable work-around? I realize M$ stated this as such, but given their
>>> current reputation it's really hard to take their word for anything these
>>> days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current attack? Any
>>> suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
>>> you know why!
>>>
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:larry@larryseltzer.com]
>>> Sent: Wednesday, September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Yes, they used the bulletin to soft-pedal the description, but at the
>>> same time I think they send a message about XP users being on shaky
>>> ground. Just because they've got 4+ years of Extended Support Period
>>> left doesn't mean they're going to get first-class treatment.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> larry_seltzer@ziffdavis.com http://blogs.pcmag.com/securitywatch/
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces@lists.grok.org.uk
>>> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
>>> Bradley
>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's only "default" for people running XP standalone/consumer that
>>> are not even in a home network settings.
>>>
>>> That kinda slices and dices that default down to a VERY narrow sub 
>>> sub sub set of customer base.
>>>
>>> (Bottom line, yes, the marketing team definitely got a hold of that 
>>> bulletin)
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>>>> way of trying to make a point.  To be more explicit:
>>>>
>>>> 1)  If you are publishing a vulnerability for which there is no patch,
>>>> and for which you have no intention of making a patch for, don't tell me
>>>> it's mitigated by ancient, unusable default firewall settings, and don't
>>>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>>>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>>>> you can deploy firewall settings via group policy to mitigate exposure
>>>> when the firewall obviously must be accepting network connections to get
>>>> the settings in the first place. If all it takes is any listening
>>>> service, then you have issues.  It's like telling me that "the solution
>>>> is to take the letter f out of the word "solution."
>>>>
>>>> 2)  Think things through.  If you are going to try to boost sales of
>>>> Win7 to corporate customers by providing free XP VM technology and thus
>>>> play up how important XP is and how many companies still depend upon it
>>>> for business critical application compatibility, don't deploy that
>>>> technology in an other-than-default configuration that is subject to a
>>>> DoS exploit while downplaying the extent that the exploit may be
>>>> leveraged by saying that a "typical" default configuration mitigates it
>>>> while choosing not to ever patch it.    Seems like simple logic points
>>>> to me.
>>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>> To: Thor (Hammer of God)
>>>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>>>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>>>> more security, get appv/medv/whateverv or other virtualization.
>>>>>
>>>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>>>> business app working platform.
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>
>>>>>> P.S.
>>>>>>
>>>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>>>> running an XP vm that gets DoS'd are?
>>>>>>
>>>>>> I get the whole "XP code to too old to care" bit, but it seems odd to
>>>>>> take that "old code" and re-market it around compatibility and
>>>>>> re-distribute it with free downloads for Win7 while saying "we won't
>>>>>> patch old code."
>>>>>>
>>>>>> t
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>
>>>>>>> Thanks for the link.  The problem here is that not enough information
>>>>>>> is given, and what IS given is obviously watered down to the point of
>>>>>>> being ineffective.
>>>>>>>
>>>>>>> The quote that stands out most for me:
>>>>>>> <snip>
>>>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>>>>> and we do not use Windows Firewall," read one of the user questions.
>>>>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>>>>> use the Windows Firewall, if there are services listening, such as
>>>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>>>
>>>>>>> "Servers are a more likely target for this attack, and your firewall
>>>>>>> should provide additional protections against external exploits,"
>>>>>>> replied Stone and Bryant.
>>>>>>> </snip>
>>>>>>>
>>>>>>> If an employee managing a product that my company owned gave answers
>>>>>>> like that to a public interview with Computerworld, they would be in
>>>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>>>>> Yes, servers are the target.  A firewall should provide added
>>>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>>>> really.  What was the question again?"
>>>>>>>
>>>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>>>>> off right now."
>>>>>>>
>>>>>>> If MSFT thinks they are mitigating public opinion issues by side-stepping
>>>>>>> questions and not fully exposing the problems, they are wrong.
>>>>>>> This just makes it worse. That's the long answer.  The short answer is
>>>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>>>
>>>>>>> t
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>>>> To: bugtraq@securityfocus.com
>>>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>>>
>>>>>>>> Reference:
>>>>>>>>
>>>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>>>
>>>>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>>>>> break that were designed for XP if they have to radically change the
>>>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>>>> certainly sounds like it is not going to be patched.
>>>>>>>>
>>>>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>>>> necessary.
>>>>>>>>
>>>>>>>> -Eric
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Eric C. Lukens
>>>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>>>> ITS-Network Services
>>>>>>>> Curris Business Building 15
>>>>>>>> University of Northern Iowa
>>>>>>>> Cedar Falls, IA 50614-0121
>>>>>>>> 319-273-7434
>>>>>>>> http://www.uni.edu/elukens/
>>>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>>
>>>
>>>
>>>
>


From: Mailing lists at Core Security Technologies lists@coresecurity.com
Sent: Tue 22. Sep 2009 19:32
Aras "Russ" Memisyazici wrote:
> 
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
> 
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
> 
> Thank you for your time and look forward to some more answers.

Hi,

This _may_ work for you. It includes a port to Windows of OpenBSD's PF
firewall, which provides stateful filtering with packet scrubbing for
inbound and outbound traffic.

http://force.coresecurity.com/index.php?module=base&page=about

*CAVEAT* This is an OLD project that is no longer maintained or
supported. If you use it, you will be on your own.

regards,

-ivan



From: Eric Kimminau eak@kimminau.org
Sent: Tue 15. Sep 2009 17:23
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

http://edge.technet.com/Media/MSRC-Monthly-Security-Bulletin-Webcast-September-2009/




From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:24
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be
of low impact and thus no patch has been built.




From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:29
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

If Windows XP is listed as an affected product, why is Microsoft not
issuing an update for it?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
Windows XP Professional x64 Edition Service Pack 2 do not have a listening
service configured in the client firewall and are therefore not affected by
this vulnerability. Windows XP Service Pack 2 and later operating systems
include a stateful host firewall that provides protection for computers
against incoming traffic from the Internet or from neighboring network
devices on a private network. The impact of a denial of service attack is
that a system would become unresponsive due to memory consumption. However,
a successful attack requires a sustained flood of specially crafted TCP
packets, and the system will recover once the flood ceases. This makes the
severity rating Low for Windows XP. Windows XP is not affected by
CVE-2009-1925. Customers running Windows XP are at reduced risk, and
Microsoft recommends they use the firewall included with the operating
system, or a network firewall, to block access to the affected ports and
limit the attack surface from untrusted networks.


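The bulletin's Low rating rests on one premise, that no listening service is reachable through the host firewall, and the thread's objection is that Remote Desktop, domain membership or a third-party firewall break that premise. As an added example (not code from the thread, from Microsoft or from any firewall product), the script below audits that premise from `netstat -an` output: the netstat text is constructed, and the firewall state and its inbound TCP exceptions are assumed inputs the admin supplies rather than values read from Windows.

```python
"""Check the premise behind the MS09-048 Low rating for Windows XP.

Added example, not code from the thread, from Microsoft or from any
firewall product. Given `netstat -an` style output and the host
firewall's inbound TCP exceptions, it lists the TCP listeners that are
still reachable from the network; the bulletin's mitigation only holds
when that list is empty.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of `netstat -an` output for a domain-joined XP box with
# Remote Desktop enabled (the case raised in the thread); not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1054      192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One TCP socket in LISTENING state. The address may be a bracketed IPv6
# literal, so the greedy group takes everything up to the last colon.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int


def parse_tcp_listeners(netstat_output: str) -> List[Listener]:
    """Return every TCP socket in LISTENING state. UDP sockets and
    established connections are ignored: the bulletin's mitigation is
    about not accepting new inbound TCP connections."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2))))
    return found


def is_loopback(address: str) -> bool:
    """Sockets bound only to loopback cannot be reached from the network."""
    return address.startswith("127.") or address in ("::1", "[::1]")


def exposed_listeners(listeners: Iterable[Listener], firewall_enabled: bool,
                      allowed_ports: Set[int]) -> List[Listener]:
    """Listeners a remote host can actually connect to: not loopback-only,
    and either the host firewall is off or the port carries an inbound
    exception (what a domain join or enabling Remote Desktop adds)."""
    exposed = []
    for lst in listeners:
        if is_loopback(lst.address):
            continue
        if firewall_enabled and lst.port not in allowed_ports:
            continue
        exposed.append(lst)
    return sorted(exposed, key=lambda l: (l.port, l.address))


def mitigation_holds(netstat_output: str, firewall_enabled: bool,
                     allowed_ports: Set[int]) -> bool:
    """True only in the configuration the bulletin describes: a stateful
    host firewall in front of no reachable listening service."""
    listeners = parse_tcp_listeners(netstat_output)
    return not exposed_listeners(listeners, firewall_enabled, allowed_ports)


if __name__ == "__main__":
    # Assumed exception set for a domain member with File and Printer
    # Sharing and Remote Desktop enabled; adjust to the real policy.
    domain_rdp = {135, 139, 445, 3389}
    scenarios = (
        ("firewall on, no exceptions (the bulletin's default)", True, set()),
        ("domain member with Remote Desktop exception", True, domain_rdp),
        ("third-party firewall, Windows Firewall off", False, set()),
    )
    for label, fw_on, allowed in scenarios:
        reachable = exposed_listeners(parse_tcp_listeners(SAMPLE_NETSTAT), fw_on, allowed)
        names = [f"{l.address}:{l.port}" for l in reachable]
        print(f"{label}: mitigation holds = {not reachable}; reachable = {names}")
```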


From: "Eric C. Lukens" eric.lukens@uni.edu
Sent: Tue 15. Sep 2009 16:37
Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric

-------- Original Message  --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader@gmail.com>
To: nowhere@devnull.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: 9/15/09 3:49 PM
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?
>
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pro's mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2]. Given that we know the end of extended support,
> take a look at bullet 17 of [1]:
>
>     17. What is the Security Update policy?
>
>     Security updates will be available through the end of the Extended
>     Support phase (five years of Mainstream Support plus five years of
>     the Extended Support) at no additional cost for most products.
>     Security updates will be posted on the Microsoft Update Web site
>     during both the Mainstream and the Extended Support phase.
>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric...
> Not at all.
>
> Jeff
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect
>
> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> <nowhere@devnull.com> wrote:
>> Hello All:
>>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>> or not any brave souls out there are already working or willing to work on
>> an open-source patch to remediate the issue within XP.
>>
>> I realize some of you might be tempted to relay the M$ BS about "not being
>> feasible because it's a lot of work" rhetoric... I would just like to hear
>> the thoughts of the true experts subscribed to these lists :)
>>
>> No harm in that is there?
>>
>> Aras "Russ" Memisyazici
>> Systems Administrator
>> Virginia Tech
>>

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/





From: Jeffrey Walton noloader@gmail.com
Sent: Tue 15. Sep 2009 17:52
Hi Susan,

> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
* http://support.microsoft.com/gp/lifepolicy
* http://support.microsoft.com/gp/lifeselect

Jeff

On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley <sbradcpa@pacbell.net> wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
>


From: Matt Riddell matt@venturevoip.com
Sent: Wed 16. Sep 2009 09:53
On 16/09/09 8:49 AM, Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?

http://tech.slashdot.org/article.pl?sid=09/09/15/0131209

-- 
Cheers,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)


From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:55
It's not that they aren't supported per se, just that Microsoft has 
deemed the impact of DOS to be low, the ability to patch that platform 
impossible/difficult and thus have made a risk calculation accordingly.

Sometimes the architecture is what it is.

Jeffrey Walton wrote:
> Hi Susan,
>
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
> I don't know how I missed that XP/SP2 and above were not being
> patched. It appears that my two references are worthless... I used to
> use them in position papers!
> * http://support.microsoft.com/gp/lifepolicy
> * http://support.microsoft.com/gp/lifeselect
>
> Jeff
>


From: Elizabeth.a.greene@gmail.com
Sent: Tue 15. Sep 2009 21:56
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the Windows Firewall can protect it.

Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."

-eg
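The bulletin's answer rests on one condition: XP is "not affected" only while no TCP service is listening on a port the firewall lets through. As an added example (not from any poster in this thread), this Python script checks that condition from the text output of `netstat -an`: it lists TCP listeners bound to a network address, filters them against the firewall exceptions the operator supplies (an assumed input, e.g. 3389 for Remote Desktop), and counts half-open SYN_RECEIVED connections per peer. The netstat output embedded below is constructed for illustration, not captured from a real host.

```python
"""Exposure check for the MS09-048 XP argument (added example).

Parses Windows `netstat -an` text, reports TCP listeners reachable from the
network, intersects them with the host-firewall exceptions the operator
supplies, and counts half-open SYN_RECEIVED connections per remote peer.
"""

import re
from collections import Counter

# Constructed sample of `netstat -an` output on an XP host (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.5:40001      SYN_RECEIVED
  TCP    192.168.1.10:3389      203.0.113.5:40002      SYN_RECEIVED
  TCP    192.168.1.10:445       192.168.1.20:50112     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: proto, local ip:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, foreign, state) tuples.

    Header lines and blank lines do not match the pattern and are skipped.
    UDP rows have no state column, so `state` is the empty string for them.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            rows.append((proto, ip, int(port), foreign, state))
    return rows


def network_reachable_listeners(rows):
    """TCP listeners bound to a non-loopback address, sorted by port.

    This is the attack surface the bulletin's "no listening service" claim
    depends on; a loopback-only listener is not reachable from the network.
    """
    return sorted(
        port
        for proto, ip, port, _foreign, state in rows
        if proto == "TCP" and state == "LISTENING" and not ip.startswith("127.")
    )


def half_open_by_peer(rows):
    """Count SYN_RECEIVED entries per remote host.

    A pile-up of half-open connections from one peer is the symptom an
    operator would look for in netstat while a SYN-style DoS is in progress.
    """
    peers = Counter()
    for proto, _ip, _port, foreign, state in rows:
        if proto == "TCP" and state == "SYN_RECEIVED":
            peers[foreign.rsplit(":", 1)[0]] += 1
    return dict(peers)


def exposure_report(text, firewall_allowed_ports):
    """Summarise what an unpatched XP host exposes.

    `firewall_allowed_ports` is an assumed, operator-supplied set of inbound
    exceptions in the host firewall. A listener is exposed only if it is both
    bound to a network address and permitted through the firewall.
    """
    rows = parse_netstat(text)
    listening = network_reachable_listeners(rows)
    exposed = [p for p in listening if p in firewall_allowed_ports]
    return {
        "listening": listening,
        "exposed_through_firewall": exposed,
        "half_open_by_peer": half_open_by_peer(rows),
    }


if __name__ == "__main__":
    # Remote Desktop (3389) allowed through the firewall, as in the thread.
    print(exposure_report(SAMPLE_NETSTAT, {3389}))
```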


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 11:59
Thanks for the link.  The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo.  First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic.  This "no inbound traffic by default so you are not vulnerable" line is crap.  It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A:"Great question. Yes, servers are the target.  A firewall should provide added protection, maybe.  Rumor is that's what they are for.  Not sure really.  What was the question again?"

You don't get "trustworthy" by not answering people's questions, particularly when they are good, obvious questions.  Just be honest about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help, but don't bet on it.  XP code is something like 15 years old now, and we're not going to change it.  That's the way it is, sorry. Just be glad you're using XP and not 2008/vista or you'd be patching your arse off right now."

If MSFT thinks they are mitigating public opinion issues by side-stepping questions and not fully exposing the problems, they are wrong.  This just makes it worse. That's the long answer.  The short answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t





From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 11:21
I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a "Low" threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have rated it at least Medium. If I'm wrong about
that then the "Low" rating is misleading.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 12:15
P.S.

Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that gets DoS'd?

I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."

t



From: Tom Grace tom@deathbycomputers.co.uk
Sent: Wed 16. Sep 2009 16:57
Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value 
adds additional delays to connection indications, and TCP connection 
requests quickly timeout when a SYN attack is in progress. This 
parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you 
set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 
theory, around it... & iirc, "Scalable Windows", via setsockopt API 
calls from an attacker are what the problem is here anyhow & this ought 
to stall it... thoughts/feedback?

APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize 
settings in the registry in TCP/IP Parameters (see registry path above) 
SHOULD also help here also, for servers that can accept MANY connections 
from MANY clients, worldwide, as your specific constraints specify...

Thus, effectively stalling the ability to use TcpWindowScaling is 
stopped by SynAttackProtect too, so an attacking system/app sending a 
setsockopt of 0 for this SHOULD also be nullified, on a server also...

(However/Again - Workstations are easily taken care of, vs. servers, 
just by what I wrote up above either by PORT FILTERING)

IP Security Policies, which can work on ranges of addresses to block, 
OR, single systems as well you either ALLOW or DENY to talk to your 
system, still can help also... vs. a DDOS though? SynAttackProtect is 
your best friend here... you'd use netstat -b -n tcp to see which are 
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR 
WAY (or just by doing it in a router or routing table)... takers anyone, 
on these thoughts (especially for Windows 2000)?

Thanks for your time... apk
UNQUOTE--

Source: http://tech.slashdot.org/comments.pl?sid=1368439&cid=29424787

Susan Bradley wrote:
> It's not that they aren't supported per se, just that Microsoft has 
> deemed the impact of DOS to be low, the ability to patch that platform 
> impossible/difficult and thus have made a risk calculation accordingly.
> 
> Sometimes the architecture is what it is.
> 
> Jeffrey Walton wrote:
>> Hi Susan,
>>
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to 
>>> be of low impact and thus no patch has been built.
>>
>> I don't know how I missed that XP/SP2 and above were not being
>> patched. It appears that my two references are worthless... I used to
>> use them in position papers!
>> * http://support.microsoft.com/gp/lifepolicy
>> * http://support.microsoft.com/gp/lifeselect
>>
>> Jeff
>>
>> On Tue, Sep 15, 2009 at 5:24 PM, Susan Bradley <sbradcpa@pacbell.net> 
>> wrote:
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to 
>>> be of low impact and thus no patch has been built.

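The Slashdot comment quoted in Tom Grace's message suggests running netstat to see which peers are holding connections in the half-open SYN_RECEIVED state before deciding what to filter. The script below is an added illustration of that check, not code from the thread or from any of its participants: it parses the row format that Windows `netstat -n` prints and counts TCP sockets per (remote address, state), so it generalizes beyond SYN_RECEIVED to any state in which one peer is hogging sockets. The netstat output embedded in it is constructed for the example (documentation address ranges), and the threshold of three sockets is an arbitrary assumption.

```python
"""Summarize Windows `netstat -n` output by remote address and TCP state.

Added example (not from the mailing-list thread). The quoted advice is to
look for peers holding many half-open (SYN_RECEIVED) connections; counting
per (remote address, state) makes that visible for any state.
"""
import re
from collections import Counter

# Constructed sample of `netstat -n` output in the Windows text format.
# Not captured from a real host; addresses come from documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:3389          203.0.113.7:51234      SYN_RECEIVED
  TCP    10.0.0.5:3389          203.0.113.7:51235      SYN_RECEIVED
  TCP    10.0.0.5:3389          203.0.113.7:51236      SYN_RECEIVED
  TCP    10.0.0.5:3389          203.0.113.7:51237      SYN_RECEIVED
  TCP    10.0.0.5:445           192.0.2.10:49152       ESTABLISHED
  TCP    10.0.0.5:445           192.0.2.11:49153       ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.4:60001     ESTABLISHED
  TCP    10.0.0.5:139           203.0.113.7:51300      ESTABLISHED
  UDP    10.0.0.5:137           *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state
# (UDP rows carry no state column). Header and blank lines do not match.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return a list of (proto, local_ip, remote_ip, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Active Connections", column headers, blank lines
        proto, local_ip, _lport, remote_ip, _rport, state = m.groups()
        rows.append((proto, local_ip, remote_ip, state or ""))
    return rows


def count_by_peer_state(rows):
    """Count TCP sockets per (remote_ip, state); UDP rows are skipped."""
    counts = Counter()
    for proto, _local_ip, remote_ip, state in rows:
        if proto == "TCP":
            counts[(remote_ip, state)] += 1
    return counts


def suspicious_peers(text, threshold=3, state="SYN_RECEIVED"):
    """Remote addresses holding at least `threshold` TCP sockets in `state`.

    The threshold is an assumption for the example; tune it to the host's
    normal connection volume before acting on the result.
    """
    counts = count_by_peer_state(parse_netstat(text))
    return sorted(ip for (ip, st), n in counts.items()
                  if st == state and n >= threshold)


if __name__ == "__main__":
    counts = count_by_peer_state(parse_netstat(SAMPLE_NETSTAT))
    for (ip, st), n in sorted(counts.items()):
        print(f"{ip:<16} {st:<13} {n}")
    print("half-open flood candidates:", suspicious_peers(SAMPLE_NETSTAT))
```

To use it on a real host, redirect `netstat -n` to a file and pass the file's contents to `suspicious_peers`; the `-b` switch the comment mentions adds the owning executable on separate lines, which this parser simply ignores. The result is a candidate list for the router or IP Security Policy block the comment describes, not proof of an attack: a busy legitimate client can also hold several sockets at once.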

From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 09:00
Only if you are a consumer.  In a network we ALL have listening ports 
out there.

Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg
>



From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 13:31
Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack
itself, exploitation information must be explicit and definitive.  I'm
fine with risk classification, and I appreciate efforts to categorize
risk into manageable exposure metrics, but we shouldn't have to infer
potential vulnerability information from vague disclosure data.  I know
many response teams base patch paths on the published severity, but one
also has to be able to make decisions on their own.  For me, no big
deal.  But it's not that simple for others.

But there's not enough information for me to make that call.  Is it for
ANY "listening service?"  TCP or UDP?  Does the "statefull" firewall
introduced in subsequent versions stop it?

The answers are "yes," "yes," and "no."  They should just say that.  Is
it "low" because the firewall doesn't have any exceptions by default?
If so, that's silly.  Everyone using XP for anything has incoming
connections for something, and well known if on a domain.  I feel sorry
for Diebold and NEC with all the ATMs out there running XP, but
fortunately, I'm not responsible for clients using their systems
anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real,
straight-forward, no-nonsense information and technical sleight of
hand.  The information should be painfully obvious, not obviously
painful.

t




> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,
> they probably would have rated it at least Medium. If I'm wrong about
> that then the "Low" rating is misleading.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, September 16, 2009 11:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Thanks for the link.  The problem here is that not enough information
> is given, and what IS given is obviously watered down to the point of
> being ineffective.
>
> The quote that stands out most for me:
> <snip>
> During the Q&A, however, Windows users repeatedly asked Microsoft's
> security team to explain why it wasn't patching XP, or if, in certain
> scenarios, their machines might be at risk. "We still use Windows XP
> and we do not use Windows Firewall," read one of the user questions.
> "We use a third-party vendor firewall product. Even assuming that we
> use the Windows Firewall, if there are services listening, such as
> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>
> "Servers are a more likely target for this attack, and your firewall
> should provide additional protections against external exploits,"
> replied Stone and Bryant.
> </snip>
>
> If an employee managing a product that my company owned gave answers
> like that to a public interview with Computerworld, they would be in
> deep doo.  First off, my default install of XP Pro SP2 has remote
> assistance inbound, and once you join to a domain, you obviously accept
> necessary domain traffic.  This "no inbound traffic by default so you
> are not vulnerable" line is crap.  It was a direct question - "If RDP
> is allowed through the firewall, are we vulnerable?" A:"Great question.
> Yes, servers are the target.  A firewall should provide added
> protection, maybe.  Rumor is that's what they are for.  Not sure
> really.  What was the question again?"
>
> You don't get "trustworthy" by not answering people's questions,
> particularly when they are good, obvious questions.  Just be honest
> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> but don't bet on it.  XP code is something like 15 years old now, and
> we're not going to change it.  That's the way it is, sorry. Just be
> glad you're using XP and not 2008/vista or you'd be patching your arse
> off right now."
>
> If MSFT thinks they are mitigating public opinion issues by
> side-stepping questions and not fully exposing the problems, they are
> wrong.  This just makes it worse. That's the long answer.  The short
> answer is "XP is vulnerable to a DoS, and a patch is not being
> offered."
>
> t
>
>
>
> > -----Original Message-----
> > From: full-disclosure-bounces@lists.grok.org.uk
> > [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> > Sent: Tuesday, September 15, 2009 2:37 PM
> > To: bugtraq@securityfocus.com
> > Cc: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >
> > Reference:
> >
> > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
> >
> > MS claims the patch would require too much overhaul of XP to make it
> > worth it, and they may be right.  Who knows how many applications
> > might break that were designed for XP if they have to radically change
> > the TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> > certainly sounds like it is not going to be patched.
> >
> > The other side of the MS claim is that a properly-firewalled XP
> > system would not be vulnerable to a DOS anyway, so a patch shouldn't
> > be necessary.
> >
> > -Eric
> >


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 10:16
It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of 
course it's vulnerable to any and all gobs of stuff out there.  But its 
goal and intent is to allow Small shops to deploy Win7.  If you need 
more security, get appv/medv/whateverv or other virtualization.

It's not a security platform.  It's a get the stupid 16 bit line of 
business app working platform.

Thor (Hammer of God) wrote:
> P.S.
>
> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that gets DoS'd are?
>
> I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
>
> t


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 11:25
It's only "default" for people running XP standalone/consumer that are 
not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub 
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that 
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.
>
> t
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>           
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>         
>>>       
>
>   


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 15:23
Yeah, I know what it is and what it's for ;)  That was just my subtle way of
trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and
for which you have no intention of making a patch for, don't tell me it's
mitigated by ancient, unusable default firewall settings, and don't withhold
explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE
KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy
firewall settings via group policy to mitigate exposure when the firewall
obviously must be accepting network connections to get the settings in the
first place.  If all it takes is any listening service, then you have
issues.  It's like telling me that "the solution is to take the letter f out
of the word "solution."

2)  Think things through.  If you are going to try to boost sales of Win7 to
corporate customers by providing free XP VM technology and thus play up how
important XP is and how many companies still depend upon it for business
critical application compatibility, don't deploy that technology in an
other-than-default configuration that is subject to a DoS exploit while
downplaying the extent that the exploit may be leveraged by saying that a
"typical" default configuration mitigates it while choosing not to ever
patch it.  Seems like simple logic points to me.

t

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Wednesday, September 16, 2009 10:16 AM
> To: Thor (Hammer of God)
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
> course it's vulnerable to any and all gobs of stuff out there.  But its
> goal and intent is to allow Small shops to deploy Win7.  If you need
> more security, get appv/medv/whateverv or other virtualization.
>
> It's not a security platform.  It's a get the stupid 16 bit line of
> business app working platform.
>
> Thor (Hammer of God) wrote:
> > P.S.
> >
> > Anyone check to see if the default "XP Mode" VM you get for free with
> > Win7 hyperv is vulnerable and what the implications are for a host
> > running an XP vm that gets DoS'd are?
> >
> > I get the whole "XP code to too old to care" bit, but it seems odd to
> > take that "old code" and re-market it around compatibility and re-
> > distribute it with free downloads for Win7 while saying "we won't patch
> > old code."
> >
> > t
> >
> >
> >> -----Original Message-----
> >> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, September 16, 2009 8:00 AM
> >> To: Eric C. Lukens; bugtraq@securityfocus.com
> >> Cc: full-disclosure@lists.grok.org.uk
> >> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>
> >> Thanks for the link.  The problem here is that not enough information
> >> is given, and what IS given is obviously watered down to the point of
> >> being ineffective.
> >>
> >> The quote that stands out most for me:
> >> <snip>
> >> During the Q&A, however, Windows users repeatedly asked Microsoft's
> >> security team to explain why it wasn't patching XP, or if, in certain
> >> scenarios, their machines might be at risk. "We still use Windows XP
> >> and we do not use Windows Firewall," read one of the user questions.
> >> "We use a third-party vendor firewall product. Even assuming that we
> >> use the Windows Firewall, if there are services listening, such as
> >> remote desktop, wouldn't then Windows XP be vulnerable to this?"
> >>
> >> "Servers are a more likely target for this attack, and your firewall
> >> should provide additional protections against external exploits,"
> >> replied Stone and Bryant.
> >> </snip>
> >>
> >> If an employee managing a product that my company owned gave answers
> >> like that to a public interview with Computerworld, they would be in
> >> deep doo.  First off, my default install of XP Pro SP2 has remote
> >> assistance inbound, and once you join to a domain, you obviously accept
> >> necessary domain traffic.  This "no inbound traffic by default so you
> >> are not vulnerable" line is crap.  It was a direct question - "If RDP
> >> is allowed through the firewall, are we vulnerable?" A:"Great question.
> >> Yes, servers are the target.  A firewall should provide added
> >> protection, maybe.  Rumor is that's what they are for.  Not sure
> >> really.  What was the question again?"
> >>
> >> You don't get "trustworthy" by not answering people's questions,
> >> particularly when they are good, obvious questions.  Just be honest
> >> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> >> but don't bet on it.  XP code is something like 15 years old now, and
> >> we're not going to change it.  That's the way it is, sorry. Just be
> >> glad you're using XP and not 2008/vista or you'd be patching your arse
> >> off right now."
> >>
> >> If MSFT thinks they are mitigating public opinion issues by side-
> >> stepping questions and not fully exposing the problems, they are wrong.
> >> This just makes it worse. That's the long answer.  The short answer is
> >> "XP is vulnerable to a DoS, and a patch is not being offered."
> >>
> >> t
> >>
> >>> -----Original Message-----
> >>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> >>> Sent: Tuesday, September 15, 2009 2:37 PM
> >>> To: bugtraq@securityfocus.com
> >>> Cc: full-disclosure@lists.grok.org.uk
> >>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>>
> >>> Reference:
> >>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
> >>>
> >>> MS claims the patch would require too much overhaul of XP to make it
> >>> worth it, and they may be right.  Who knows how many applications might
> >>> break that were designed for XP if they have to radically change the
> >>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> >>> certainly sounds like it is not going to be patched.
> >>>
> >>> The other side of the MS claim is that a properly-firewalled XP system
> >>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> >>> necessary.
> >>>
> >>> -Eric


From: Rob Thompson my.security.lists@gmail.com
Sent: Wed 16. Sep 2009 11:24
Susan Bradley wrote:
> Only if you are a consumer.  In a network we ALL have listening ports
> out there.

This is simply Microsoft's way of forcing you to upgrade your OS.  They
pulled the same shenanigans with Windows 2000, if you do not recall.

I'd have to say, it's time to re-evaluate where you are funneling your
$$$.  If the vendor that you PAID your hard earned dollars to is not
supporting their product like they said they would, then it's time to
move on.

There are plenty of alternatives out there.  No one says you _have_ to
run Windows.

> 
> Elizabeth.a.greene@gmail.com wrote:
>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>> patches for XP because, by default, it runs no listening services or
>> the windows firewall can protect it.
>>
>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>> "If Windows XP is listed as an affected product, why is Microsoft not
>> issuing an update for it?
>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
>> -eg


-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
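The bulletin text Elizabeth quotes makes the "not affected" claim conditional on having no listening service configured in the client firewall, which is exactly the condition Thor and Susan argue a domain-joined box fails. As an added example (not code from the thread), this Python script checks that condition on a given XP host by parsing `netsh firewall show state` and `netstat -ano` output; the samples embedded below are constructed and only approximate the XP SP2/SP3 layout, so verify the column format against a real host before relying on it.

```python
"""Check the MS09-048 bulletin's "no listening service in the client firewall"
condition on an XP host. Added example, not code from the thread. It parses
`netsh firewall show state` and `netstat -ano` output; the samples below are
constructed and only approximate the XP SP2/SP3 layout (verify on a real host).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a domain-joined XP box with RDP and file sharing opened.
SAMPLE_NETSH_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Group policy version              = Windows Firewall

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
139    TCP       Any      (null)
445    TCP       Any      (null)
137    UDP       Any      (null)
"""

# Constructed sample `netstat -ano` output from the same host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1112
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1620
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      192.168.1.9:49321      ESTABLISHED     1112
  UDP    0.0.0.0:137            *:*                                    4
"""

@dataclass
class FirewallState:
    enabled: bool      # "Operational mode = Enable"
    profile: str       # Domain or Standard
    open_tcp_ports: set = field(default_factory=set)

def parse_netsh_state(text):
    """Extract operational mode, active profile and firewall-opened TCP ports."""
    enabled, profile, ports = True, "Unknown", set()
    for line in text.splitlines():
        m = re.match(r"\s*Operational mode\s*=\s*(\w+)", line)
        if m:
            enabled = m.group(1).lower() == "enable"
            continue
        m = re.match(r"\s*Profile\s*=\s*(\w+)", line)
        if m:
            profile = m.group(1)
            continue
        # Rows of the "Ports currently open" table look like "<port>   TCP ..."
        m = re.match(r"\s*(\d+)\s+TCP\b", line)
        if m:
            ports.add(int(m.group(1)))
    return FirewallState(enabled, profile, ports)

def parse_listening_tcp(text):
    """Return TCP ports in LISTENING state bound to a non-loopback address."""
    listening = set()
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", line)
        if m and not m.group(1).startswith("127."):
            listening.add(int(m.group(2)))
    return listening

def exposed_tcp_ports(fw, listening):
    """Ports reachable from the network: listening AND not blocked.
    Firewall off: every non-loopback listener is exposed. Firewall on: only
    listeners that also appear in the firewall's open-port list."""
    if not fw.enabled:
        return set(listening)
    return listening & fw.open_tcp_ports

def matches_bulletin_default(fw, listening):
    """True only in the narrow case the bulletin describes: firewall on and
    no listening service reachable through it."""
    return fw.enabled and not exposed_tcp_ports(fw, listening)

if __name__ == "__main__":
    fw = parse_netsh_state(SAMPLE_NETSH_STATE)
    lst = parse_listening_tcp(SAMPLE_NETSTAT)
    print(f"profile={fw.profile} firewall_enabled={fw.enabled}")
    print("listening (non-loopback):", sorted(lst))
    print("exposed through firewall:", sorted(exposed_tcp_ports(fw, lst)))
    print("bulletin 'default' case applies:", matches_bulletin_default(fw, lst))
```

On the constructed sample the box is in the Domain profile with 139, 445 and 3389 both listening and opened in the firewall, so the bulletin's "default" case does not apply to it.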


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 12:48
Cloud option maybe as we go forward but right now today, this is 
business making the decisions here.

Desktop, if it were that easy we'd have ripped out desktops years ago.

Businesses have to be realistic.  Sometimes there is not "plenty of 
comparable alternatives out there".

Sometimes the boss/business needs/line of business apps dictates you run 
windows.




From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 17:02
Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are
not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


From: "Aras "Russ" Memisyazici" nowhere@devnull.com
Sent: Wed 16. Sep 2009 18:39
:)

Thank you all for your valuable comments... Indeed I appreciated some of the
links/info extended (Susan, Thor and Tom). However, in the end, it sounded
like:

a) As a sysadmin in charge of maintaining XP systems along with a whole
shebang of other mix setups, unless I deploy a "better" firewall solution, I
seem to be SOL.

b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
earlier, they did the exact same thing back in Win2K days... Nothing new
here... :/ As Larry and Thor pointed out, what sux is that despite M$
"PROMISING" that they would continue supporting XP, since they didn't exactly
state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
to promises...

So... with all this commentary, in the end, I still didn't read from the
"biguns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days that people back in the day who cared would
:) In the end I realize, it sounds like a total over-haul of the TCP/IP
stack is required; but does it really have to? Really?

How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
suggesting switching to an iptables based protection along with a registry
tweak... ahh the good ol' batch firewall :) Would this actually work as a
viable work-around? I realize M$ stated this as such, but given their
current reputation it's really hard to take their word for anything these
days :P

What free/cheap client-level-IPS solutions block this current attack? Any
suggestions?

Thank you for your time and look forward to some more answers.

Sincerely,
Aras "Russ" Memisyazici
arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
you know why!

Systems Administrator
Virginia Tech

-----Original Message-----
From: Larry Seltzer [mailto:larry@larryseltzer.com] 
Sent: Wednesday, September 16, 2009 5:03 PM
To: Susan Bradley; Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that 
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle
> way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch,
> and for which you have no intention of making a patch for, don't tell me
> it's mitigated by ancient, unusable default firewall settings, and don't
> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
> you can deploy firewall settings via group policy to mitigate exposure
> when the firewall obviously must be accepting network connections to get
> the settings in the first place. If all it takes is any listening
> service, then you have issues.  It's like telling me that "the solution
> is to take the letter f out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boost sales of
> Win7 to corporate customers by providing free XP VM technology and thus
> play up how important XP is and how many companies still depend upon it
> for business critical application compatibility, don't deploy that
> technology in an other-than-default configuration that is subject to a
> DoS exploit while downplaying the extent that the exploit may be
> leveraged by saying that a "typical" default configuration mitigates it
> while choosing not to ever patch it.  Seems like simple logic points
> to me.
>
> t
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But its
>> goal and intent is to allow Small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a get the stupid 16 bit line of
>> business app working platform.
>>
>> Thor (Hammer of God) wrote:
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP vm that gets DoSd are?
>>>
>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>> take that "old code" and re-market it around compatibility and re-
>>> distribute it with free downloads for Win7 while saying "we won't patch
>>> old code."
>>>
>>> t
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>> Cc: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough information
>>>> is given, and what IS given is obviously watered down to the point of
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>> This just makes it worse. That's the long answer.  The short answer is
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>
>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>> break that were designed for XP if they have to radically change the
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>>
>>>>>



From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 07:59
<jaded mode off>

I know too many of the good geeks behind Microsoft and I do trust that
this IS NOT a plot to sell more Win7.  Granted the marketing folks spun
this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
architecture in XP just isn't there.  It's a 10 year old platform that
sometimes you can't bolt this stuff on afterwards.  Even in Vista, it's
not truly fixing the issue, merely making the system more resilient to
attacks.  Read the fine print in the patch.. it's just making the system
kill a session and recover better.

I am not a fan of third party because you bring yourself outside the
support window of the product.

It is just a DOS.  I DOS myself after patch Tuesday sometimes with mere
patch issues.  Also the risk of this appears low, the potential for
someone coding up an attack low... I have bigger risks from fake A/V at me.

Is this truly the risk that one has to take such actions and expect such
energy?

I don't see that it is.  Give me more information that it is a risk and
I may change my mind, but right now, I'm just not seeing that it's worth it.





From: John Morrison john.morrison101@googlemail.com
Sent: Thu 17. Sep 2009 16:29
On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?


2009/9/16 Aras "Russ" Memisyazici <nowhere@devnull.com>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom). However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP, since they didn't exactly
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "biguns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
> you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because they've got 4+ years of Extended Support Period
> left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
> Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's only "default" for people running XP standalone/consumer that are
> not even in a home network setting.
>
> That kinda slices and dices that default down to a VERY narrow sub sub
> sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that
> bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>> way of trying to make a point.  To be more explicit:
>>
>> 1)  If you are publishing a vulnerability for which there is no patch,
>> and for which you have no intention of making a patch for, don't tell me
>> it's mitigated by ancient, unusable default firewall settings, and don't
>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>> you can deploy firewall settings via group policy to mitigate exposure
>> when the firewall obviously must be accepting network connections to get
>> the settings in the first place. If all it takes is any listening
>> service, then you have issues.  It's like telling me that "the solution
>> is to take the letter f out of the word "solution."
>>
>> 2)  Think things through.  If you are going to try to boost sales of
>> Win7 to corporate customers by providing free XP VM technology and thus
>> play up how important XP is and how many companies still depend upon it
>> for business critical application compatibility, don't deploy that
>> technology in an other-than-default configuration that is subject to a
>> DoS exploit while downplaying the extent that the exploit may be
>> leveraged by saying that a "typical" default configuration mitigates it
>> while choosing not to ever patch it.  Seems like simple logic points
>> to me.
>>
>> t
>>
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>> more security, get appv/medv/whateverv or other virtualization.
>>>
>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>> business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>> running an XP vm that gets DoS'd are?
>>>>
>>>> I get the whole "XP code too old to care" bit, but it seems odd to
>>>> take that "old code" and re-market it around compatibility and re-
>>>> distribute it with free downloads for Win7 while saying "we won't patch
>>>> old code."
>>>>
>>>> t
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of
>>>>> God)
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link.  The problem here is that not enough information
>>>>> is given, and what IS given is obviously watered down to the point of
>>>>> being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>>> and we do not use Windows Firewall," read one of the user questions.
>>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>>> use the Windows Firewall, if there are services listening, such as
>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your firewall
>>>>> should provide additional protections against external exploits,"
>>>>> replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave answers
>>>>> like that to a public interview with Computerworld, they would be in
>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>>> Yes, servers are the target.  A firewall should provide added
>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>> really.  What was the question again?"
>>>>>
>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>>> This just makes it worse. That's the long answer.  The short answer is
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@securityfocus.com
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>
>>>>>> Reference:
>>>>>>
>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>>> break that were designed for XP if they have to radically change the
>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>> To: nowhere@devnull.com
>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not
>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP should
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the Extended
>>>>>>>     Support phase (five years of Mainstream Support plus five years of
>>>>>>>     the Extended Support) at no additional cost for most products.
>>>>>>>     Security updates will be posted on the Microsoft Update Web site
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being
>>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>>>
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not
>>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>>>>>>>> or not any brave souls out there are already working or willing to work on
>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being
>>>>>>>> feasible because it's a lot of work" rhetoric... I would just like to hear
>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/


From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 10:16
Good geeks ... not gook geeks.

It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong.  My deepest apologies if anyone reads that
wrong.

Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust 
>> that this
>                          ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7.  Granted the marketing folks spun
>> this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
>> architecture in XP just isn't there.  It's a 10 year old platform
>> that sometimes you can't bolt on this stuff afterwards.  Even in
>> Vista, it's not truly fixing the issue, merely making the system more
>> resilient to attacks.  Read the fine print in the patch.. it's just
>> making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the
>> support window of the product.
>>
>> It is just a DOS.  I DOS myself after patch Tuesday sometimes with
>> mere patch issues.  Also the risk of this appears low, the potential
>> for someone coding up an attack low... I have bigger risks from fake
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect
>> such energy? I don't see that it is.  Give me more information that
>> it is a risk and I may change my mind, but right now, I'm just not
>> seeing that it's worth it.
>>
>>
>>
>


From: Mailing lists at Core Security Technologies lists@coresecurity.com
Sent: Tue 22. Sep 2009 19:32
Aras "Russ" Memisyazici wrote:
> 
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
> 
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
> 
> Thank you for your time and look forward to some more answers.

Hi,

This _may_ work for you. It includes a port to Windows of OpenBSD's PF
firewall, which provides stateful filtering with packet scrubbing for
inbound and outbound traffic.

http://force.coresecurity.com/index.php?module=base&page=about

*CAVEAT* This is an OLD project that is no longer maintained or
supported. If you use it, you will be on your own.

regards,

-ivan




From: Eric Kimminau eak@kimminau.org
Sent: Tue 15. Sep 2009 17:23
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

http://edge.technet.com/Media/MSRC-Monthly-Security-Bulletin-Webcast-September-2009/

Jeffrey Walton wrote:
> Can you cite a reference?



From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:24
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be 
of low impact and thus no patch has been built.

Jeffrey Walton wrote:
> Unless Microsoft has changed their end of life policy [1], XP should
> be patched for security vulnerabilities until about 2014. Both XP Home
> and XP Pros mainstream support ended in 4/2009, but extended support
> ends in 4/2014 [2].
>
> [1] http://support.microsoft.com/gp/lifepolicy
> [2] http://support.microsoft.com/gp/lifeselect



From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:29
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

"If Windows XP is listed as an affected product, why is Microsoft 
not issuing an update for it?"

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and 
Windows XP Professional x64 Edition Service Pack 2 do not have a 
listening service configured in the client firewall and are therefore 
not affected by this vulnerability. Windows XP Service Pack 2 and later 
operating systems include a stateful host firewall that provides 
protection for computers against incoming traffic from the Internet or 
from neighboring network devices on a private network. The impact of a 
denial of service attack is that a system would become unresponsive due 
to memory consumption. However, a successful attack requires a sustained 
flood of specially crafted TCP packets, and the system will recover once 
the flood ceases. This makes the severity rating Low for Windows XP. 
Windows XP is not affected by CVE-2009-1925. Customers running Windows 
XP are at reduced risk, and Microsoft recommends they use the firewall 
included with the operating system, or a network firewall, to block 
access to the affected ports and limit the attack surface from untrusted 
networks.

Susan Bradley wrote:
> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be 
> of low impact and thus no patch has been built.
>



From: "Eric C. Lukens" eric.lukens@uni.edu
Sent: Tue 15. Sep 2009 16:37
Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric

-------- Original Message  --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader@gmail.com>
To: nowhere@devnull.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: 9/15/09 3:49 PM
> Hi Aras,
>
> Can you cite a reference?

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/





From: Jeffrey Walton noloader@gmail.com
Sent: Tue 15. Sep 2009 17:52
Hi Susan,

> Read the bulletin.  Theres no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
* http://support.microsoft.com/gp/lifepolicy
* http://support.microsoft.com/gp/lifeselect

Jeff



From: Matt Riddell matt@venturevoip.com
Sent: Wed 16. Sep 2009 09:53
On 16/09/09 8:49 AM, Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?

http://tech.slashdot.org/article.pl?sid=09/09/15/0131209

-- 
Cheers,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)


From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:55
It's not that they aren't supported per se, just that Microsoft has 
deemed the impact of DOS to be low, the ability to patch that platform 
impossible/difficult and thus have made a risk calculation accordingly.

Sometimes the architecture is what it is.

Jeffrey Walton wrote:
> Hi Susan,
>
>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
>> low impact and thus no patch has been built.
> I don't know how I missed that XP/SP2 and above were not being
> patched. It appears that my two references are worthless... I used to
> use them in position papers!
> * http://support.microsoft.com/gp/lifepolicy
> * http://support.microsoft.com/gp/lifeselect
>
> Jeff
>


From: Elizabeth.a.greene@gmail.com
Sent: Tue 15. Sep 2009 21:56
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the Windows Firewall can protect it.

Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."

-eg


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 11:59
Thanks for the link.  The problem here is that not enough information is
given, and what IS given is obviously watered down to the point of being
ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's
security team to explain why it wasn't patching XP, or if, in certain
scenarios, their machines might be at risk. "We still use Windows XP and
we do not use Windows Firewall," read one of the user questions. "We use
a third-party vendor firewall product. Even assuming that we use the
Windows Firewall, if there are services listening, such as remote
desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo.  First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously accept
necessary domain traffic.  This "no inbound traffic by default so you
are not vulnerable" line is crap.  It was a direct question - "If RDP is
allowed through the firewall, are we vulnerable?" A:"Great question.
Yes, servers are the target.  A firewall should provide added
protection, maybe.  Rumor is that's what they are for.  Not sure really.
What was the question again?"

You don't get "trustworthy" by not answering people's questions,
particularly when they are good, obvious questions.  Just be honest
about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
but don't bet on it.  XP code is something like 15 years old now, and
we're not going to change it.  That's the way it is, sorry. Just be glad
you're using XP and not 2008/vista or you'd be patching your arse off
right now."

If MSFT thinks they are mitigating public opinion issues by
side-stepping questions and not fully exposing the problems, they are
wrong.  This just makes it worse. That's the long answer.  The short
answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t



> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> Sent: Tuesday, September 15, 2009 2:37 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

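The bulletin's "use the host firewall" advice and Thor's objection about default exceptions both come down to one question for a given XP SP2/SP3 box: which TCP listeners does the Windows Firewall actually let in? The batch script below is an added example (not from the thread, from Microsoft or from Core Security) that answers it with the XP-era `netsh firewall` context and netstat; the `--lockdown` switch, which turns on the firewall's "Don't allow exceptions" mode for an untrusted network, is this script's own name, and IPv4 listeners are assumed.

```batch
@echo off
rem ms09-048-xp-audit.cmd -- added example, not from the thread or from Microsoft.
rem Lists the TCP listeners on an XP SP2/SP3 host and which of them the
rem Windows Firewall currently allows in (the exposure the bulletin's
rem "use the firewall" advice depends on). Run from an administrator's prompt.
rem   ms09-048-xp-audit.cmd            audit only
rem   ms09-048-xp-audit.cmd --lockdown audit, then enable "no exceptions" mode
setlocal EnableDelayedExpansion
set "STATE=%TEMP%\fwstate.txt"

echo === 1. Firewall operational mode per profile ===
netsh firewall show opmode

echo.
echo === 2. All local TCP listeners (netstat -a all, -n numeric, -o PID) ===
netstat -ano -p tcp | findstr /C:"LISTENING"

echo.
echo === 3. Ports the firewall currently opens, and the service exceptions ===
rem "show state" lists ports open on all interfaces; "show config" lists the
rem per-profile service exceptions (Remote Desktop, Remote Assistance,
rem File and Printer Sharing, UPnP) that a default install or a domain
rem join can leave enabled.
netsh firewall show state
netsh firewall show config

echo.
echo === 4. Listeners that are also allowed through the firewall ===
netsh firewall show state > "%STATE%"
set EXPOSED=0
rem netstat columns split on ":" and space:
rem   TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  1234   -> token 3 is the port
rem (an IPv6 listener such as [::]:135 would not split this way; IPv4 assumed)
for /f "tokens=3 delims=: " %%P in ('netstat -ano -p tcp ^| findstr /C:"LISTENING"') do (
    rem The "show state" port table prints "<port>  TCP  IPv4  <program>"
    findstr /R /C:"^%%P  *TCP" "%STATE%" >nul 2>&1
    if not errorlevel 1 (
        echo   reachable from the network: TCP port %%P
        set /a EXPOSED+=1
    )
)
if %EXPOSED%==0 (
    echo   no listener is listed as open; cross-check the exceptions in step 3
) else (
    echo   !EXPOSED! listener^(s^) open to inbound traffic; close them or use --lockdown
)
del "%STATE%" >nul 2>&1

if /I "%~1"=="--lockdown" (
    echo.
    echo === 5. Enabling "Don't allow exceptions" on all profiles ===
    rem Same as ticking "Don't allow exceptions" in the Windows Firewall control
    rem panel: the stateful firewall stays on but every exception is ignored,
    rem which is the posture the bulletin recommends on untrusted networks.
    rem Undo with: netsh firewall set opmode mode=ENABLE exceptions=ENABLE
    netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
    netsh firewall show opmode
)
endlocal
```

Step 4 only reports what `netsh firewall show state` lists as open, so a third-party firewall or a group-policy-managed profile still needs its own check.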

From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 11:21
I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a "Low" threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have rated it at least Medium. If I'm wrong about
that then the "Low" rating is misleading.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
(Hammer of God)
Sent: Wednesday, September 16, 2009 11:00 AM
To: Eric C. Lukens; bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link.  The problem here is that not enough information is
given, and what IS given is obviously watered down to the point of being
ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsofts
security team to explain why it wasnt patching XP, or if, in certain
scenarios, their machines might be at risk. "We still use Windows XP and
we do not use Windows Firewall," read one of the user questions. "We use
a third-party vendor firewall product. Even assuming that we use the
Windows Firewall, if there are services listening, such as remote
desktop, wouldnt then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo.  First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously accept
necessary domain traffic.  This "no inbound traffic by default so you
are not vulnerable" line is crap.  It was a direct question - "If RDP is
allowed through the firewall, are we vulnerable?" A:"Great question.
Yes, servers are the target.  A firewall should provide added
protection, maybe.  Rumor is thats what they are for.  Not sure really.
What was the question again?"

You dont get "trustworthy" by not answering peoples questions,
particularly when they are good, obvious questions.  Just be honest
about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
but dont bet on it.  XP code is something like 15 years old now, and
were not going to change it.  Thats the way it is, sorry. Just be glad
youre using XP and not 2008/vista or youd be patching your arse off
right now."=20

If MSFT thinks they are mitigating public opinion issues by
side-stepping questions and not fully exposing the problems, they are
wrong.  This just makes it worse. Thats the long answer.  The short
answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t=20



> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> Sent: Tuesday, September 15, 2009 2:37 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>=20
> Reference:
>=20
>
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
> hes_for_you_XP
>=20
> MS claims the patch would require to much overhaul of XP to make it
> worth it, and they may be right.  Who knows how many applications
might
> break that were designed for XP if they have to radically change the
> TCP/IP stack.  Now, I dont know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>=20
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DOS anyway, so a patch shouldnt be
> necessary.
>=20
> -Eric
>=20
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 12:15
P.S.

Anyone check to see if the default "XP Mode" VM you get for free with Win7
hyperv is vulnerable, and what the implications are for a host running an XP
VM that gets DoS'd?

I get the whole "XP code is too old to care" bit, but it seems odd to take
that "old code" and re-market it around compatibility and re-distribute it
with free downloads for Win7 while saying "we won't patch old code."

t

> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, September 16, 2009 8:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?


From: Tom Grace tom@deathbycomputers.co.uk
Sent: Wed 16. Sep 2009 16:57
Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value 
adds additional delays to connection indications, and TCP connection 
requests quickly timeout when a SYN attack is in progress. This 
parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you 
set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 
theory, around it... & iirc, "Scalable Windows", via setsockopt API 
calls from an attacker are what the problem is here anyhow & this ought 
to stall it... thoughts/feedback?

APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize 
settings in the registry in TCP/IP Parameters (see registry path above) 
SHOULD also help here also, for servers that can accept MANY connections 
from MANY clients, worldwide, as your specific constraints specify...

Thus, effectively stalling the ability to use TcpWindowScaling is 
stopped by SynAttackProtect too, so an attacking system/app sending a 
setsockopt of 0 for this SHOULD also be nullified, on a server also...

(However/Again - Workstations are easily taken care of, vs. servers, 
just by what I wrote up above either by PORT FILTERING)

IP Security Policies, which can work on ranges of addresses to block, 
OR, single systems as well you either ALLOW or DENY to talk to your 
system, still can help also... vs. a DDOS though? SynAttackProtect is 
your best friend here... you'd use netstat -b -n tcp to see which are 
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR 
WAY (or just by doing it in a router or routing table)... takers anyone, 
on these thoughts (especially for Windows 2000)?

Thanks for your time... apk
UNQUOTE--

Source: http://tech.slashdot.org/comments.pl?sid=1368439&cid=29424787

Susan Bradley wrote:
> It's not that they aren't supported per se, just that Microsoft has 
> deemed the impact of DOS to be low, the ability to patch that platform 
> impossible/difficult and thus have made a risk calculation accordingly.
> 
> Sometimes the architecture is what it is.
> 
> Jeffrey Walton wrote:
>> Hi Susan,
>>
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to 
>>> be of low impact and thus no patch has been built.
>>
>> I don't know how I missed that XP/SP2 and above were not being
>> patched. It appears that my two references are worthless... I used to
>> use them in position papers!
>> * http://support.microsoft.com/gp/lifepolicy
>> * http://support.microsoft.com/gp/lifeselect
>>
>> Jeff
>>
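Added example, not from the thread or from any of its posters: a small parser for Windows `netstat -n` style output that tallies half-open (SYN_RECEIVED) TCP connections per remote host, which is the check APK's quoted comment suggests doing by eye before blocking a source upstream. The netstat rows below are constructed, not captured from a real host, and the reporting threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Matches one data row of Windows `netstat -n -p tcp` output:
# proto, local address, foreign address and (for TCP rows) state.
# UDP rows carry no state column, so the last group is optional.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample output; not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:40001     SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.7:40002     SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.7:40003     SYN_RECEIVED
  TCP    192.0.2.10:3389        203.0.113.5:51000      SYN_RECEIVED
  TCP    192.0.2.10:3389        192.0.2.20:49152       ESTABLISHED
  TCP    [2001:db8::10]:445     [2001:db8::99]:50000   SYN_RECEIVED
  UDP    0.0.0.0:137            *:*
"""


def split_host_port(addr):
    """Split 'host:port' or '[v6addr]:port' into (host, port string)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per connection row; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Active Connections", column header, blank line
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto, "local": local,
                     "foreign": foreign, "state": state or ""})
    return rows


def half_open_by_source(text):
    """Count SYN_RECEIVED (half-open) TCP connections per remote host."""
    counts = Counter()
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["state"] == "SYN_RECEIVED":
            host, _ = split_host_port(row["foreign"])
            counts[host] += 1
    return counts


def suspicious_sources(text, threshold=3):
    """Remote hosts holding at least `threshold` half-open connections,
    busiest first. Threshold is an assumed value; tune it per host."""
    counts = half_open_by_source(text)
    return sorted(((h, c) for h, c in counts.items() if c >= threshold),
                  key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    for host, n in suspicious_sources(SAMPLE_NETSTAT):
        print(f"{host}: {n} half-open connections")
```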


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 09:00
Only if you are a consumer.  In a network we ALL have listening ports 
out there.

Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg
>



From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 13:31
Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack
itself, exploitation information must be explicit and definitive.  I'm fine
with risk classification, and I appreciate efforts to categorize risk into
manageable exposure metrics, but we shouldn't have to infer potential
vulnerability information from vague disclosure data.  I know many response
teams base patch paths on the published severity, but one also has to be
able to make decisions on their own.  For me, no big deal.  But it's not
that simple for others.

But there's not enough information for me to make that call.  Is it for ANY
"listening service?"  TCP or UDP?  Does the "stateful" firewall introduced
in subsequent versions stop it?

The answers are "yes," "yes," and "no."  They should just say that.  Is it
"low" because the firewall doesn't have any exceptions by default?  If so,
that's silly.  Everyone using XP for anything has incoming connections for
something, and well known if on a domain.  I feel sorry for Diebold and NEC
with all the ATMs out there running XP, but fortunately, I'm not responsible
for clients using their systems anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real,
straight-forward, no-nonsense information and technical sleight of hand.
The information should be painfully obvious, not obviously painful.

t




> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,
> they probably would have rated it at least Medium. If I'm wrong about
> that then the "Low" rating is misleading.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 10:16
It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of 
course it's vulnerable to any and all gobs of stuff out there.  But its 
goal and intent is to allow small shops to deploy Win7.  If you need 
more security, get appv/medv/whateverv or other virtualization.

It's not a security platform.  It's a 
get-the-stupid-16-bit-line-of-business-app-working platform.

Thor (Hammer of God) wrote:
> P.S.
>
> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable, and what the implications are for a host running an XP VM that gets DoS'd?
>
> I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
>
> t


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 11:25
It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.
>
> t
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But its
>> goal and intent is to allow Small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a get the stupid 16 bit line of
>> business app working platform.
>>
>> Thor (Hammer of God) wrote:
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP vm that gets DoS'd are?
>>>
>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>> take that "old code" and re-market it around compatibility and re-
>>> distribute it with free downloads for Win7 while saying "we won't patch
>>> old code."
>>>
>>> t
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>> Cc: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough information
>>>> is given, and what IS given is obviously watered down to the point of
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>> This just makes it worse. That's the long answer.  The short answer is
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>>
>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>
>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>> break that were designed for XP if they have to radically change the
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>> To: nowhere@devnull.com
>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>> Date: 9/15/09 3:49 PM
>>>>>
>>>>>> Hi Aras,
>>>>>>
>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not
>>>>>>> issuing a patch for a DoS level issue,
>>>>>> Can you cite a reference?
>>>>>>
>>>>>> Unless Microsoft has changed their end of life policy [1], XP should
>>>>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>>>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>>>>> take a look at bullet 17 of [1]:
>>>>>>
>>>>>>     17. What is the Security Update policy?
>>>>>>
>>>>>>     Security updates will be available through the end of the Extended
>>>>>>     Support phase (five years of Mainstream Support plus five years of
>>>>>>     the Extended Support) at no additional cost for most products.
>>>>>>     Security updates will be posted on the Microsoft Update Web site
>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>
>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being
>>>>>>> feasible because it's a lot of work" rhetoric...
>>>>>> Not at all.
>>>>>>
>>>>>> Jeff
>>>>>>
>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>
>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>> <nowhere@devnull.com> wrote:
>>>>>>> Hello All:
>>>>>>>
>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not
>>>>>>> issuing a patch for a DoS level issue, I'm now curious to find out whether
>>>>>>> or not any brave souls out there are already working or willing to work on
>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>
>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being
>>>>>>> feasible because it's a lot of work" rhetoric... I would just like to hear
>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>
>>>>>>> No harm in that is there?
>>>>>>>
>>>>>>> Aras "Russ" Memisyazici
>>>>>>> Systems Administrator
>>>>>>> Virginia Tech
>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 15:23
Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word "solution."

2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.

t

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Wednesday, September 16, 2009 10:16 AM
> To: Thor (Hammer of God)
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
> course it's vulnerable to any and all gobs of stuff out there.  But its
> goal and intent is to allow Small shops to deploy Win7.  If you need
> more security, get appv/medv/whateverv or other virtualization.
>
> It's not a security platform.  It's a get the stupid 16 bit line of
> business app working platform.
>
> Thor (Hammer of God) wrote:
> > P.S.
> >
> > Anyone check to see if the default "XP Mode" VM you get for free with
> > Win7 hyperv is vulnerable and what the implications are for a host
> > running an XP vm that gets DoS'd are?
> >
> > I get the whole "XP code is too old to care" bit, but it seems odd to
> > take that "old code" and re-market it around compatibility and re-
> > distribute it with free downloads for Win7 while saying "we won't patch
> > old code."
> >
> > t
> >
> >> -----Original Message-----
> >> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, September 16, 2009 8:00 AM
> >> To: Eric C. Lukens; bugtraq@securityfocus.com
> >> Cc: full-disclosure@lists.grok.org.uk
> >> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>
> >> Thanks for the link.  The problem here is that not enough information
> >> is given, and what IS given is obviously watered down to the point of
> >> being ineffective.
> >>
> >> The quote that stands out most for me:
> >> <snip>
> >> During the Q&A, however, Windows users repeatedly asked Microsoft's
> >> security team to explain why it wasn't patching XP, or if, in certain
> >> scenarios, their machines might be at risk. "We still use Windows XP
> >> and we do not use Windows Firewall," read one of the user questions.
> >> "We use a third-party vendor firewall product. Even assuming that we
> >> use the Windows Firewall, if there are services listening, such as
> >> remote desktop, wouldn't then Windows XP be vulnerable to this?"
> >>
> >> "Servers are a more likely target for this attack, and your firewall
> >> should provide additional protections against external exploits,"
> >> replied Stone and Bryant.
> >> </snip>
> >>
> >> If an employee managing a product that my company owned gave answers
> >> like that to a public interview with Computerworld, they would be in
> >> deep doo.  First off, my default install of XP Pro SP2 has remote
> >> assistance inbound, and once you join to a domain, you obviously accept
> >> necessary domain traffic.  This "no inbound traffic by default so you
> >> are not vulnerable" line is crap.  It was a direct question - "If RDP
> >> is allowed through the firewall, are we vulnerable?" A:"Great question.
> >> Yes, servers are the target.  A firewall should provide added
> >> protection, maybe.  Rumor is that's what they are for.  Not sure
> >> really.  What was the question again?"
> >>
> >> You don't get "trustworthy" by not answering people's questions,
> >> particularly when they are good, obvious questions.  Just be honest
> >> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> >> but don't bet on it.  XP code is something like 15 years old now, and
> >> we're not going to change it.  That's the way it is, sorry. Just be
> >> glad you're using XP and not 2008/vista or you'd be patching your arse
> >> off right now."
> >>
> >> If MSFT thinks they are mitigating public opinion issues by side-
> >> stepping questions and not fully exposing the problems, they are wrong.
> >> This just makes it worse. That's the long answer.  The short answer is
> >> "XP is vulnerable to a DoS, and a patch is not being offered."
> >>
> >> t
> >>
> >>> -----Original Message-----
> >>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> >>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> >>> Sent: Tuesday, September 15, 2009 2:37 PM
> >>> To: bugtraq@securityfocus.com
> >>> Cc: full-disclosure@lists.grok.org.uk
> >>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >>>
> >>> Reference:
> >>>
> >>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
> >>>
> >>> MS claims the patch would require too much overhaul of XP to make it
> >>> worth it, and they may be right.  Who knows how many applications might
> >>> break that were designed for XP if they have to radically change the
> >>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> >>> certainly sounds like it is not going to be patched.
> >>>
> >>> The other side of the MS claim is that a properly-firewalled XP system
> >>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> >>> necessary.
> >>>
> >>> -Eric
> >>>
> >>> -------- Original Message --------
> >>> Subject: Re: 3rd party patch for XP for MS09-048?
> >>> From: Jeffrey Walton <noloader@gmail.com>
> >>> To: nowhere@devnull.com
> >>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> >>> Date: 9/15/09 3:49 PM
> >>>
> >>>> Hi Aras,
> >>>>
> >>>>> Given that M$ has officially shot-down all current Windows XP users by not
> >>>>> issuing a patch for a DoS level issue,
> >>>> Can you cite a reference?
> >>>>
> >>>> Unless Microsoft has changed their end of life policy [1], XP should
> >>>> be patched for security vulnerabilities until about 2014. Both XP Home
> >>>> and XP Pro's mainstream support ended in 4/2009, but extended support
> >>>> ends in 4/2014 [2]. Given that we know the end of extended support,
> >>>> take a look at bullet 17 of [1]:
> >>>>
> >>>>     17. What is the Security Update policy?
> >>>>
> >>>>     Security updates will be available through the end of the Extended
> >>>>     Support phase (five years of Mainstream Support plus five years of
> >>>>     the Extended Support) at no additional cost for most products.
> >>>>     Security updates will be posted on the Microsoft Update Web site
> >>>>     during both the Mainstream and the Extended Support phase.
> >>>>
> >>>>> I realize some of you might be tempted to relay the M$ BS about "not being
> >>>>> feasible because it's a lot of work" rhetoric...
> >>>> Not at all.
> >>>>
> >>>> Jeff
> >>>>
> >>>> [1] http://support.microsoft.com/gp/lifepolicy
> >>>> [2] http://support.microsoft.com/gp/lifeselect
> >>>>
> >>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> >>>> <nowhere@devnull.com> wrote:
> >>>>> Hello All:
> >>>>>
> >>>>> Given that M$ has officially shot-down all current Windows XP users by not
> >>>>> issuing a patch for a DoS level issue, I'm now curious to find out whether
> >>>>> or not any brave souls out there are already working or willing to work on
> >>>>> an open-source patch to remediate the issue within XP.
> >>>>>
> >>>>> I realize some of you might be tempted to relay the M$ BS about "not being
> >>>>> feasible because it's a lot of work" rhetoric... I would just like to hear
> >>>>> the thoughts of the true experts subscribed to these lists :)
> >>>>>
> >>>>> No harm in that is there?
> >>>>>
> >>>>> Aras "Russ" Memisyazici
> >>>>> Systems Administrator
> >>>>> Virginia Tech
> >>>
> >>> --
> >>> Eric C. Lukens
> >>> IT Security Policy and Risk Assessment Analyst
> >>> ITS-Network Services
> >>> Curris Business Building 15
> >>> University of Northern Iowa
> >>> Cedar Falls, IA 50614-0121
> >>> 319-273-7434
> >>> http://www.uni.edu/elukens/
> >>> http://weblogs.uni.edu/elukens/


From: Rob Thompson my.security.lists@gmail.com
Sent: Wed 16. Sep 2009 11:24
Susan Bradley wrote:
> Only if you are a consumer.  In a network we ALL have listening ports
> out there.

This is simply Microsoft's way of forcing you to upgrade your OS.  They
pulled the same shenanigans with Windows 2000, if you do not recall.

I'd have to say, it's time to re-evaluate where you are funneling your
$$$.  If the vendor that you PAID your hard earned dollars to is not
supporting their product like they said they would, then it's time to
move on.

There are plenty of alternatives out there.  No one says you _have_ to
run Windows.

> Elizabeth.a.greene@gmail.com wrote:
>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>> patches for XP because, by default, it runs no listening services or
>> the windows firewall can protect it.
>>
>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>> "If Windows XP is listed as an affected product, why is Microsoft not
>> issuing an update for it?
>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
>> -eg


-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
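The bulletin text quoted in the message above rests on XP having no listening service permitted through the host firewall; the disagreement running through this thread is whether that still holds once Remote Desktop, Remote Assistance or domain traffic has been allowed in. What follows is an added example, not code from the thread or from Microsoft, showing how an administrator would test that assumption on a specific machine: it parses the text of `netstat -ano` and cross-checks the TCP sockets in LISTENING state against the ports the host firewall admits inbound. The sample netstat output and the open-port set are constructed for the example; on a real XP SP2/SP3 box the open ports would be read from `netsh firewall show state`, and the example deliberately ignores XP's per-program firewall exceptions, so its result is a lower bound on exposure.

```python
"""Added example (not from the thread or from Microsoft): does the
"no listening service behind the host firewall" assumption in the MS09-048
Windows XP guidance hold on a given machine?

Input is the text of `netstat -ano` (Windows column layout) plus the set of
ports the host firewall allows inbound. Output is the list of TCP listeners
a remote peer can actually reach. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed `netstat -ano` output: RPC, SMB and RDP bound to all interfaces,
# one loopback-only service, one established connection and one UDP socket.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1436
  TCP    192.168.1.10:1051      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed firewall state: the Remote Desktop and File and Printer Sharing
# exceptions are on (the kind of change domain policy or an admin makes).
SAMPLE_FIREWALL_OPEN_PORTS = {3389, 445, 139}

LOOPBACK = ("127.0.0.1", "[::1]")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int


def parse_tcp_listeners(netstat_text: str) -> List[Listener]:
    """Extract TCP sockets in LISTENING state from `netstat -ano` text.

    Data rows are: Proto, Local Address, Foreign Address, State, PID.
    UDP rows have no State column and are skipped; MS09-048 concerns the
    TCP/IP stack's handling of TCP connections.
    """
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")  # rpartition copes with [::]:port
        listeners.append(Listener(addr, int(port), int(parts[4])))
    return listeners


def exposed_listeners(listeners: Iterable[Listener], open_ports: Set[int],
                      firewall_enabled: bool = True) -> List[Listener]:
    """Listeners a remote peer can reach: not loopback-only and, when the
    host firewall is on, on a port it permits inbound.

    Assumption of this example: only port exceptions are modelled. XP's
    firewall also has per-program exceptions, so treat this as a lower bound.
    """
    exposed = []
    for l in listeners:
        if l.addr in LOOPBACK:
            continue
        if firewall_enabled and l.port not in open_ports:
            continue
        exposed.append(l)
    return exposed


def exposure_report(netstat_text: str, open_ports: Set[int],
                    firewall_enabled: bool = True) -> List[str]:
    """One line per reachable listener, in port order."""
    found = exposed_listeners(parse_tcp_listeners(netstat_text), open_ports,
                              firewall_enabled)
    return [f"port {l.port}/tcp on {l.addr} (pid {l.pid}) is reachable"
            for l in sorted(found, key=lambda x: x.port)]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_NETSTAT, SAMPLE_FIREWALL_OPEN_PORTS):
        print(line)
    # With the firewall off, the "default" protection is gone entirely.
    print(len(exposure_report(SAMPLE_NETSTAT, set(), firewall_enabled=False)),
          "reachable listeners with the firewall disabled")
```

On the constructed sample the report names port 445 and port 3389, which is exactly the RDP-through-the-firewall case the list argues about: the machine is still "default" XP, yet two TCP listeners are reachable. With the firewall disabled (as the quoted Computerworld questioner described) every non-loopback listener is reachable, firewall exceptions or not.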


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 12:48
Cloud option maybe as we go forward but right now today, this is
business making the decisions here.

Desktop, if it were that easy we'd have ripped out desktops years ago.

Businesses have to be realistic.  Sometimes there is not "plenty of
comparable alternatives out there".

Sometimes the boss/business needs/line of business apps dictates you run
windows.

Rob Thompson wrote:
> Susan Bradley wrote:
>> Only if you are a consumer.  In a network we ALL have listening ports
>> out there.
>
> This is simply Microsoft's way of forcing you to upgrade your OS.  They
> pulled the same shenanigans with Windows 2000, if you do not recall.
>
> I'd have to say, it's time to re-evaluate where you are funneling your
> $$$.  If the vendor that you PAID your hard earned dollars to is not
> supporting their product like they said they would, then it's time to
> move on.
>
> There are plenty of alternatives out there.  No one says you _have_ to
> run Windows.
>
>> Elizabeth.a.greene@gmail.com wrote:
>>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>>> patches for XP because, by default, it runs no listening services or
>>> the windows firewall can protect it.
>>>
>>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>>> "If Windows XP is listed as an affected product, why is Microsoft not
>>> issuing an update for it?
>>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>>> listening service configured in the client firewall and are therefore
>>> not affected by this vulnerability. Windows XP Service Pack 2 and
>>> later operating systems include a stateful host firewall that provides
>>> protection for computers against incoming traffic from the Internet or
>>> from neighboring network devices on a private network. ... Customers
>>> running Windows XP are at reduced risk, and Microsoft recommends they
>>> use the firewall included with the operating system, or a network
>>> firewall, to block access to the affected ports and limit the attack
>>> surface from untrusted networks."
>>>
>>> -eg



From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 17:02
Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because theyve got 4+ years of Extended Support Period
left doesnt mean theyre going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com=20
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Its only "default" for people running XP standalone/consumer that are=20
not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub=20
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that=20
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what its for ;)  That was just my subtle
way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch,
and for which you have no intention of making a patch for, dont tell me
its mitigated by ancient, unusable default firewall settings, and dont
withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERES
EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, dont say
you can deploy firewall settings via group policy to mitigate exposure
when the firewall obviously must be accepting network connections to get
the settings in the first place. If all it takes is any listening
service, then you have issues.  Its like telling me that "the solution
is to take the letter f out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boot sales of
Win7 to corporate customers by providing free XP VM technology and thus
play up how important XP is and how many companies still depend upon it
for business critical application compatibility, dont deploy that
technology in an other-than-default configuration that is subject to a
DoS exploit while downplaying the extent that the exploit may be
leveraged by saying that a "typical" default configuration mitigates it
while choosing not to ever patch it.    Seems like simple logic points
to me.
>
> t
>
>> -----Original Message-----
>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>> Sent: Wednesday, September 16, 2009 10:16 AM
>> To: Thor (Hammer of God)
>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>> course it's vulnerable to any and all gobs of stuff out there.  But its
>> goal and intent is to allow small shops to deploy Win7.  If you need
>> more security, get appv/medv/whateverv or other virtualization.
>>
>> It's not a security platform.  It's a "get the stupid 16 bit line of
>> business app working" platform.
>>
>> Thor (Hammer of God) wrote:
>>> P.S.
>>>
>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>> Win7 hyperv is vulnerable and what the implications are for a host
>>> running an XP vm that gets DoSd are?
>>>
>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>> take that "old code" and re-market it around compatibility and re-
>>> distribute it with free downloads for Win7 while saying "we won't patch
>>> old code."
>>>
>>> t
>>>
>>>> -----Original Message-----
>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>> Cc: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>
>>>> Thanks for the link.  The problem here is that not enough information
>>>> is given, and what IS given is obviously watered down to the point of
>>>> being ineffective.
>>>>
>>>> The quote that stands out most for me:
>>>> <snip>
>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>> and we do not use Windows Firewall," read one of the user questions.
>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>> use the Windows Firewall, if there are services listening, such as
>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>
>>>> "Servers are a more likely target for this attack, and your firewall
>>>> should provide additional protections against external exploits,"
>>>> replied Stone and Bryant.
>>>> </snip>
>>>>
>>>> If an employee managing a product that my company owned gave answers
>>>> like that to a public interview with Computerworld, they would be in
>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>> is allowed through the firewall, are we vulnerable?" A: "Great question.
>>>> Yes, servers are the target.  A firewall should provide added
>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>> really.  What was the question again?"
>>>>
>>>> You don't get "trustworthy" by not answering people's questions,
>>>> particularly when they are good, obvious questions.  Just be honest
>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>> off right now."
>>>>
>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>> This just makes it worse. That's the long answer.  The short answer is
>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>> To: bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Reference:
>>>>>
>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>
>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>> break that were designed for XP if they have to radically change the
>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>> certainly sounds like it is not going to be patched.
>>>>>
>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>> necessary.
>>>>>
>>>>> -Eric
>>>>>
>>>>> --
>>>>> Eric C. Lukens
>>>>> IT Security Policy and Risk Assessment Analyst
>>>>> ITS-Network Services
>>>>> Curris Business Building 15
>>>>> University of Northern Iowa
>>>>> Cedar Falls, IA 50614-0121
>>>>> 319-273-7434
>>>>> http://www.uni.edu/elukens/
>>>>> http://weblogs.uni.edu/elukens/
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/



From: "Aras "Russ" Memisyazici" nowhere@devnull.com
Sent: Wed 16. Sep 2009 18:39
:)

Thank you all for your valuable comments... Indeed I appreciated some of the
links/info extended (Susan, Thor and Tom). However, in the end, it sounded
like:

a) As a sysadmin in charge of maintaining XP systems along with a whole
shebang of other mixed setups, unless I deploy a "better" firewall solution, I
seem to be SOL.

b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
earlier, they did the exact same thing back in Win2K days... Nothing new
here... :/ As Larry and Thor pointed out, what sux is that despite M$
"PROMISING" that they would continue supporting XP, since they didn't exactly
state WHAT they would support, they seem to be legally free to actually get
away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
to promises...

So... with all this commentary, in the end, I still didn't read from the
"biguns" on whether or not a 3rd party open-source patch would be
released... I sure miss the days that people back in the day who cared would
:) In the end I realize, it sounds like a total overhaul of the TCP/IP
stack is required; but does it really have to? Really?

How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
suggesting switching to an iptables based protection along with a registry
tweak... ahh the good ol' batch firewall :) Would this actually work as a
viable work-around? I realize M$ stated this as such, but given their
current reputation it's really hard to take their word for anything these
days :P

What free/cheap client-level-IPS solutions block this current attack? Any
suggestions?

Thank you for your time and look forward to some more answers.

Sincerely,
Aras "Russ" Memisyazici
arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
you know why!

Systems Administrator
Virginia Tech

-----Original Message-----
From: Larry Seltzer [mailto:larry@larryseltzer.com] 
Sent: Wednesday, September 16, 2009 5:03 PM
To: Susan Bradley; Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

Yes, they used the bulletin to soft-pedal the description, but at the
same time I think they send a message about XP users being on shaky
ground. Just because they've got 4+ years of Extended Support Period
left doesn't mean they're going to get first-class treatment.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
Bradley
Sent: Wednesday, September 16, 2009 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow sub sub
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)




From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 07:59
<jaded mode off>

I know too many of the good geeks behind Microsoft and I do trust that
this IS NOT a plot to sell more Win7.  Granted the marketing folks spun
this bulletin WAY WAY TOO much.  It is what it is.  I do believe the
architecture in XP just isn't there.  It's a 10 year old platform that
sometimes you can't bolt on this stuff afterwards.  Even in Vista, it's
not truly fixing the issue, merely making the system more resilient to
attacks.  Read the fine print in the patch... it's just making the system
kill a session and recover better.

I am not a fan of third party because you bring yourself outside the
support window of the product.

It is just a DOS.  I DOS myself after patch Tuesday sometimes with mere
patch issues.  Also the risk of this appears low, the potential for
someone coding up an attack low... I have bigger risks from fake A/V at me.

Is this truly the risk that one has to take such actions and expect such
energy?

I don't see that it is.  Give me more information that it is a risk and
I may change my mind, but right now, I'm just not seeing that it's worth it.



>>>>> glad youre using XP and not 2008/vista or youd be patching your
>>>>>         
>>>>>           
>>> arse
>>>     
>>>       
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are
>>>>>         
>>>>>           
>>> wrong.
>>>     
>>>       
>>>>> This just makes it worse. Thats the long answer.  The short answer
>>>>>         
>>>>>           
>>> is
>>>     
>>>       
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>         
>>>>>           
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@securityfocus.com
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for
>>>>>>             
> MS09-048?
>   
>>>>>> Reference:
>>>>>>
>>>>>>
>>>>>>
>>>>>>           
>>>>>>             
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
>   
>>>     
>>>       
>>>>>> hes_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require to much overhaul of XP to make
>>>>>>             
> it
>   
>>>>>> worth it, and they may be right.  Who knows how many applications
>>>>>>
>>>>>>           
>>>>>>             
>>>>> might
>>>>>
>>>>>         
>>>>>           
>>>>>> break that were designed for XP if they have to radically change
>>>>>>           
>>>>>>             
>>> the
>>>     
>>>       
>>>>>> TCP/IP stack.  Now, I dont know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP
>>>>>>
>>>>>>           
>>>>>>             
>>>>> system
>>>>>
>>>>>         
>>>>>           
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldnt be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>> To: nowhere@devnull.com
>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> users
>>>>>
>>>>>         
>>>>>           
>>>>>> by not
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> issuing a patch for a DoS level issue,
>>>>>>>>
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>> should
>>>>>
>>>>>         
>>>>>           
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>> Home
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>> and XP Pros mainstream support ended in 4/2009, but extended
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>> support
>>>>>
>>>>>         
>>>>>           
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended
>>>>>>>             
>>>>>>>               
>>> support,
>>>     
>>>       
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>> Extended
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>     Support phase (five years of Mainstream Support plus five
>>>>>>>             
>>>>>>>               
>>> years
>>>     
>>>       
>>>>>> of
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>     the Extended Support) at no additional cost for most
>>>>>>>               
> products.
>   
>>>>>>>     Security updates will be posted on the Microsoft Update Web
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>> site
>>>>>
>>>>>         
>>>>>           
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> "not
>>>>>
>>>>>         
>>>>>           
>>>>>> being
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> feasible because its a lot of work" rhetoric...
>>>>>>>>
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>             
>>>>>>>               
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> users
>>>>>
>>>>>         
>>>>>           
>>>>>> by not
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> issuing a patch for a DoS level issue, Im now curious to find
>>>>>>>>               
>>>>>>>>                 
>>> out
>>>     
>>>       
>>>>>> whether
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> or not any brave souls out there are already working or willing
>>>>>>>>               
>>>>>>>>                 
>>> to
>>>     
>>>       
>>>>>> work on
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> an open-source patch to remediate the issue within XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>> "not
>>>>>
>>>>>         
>>>>>           
>>>>>> being
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> feasible because its a lot of work" rhetoric... I would just
>>>>>>>>               
>>>>>>>>                 
>>> like
>>>     
>>>       
>>>>>> to hear
>>>>>>
>>>>>>           
>>>>>>             
>>>>>>>> the thoughts of the true experts subscribed to these lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>               
>>>>>>>>                 
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>>           
>>>>>>             
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>         
>>>>>           
>>>>       
>>>>         
>>   
>>     
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>   


From: John Morrison john.morrison101@googlemail.com
Sent: Thu 17. Sep 2009 16:29
On http://support.microsoft.com/gp/lifepolicy MS says that the
"Extended Support Phase" includes "Security Update Support". If I have
a Premier Support contract (which entitles me to Extended Support)
aren't MS contractually obliged to make this fix available to me?


2009/9/16 Aras "Russ" Memisyazici <nowhere@devnull.com>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the
> links/info extended (Susan, Thor and Tom) However, in the end, it sounded
> like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole
> shebang of other mix setups, unless I deploy a "better" firewall solution, I
> seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated
> earlier, they did the exact same thing back in Win2K days... Nothing new
> here... :/ As Larry and Thor pointed out, what sux is that despite M$
> "PROMISING" that they would continue supporting XP since they didn't exactly
> state WHAT they would support, they seem to be legally free to actually get
> away with this BS *sigh* gotta love insurance-salesman-tactics when it comes
> to promises...
>
> So... with all this commentary, in the end, I still didn't read from the
> "biguns" on whether or not a 3rd party open-source patch would be
> released... I sure miss the days that people back in the day who cared would
> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
> stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null for... well
> you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because they've got 4+ years of Extended Support Period
> left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
> Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's only "default" for people running XP standalone/consumer that are
> not even in a home network settings.
>
> That kinda slices and dices that default down to a VERY narrow sub sub
> sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that
> bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>> way of trying to make a point.  To be more explicit:
>>
>> 1)  If you are publishing a vulnerability for which there is no patch,
>> and for which you have no intention of making a patch for, don't tell me
>> it's mitigated by ancient, unusable default firewall settings, and don't
>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>> you can deploy firewall settings via group policy to mitigate exposure
>> when the firewall obviously must be accepting network connections to get
>> the settings in the first place. If all it takes is any listening
>> service, then you have issues.  It's like telling me that "the solution
>> is to take the letter f out of the word "solution."
>>
>> 2)  Think things through.  If you are going to try to boot sales of
>> Win7 to corporate customers by providing free XP VM technology and thus
>> play up how important XP is and how many companies still depend upon it
>> for business critical application compatibility, don't deploy that
>> technology in an other-than-default configuration that is subject to a
>> DoS exploit while downplaying the extent that the exploit may be
>> leveraged by saying that a "typical" default configuration mitigates it
>> while choosing not to ever patch it.    Seems like simple logic points
>> to me.
>>
>> t
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>> more security, get appv/medv/whateverv or other virtualization.
>>>
>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>> business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>> running an XP vm that gets DoS'd are?
>>>>
>>>> I get the whole "XP code to too old to care" bit, but it seems odd to
>>>> take that "old code" and re-market it around compatibility and re-
>>>> distribute it with free downloads for Win7 while saying "we won't patch
>>>> old code."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of
>>>>> God)
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@securityfocus.com
>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link.  The problem here is that not enough information
>>>>> is given, and what IS given is obviously watered down to the point of
>>>>> being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>>>>> security team to explain why it wasn't patching XP, or if, in certain
>>>>> scenarios, their machines might be at risk. "We still use Windows XP
>>>>> and we do not use Windows Firewall," read one of the user questions.
>>>>> "We use a third-party vendor firewall product. Even assuming that we
>>>>> use the Windows Firewall, if there are services listening, such as
>>>>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your firewall
>>>>> should provide additional protections against external exploits,"
>>>>> replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave answers
>>>>> like that to a public interview with Computerworld, they would be in
>>>>> deep doo.  First off, my default install of XP Pro SP2 has remote
>>>>> assistance inbound, and once you join to a domain, you obviously accept
>>>>> necessary domain traffic.  This "no inbound traffic by default so you
>>>>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>>>>> is allowed through the firewall, are we vulnerable?" A:"Great question.
>>>>> Yes, servers are the target.  A firewall should provide added
>>>>> protection, maybe.  Rumor is that's what they are for.  Not sure
>>>>> really.  What was the question again?"
>>>>>
>>>>> You don't get "trustworthy" by not answering people's questions,
>>>>> particularly when they are good, obvious questions.  Just be honest
>>>>> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
>>>>> but don't bet on it.  XP code is something like 15 years old now, and
>>>>> we're not going to change it.  That's the way it is, sorry. Just be
>>>>> glad you're using XP and not 2008/vista or you'd be patching your arse
>>>>> off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-
>>>>> stepping questions and not fully exposing the problems, they are wrong.
>>>>> This just makes it worse. That's the long answer.  The short answer is
>>>>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>>>>>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@securityfocus.com
>>>>>> Cc: full-disclosure@lists.grok.org.uk
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>
>>>>>> Reference:
>>>>>>
>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require too much overhaul of XP to make it
>>>>>> worth it, and they may be right.  Who knows how many applications might
>>>>>> break that were designed for XP if they have to radically change the
>>>>>> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
>>>>>> certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP system
>>>>>> would not be vulnerable to a DOS anyway, so a patch shouldn't be
>>>>>> necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message  --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@gmail.com>
>>>>>> To: nowhere@devnull.com
>>>>>> Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users
>>>>>>>> by not issuing a patch for a DoS level issue,
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP should
>>>>>>> be patched for security vulnerabilities until about 2014. Both XP Home
>>>>>>> and XP Pro's mainstream support ended in 4/2009, but extended support
>>>>>>> ends in 4/2014 [2]. Given that we know the end of extended support,
>>>>>>> take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>>     17. What is the Security Update policy?
>>>>>>>
>>>>>>>     Security updates will be available through the end of the Extended
>>>>>>>     Support phase (five years of Mainstream Support plus five years of
>>>>>>>     the Extended Support) at no additional cost for most products.
>>>>>>>     Security updates will be posted on the Microsoft Update Web site
>>>>>>>     during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>>>>> being feasible because it's a lot of work" rhetoric...
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
>>>>>>> <nowhere@devnull.com> wrote:
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users
>>>>>>>> by not issuing a patch for a DoS level issue, I'm now curious to find
>>>>>>>> out whether or not any brave souls out there are already working or
>>>>>>>> willing to work on an open-source patch to remediate the issue within
>>>>>>>> XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not
>>>>>>>> being feasible because it's a lot of work" rhetoric... I would just
>>>>>>>> like to hear the thoughts of the true experts subscribed to these
>>>>>>>> lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Thu 17. Sep 2009 10:16
Good geeks ...not gook geeks.

It's not a racial slight, it's spellchecker not working and I didn't
realize I spelled it wrong.  My deepest apologies if anyone reads that
wrong.

Hisashi T Fujinaka wrote:
> On Thu, 17 Sep 2009, Susan Bradley wrote:
>
>> <jaded mode off>
>>
>> I know too many of the gook geeks behind Microsoft and I do trust 
>> that this
>                          ^^^^ ^^^^
>
> You do realize this can be read as a racial slight towards Koreans.
>
>> IS NOT a plot to sell more Win7.  Granted the marketing folks spun 
>> this bulletin WAY WAY TOO much.  It is what it is.  I do believe the 
>> architecture in XP just isnt there.  Its a 10 year old platform 
>> that sometimes you cant bolt on this stuff afterwards.  Even in 
>> Vista, its not truly fixing the issue, merely making the system more 
>> resilient to attacks.  Read the fine print in the patch.. its just 
>> making the system kill a session and recover better.
>>
>> I am not a fan of third party because you bring yourself outside the 
>> support window of the product.
>>
>> It is just a DOS.  I DOS myself after patch Tuesday sometimes with 
>> mere patch issues.  Also the risk of this appears low, the potential 
>> for someone coding up an attack low... I have bigger risks from fake 
>> A/V at me.
>>
>> Is this truly the risk that one has to take such actions and expect 
>> such energy? I dont see that it is.  Give me more information that 
>> it is a risk and I may change my mind, but right now, Im just not 
>> seeing that its worth it.
>>
>>
>>
>> Aras "Russ" Memisyazici wrote:
>>> :)
>>>
>>> Thank you all for your valuable comments... Indeed I appreciated 
>>> some of the
>>> links/info extended (Susan, Thor and Tom) However, in the end, it 
>>> sounded
>>> like:
>>>
>>> a) As a sysadmin in charge of maintaining XP systems along with a whole
>>> shebang of other mix setups, unless I deploy a "better" firewall 
>>> solution, I
>>> seem to be SOL.
>>>
>>> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was 
>>> stated
>>> earlier, they did the exact same thing back in Win2K days... Nothing 
>>> new
>>> here... :/ As Larry and Thor pointed out, what sux is that despite M$
>>> "PROMISING" that they would continue supporting XP since they didnt 
>>> exactly
>>> state WHAT they would support, they seem to be legally free to 
>>> actually get
>>> away with this BS *sigh* gotta love insurance-salesman-tactics when 
>>> it comes
>>> to promises...
>>>
>>> So... with all this commentary, in the end, I still didnt read from 
>>> the
>>> "biguns" on whether or not a 3rd party open-source patch would be
>>> released... I sure miss the days that people back in the day who 
>>> cared would
>>> :) In the end I realize, it sounds like a total over-haul of the TCP/IP
>>> stack is required; but does it really have to? Really?
>>>
>>> How effective is what Tom Grace suggests? Unless Im 
>>> misunderstanding, hes
>>> suggesting switching to an iptables based protection along with a 
>>> registry
>>> tweak... ahh the good ol batch firewall :) Would this actually work 
>>> as a
>>> viable work-around? I realize M$ stated this as such, but given their
>>> current reputation its really hard to take their word for anything 
>>> these
>>> days :P
>>>
>>> What free/cheap client-level-IPS solutions block this current 
>>> attack? Any
>>> suggestions?
>>>
>>> Thank you for your time and look forward to some more answers.
>>>
>>> Sincerely,
>>> Aras "Russ" Memisyazici
>>> arasm {at) vt ^dot^ edu  --> I set my return addy to /dev/null 
>>> for... well
>>> you know why!
>>>
>>> Systems Administrator
>>> Virginia Tech
>>>
>>> -----Original Message-----
>>> From: Larry Seltzer [mailto:larry@larryseltzer.com] Sent: Wednesday, 
>>> September 16, 2009 5:03 PM
>>> To: Susan Bradley; Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Yes, they used the bulletin to soft-pedal the description, but at the
>>> same time I think they send a message about XP users being on shaky
>>> ground. Just because theyve got 4+ years of Extended Support Period
>>> left doesnt mean theyre going to get first-class treatment.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> larry_seltzer@ziffdavis.com http://blogs.pcmag.com/securitywatch/
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces@lists.grok.org.uk
>>> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Susan
>>> Bradley
>>> Sent: Wednesday, September 16, 2009 2:26 PM
>>> To: Thor (Hammer of God)
>>> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> Its only "default" for people running XP standalone/consumer that 
>>> are not even in a home network settings.
>>>
>>> That kinda slices and dices that default down to a VERY narrow sub 
>>> sub sub set of customer base.
>>>
>>> (Bottom line, yes, the marketing team definitely got a hold of that
>>> bulletin)
>>>
>>> Thor (Hammer of God) wrote:
>>>
>>>> Yeah, I know what it is and what it's for ;)  That was just my subtle
>>>> way of trying to make a point.  To be more explicit:
>>>>
>>>> 1)  If you are publishing a vulnerability for which there is no patch,
>>>> and for which you have no intention of making a patch for, don't tell me
>>>> it's mitigated by ancient, unusable default firewall settings, and don't
>>>> withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S
>>>> EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say
>>>> you can deploy firewall settings via group policy to mitigate exposure
>>>> when the firewall obviously must be accepting network connections to get
>>>> the settings in the first place. If all it takes is any listening
>>>> service, then you have issues.  It's like telling me that "the solution
>>>> is to take the letter f out of the word "solution."
>>>>
>>>> 2)  Think things through.  If you are going to try to boost sales of
>>>> Win7 to corporate customers by providing free XP VM technology and thus
>>>> play up how important XP is and how many companies still depend upon it
>>>> for business critical application compatibility, don't deploy that
>>>> technology in an other-than-default configuration that is subject to a
>>>> DoS exploit while downplaying the extent that the exploit may be
>>>> leveraged by saying that a "typical" default configuration mitigates it
>>>> while choosing not to ever patch it.    Seems like simple logic points
>>>> to me.
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
>>>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>>>> To: Thor (Hammer of God)
>>>>> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
>>>>> course it's vulnerable to any and all gobs of stuff out there.  But its
>>>>> goal and intent is to allow Small shops to deploy Win7.  If you need
>>>>> more security, get appv/medv/whateverv or other virtualization.
>>>>>
>>>>> It's not a security platform.  It's a get the stupid 16 bit line of
>>>>> business app working platform.
>>>>>
>>>>> Thor (Hammer of God) wrote:
>>>>>
>>>>>> P.S.
>>>>>>
>>>>>> Anyone check to see if the default "XP Mode" VM you get for free with
>>>>>> Win7 hyperv is vulnerable and what the implications are for a host
>>>>>> running an XP vm that gets DoS'd are?
>>>>>>
>>>>>> I get the whole "XP code is too old to care" bit, but it seems odd to
>>>>>> take that "old code" and re-market it around compatibility and re-
>>>>>> distribute it with free downloads for Win7 while saying "we won't
>>>>>> patch old code."
>>>>>>
>>>>>> t
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/


From: Mailing lists at Core Security Technologies lists@coresecurity.com
Sent: Tue 22. Sep 2009 19:32
Aras "Russ" Memisyazici wrote:
> 
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's
> suggesting switching to an iptables based protection along with a registry
> tweak... ahh the good ol' batch firewall :) Would this actually work as a
> viable work-around? I realize M$ stated this as such, but given their
> current reputation it's really hard to take their word for anything these
> days :P
> 
> What free/cheap client-level-IPS solutions block this current attack? Any
> suggestions?
> 
> Thank you for your time and look forward to some more answers.

Hi,

This _may_ work for you. It includes a port to Windows of OpenBSD's PF
firewall, which provides stateful filtering with packet scrubbing for
inbound and outbound traffic.

http://force.coresecurity.com/index.php?module=base&page=about

*CAVEAT* This is an OLD project that is no longer maintained or
supported. If you use it, you will be on your own.

regards,

-ivan




From: Eric Kimminau eak@kimminau.org
Sent: Tue 15. Sep 2009 17:23
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

http://edge.technet.com/Media/MSRC-Monthly-Security-Bulletin-Webcast-September-2009/




From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:24
Read the bulletin.  There's no patch.  It is deemed by Microsoft to be
of low impact and thus no patch has been built.




From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:29
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in 
Windows TCP/IP Could Allow Remote Code Execution (967723):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

If Windows XP is listed as an affected product, why is Microsoft not
issuing an update for it?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
Windows XP Professional x64 Edition Service Pack 2 do not have a listening
service configured in the client firewall and are therefore not affected
by this vulnerability. Windows XP Service Pack 2 and later operating
systems include a stateful host firewall that provides protection for
computers against incoming traffic from the Internet or from neighboring
network devices on a private network. The impact of a denial of service
attack is that a system would become unresponsive due to memory
consumption. However, a successful attack requires a sustained flood of
specially crafted TCP packets, and the system will recover once the flood
ceases. This makes the severity rating Low for Windows XP. Windows XP is
not affected by CVE-2009-1925. Customers running Windows XP are at reduced
risk, and Microsoft recommends they use the firewall included with the
operating system, or a network firewall, to block access to the affected
ports and limit the attack surface from untrusted networks.




From: "Eric C. Lukens" eric.lukens@uni.edu
Sent: Tue 15. Sep 2009 16:37
Reference:

http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

MS claims the patch would require too much overhaul of XP to make it
worth it, and they may be right.  Who knows how many applications might
break that were designed for XP if they have to radically change the
TCP/IP stack.  Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP system
would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.

-Eric


-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/





From: Jeffrey Walton noloader@gmail.com
Sent: Tue 15. Sep 2009 17:52
Hi Susan,

> Read the bulletin.  There's no patch.  It is deemed by Microsoft to be of
> low impact and thus no patch has been built.
I don't know how I missed that XP/SP2 and above were not being
patched. It appears that my two references are worthless... I used to
use them in position papers!
* http://support.microsoft.com/gp/lifepolicy
* http://support.microsoft.com/gp/lifeselect

Jeff



From: Matt Riddell matt@venturevoip.com
Sent: Wed 16. Sep 2009 09:53
On 16/09/09 8:49 AM, Jeffrey Walton wrote:
> Hi Aras,
>
>> Given that M$ has officially shot-down all current Windows XP users by not
>> issuing a patch for a DoS level issue,
> Can you cite a reference?

http://tech.slashdot.org/article.pl?sid=09/09/15/0131209

-- 
Cheers,

Matt Riddell
Director
_______________________________________________

http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
http://www.venturevoip.com/c3.php (ConduIT3 PABX Systems)


From: Susan Bradley sbradcpa@pacbell.net
Sent: Tue 15. Sep 2009 14:55
It's not that they aren't supported per se, just that Microsoft has
deemed the impact of DoS to be low and the ability to patch that platform
impossible/difficult, and thus have made a risk calculation accordingly.

Sometimes the architecture is what it is.



From: Elizabeth.a.greene@gmail.com
Sent: Tue 15. Sep 2009 21:56
As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.

Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
"If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."

-eg
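
An exposure check for the mitigation the bulletin leans on, added here as an example for this thread (not code from the list, the bulletin or Microsoft): it parses constructed samples of netstat -an and netsh firewall show state output and reports which listening TCP ports are still reachable from the network, the RDP-behind-the-firewall case raised in the thread. The sample output and the port descriptions are assumptions made for the demo.

```python
"""Exposure check for the MS09-048 TCP/IP flood on a Windows XP host.

Added example, not from the thread or from Microsoft: it parses `netstat -an`
and `netsh firewall show state` (XP SP2-era commands) and reports which
listening TCP ports a remote host can actually reach through the firewall.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of `netstat -an` on an XP box with Remote Desktop enabled.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample of `netsh firewall show state`: firewall on, one
# exception (TCP 3389) opened for Remote Desktop.
SAMPLE_FIREWALL = """\
Firewall status:
-------------------------------------------------------------------
Operational mode                  = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
"""

# Well-known XP listeners the thread mentions (RPC, NetBIOS, SMB, RDP).
KNOWN_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session",
               445: "SMB", 3389: "Remote Desktop"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING",
                       re.MULTILINE)
MODE_RE = re.compile(r"^Operational mode\s*=\s*(\w+)", re.MULTILINE)
OPEN_RE = re.compile(r"^(\d+)\s+TCP\s", re.MULTILINE)


def listening_sockets(netstat_text: str) -> List[Tuple[str, int]]:
    """TCP sockets in LISTENING state as (bound address, port) pairs."""
    return [(ip, int(port)) for ip, port in LISTEN_RE.findall(netstat_text)]


def firewall_state(netsh_text: str) -> Tuple[bool, List[int]]:
    """(firewall enabled?, TCP ports opened by exceptions) from netsh output."""
    m = MODE_RE.search(netsh_text)
    enabled = bool(m) and m.group(1).lower() == "enable"
    return enabled, sorted({int(p) for p in OPEN_RE.findall(netsh_text)})


def exposed_ports(netstat_text: str, netsh_text: str) -> Dict[int, str]:
    """Listening TCP ports a remote host can reach, as port -> description.

    Loopback-bound sockets are unreachable from the network.  With the
    firewall off every other listener is exposed; with it on, only the
    ports an exception has opened (the RDP case raised in the thread).
    """
    enabled, opened = firewall_state(netsh_text)
    result: Dict[int, str] = {}
    for ip, port in listening_sockets(netstat_text):
        if ip.startswith("127."):
            continue
        if not enabled or port in opened:
            result[port] = KNOWN_PORTS.get(port, "unknown service")
    return result


def verdict(netstat_text: str, netsh_text: str) -> str:
    """One-line summary in the bulletin's own terms."""
    exposed = exposed_ports(netstat_text, netsh_text)
    if not exposed:
        return ("no listening TCP service reachable from the network: "
                "matches the bulletin's 'not affected' default")
    ports = ", ".join(f"{p} ({d})" for p, d in sorted(exposed.items()))
    return f"reachable TCP listeners: {ports}; a sustained flood can reach this host"


def main() -> None:
    if sys.platform == "win32":
        # Live data on a real host; the netsh firewall context is XP-era.
        netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
        netsh = subprocess.run(["netsh", "firewall", "show", "state"],
                               capture_output=True, text=True).stdout
    else:
        netstat, netsh = SAMPLE_NETSTAT, SAMPLE_FIREWALL
    print(verdict(netstat, netsh))


if __name__ == "__main__":
    main()
```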


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 11:59
Thanks for the link.  The problem here is that not enough information is
given, and what IS given is obviously watered down to the point of being
ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's
security team to explain why it wasn't patching XP, or if, in certain
scenarios, their machines might be at risk. "We still use Windows XP and
we do not use Windows Firewall," read one of the user questions. "We use
a third-party vendor firewall product. Even assuming that we use the
Windows Firewall, if there are services listening, such as remote
desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo.  First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously accept
necessary domain traffic.  This "no inbound traffic by default so you
are not vulnerable" line is crap.  It was a direct question - "If RDP is
allowed through the firewall, are we vulnerable?" A: "Great question.
Yes, servers are the target.  A firewall should provide added
protection, maybe.  Rumor is that's what they are for.  Not sure really.
What was the question again?"

You don't get "trustworthy" by not answering people's questions,
particularly when they are good, obvious questions.  Just be honest
about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
but don't bet on it.  XP code is something like 15 years old now, and
we're not going to change it.  That's the way it is, sorry. Just be glad
you're using XP and not 2008/vista or you'd be patching your arse off
right now."

If MSFT thinks they are mitigating public opinion issues by
side-stepping questions and not fully exposing the problems, they are
wrong.  This just makes it worse. That's the long answer.  The short
answer is "XP is vulnerable to a DoS, and a patch is not being offered."

t



> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> Sent: Tuesday, September 15, 2009 2:37 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require too much overhaul of XP to make it
> worth it, and they may be right.  Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> necessary.
>
> -Eric
>
>
> --
> Eric C. Lukens
> IT Security Policy and Risk Assessment Analyst
> ITS-Network Services
> Curris Business Building 15
> University of Northern Iowa
> Cedar Falls, IA 50614-0121
> 319-273-7434
> http://www.uni.edu/elukens/
> http://weblogs.uni.edu/elukens/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


From: Larry Seltzer larry@larryseltzer.com
Sent: Wed 16. Sep 2009 11:21
I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a "Low" threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have rated it at least Medium. If I'm wrong about
that then the "Low" rating is misleading.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/




From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 12:15
P.S.

Anyone check to see if the default "XP Mode" VM you get for free with Win7
hyperv is vulnerable and what the implications are for a host running an XP
vm that gets DoS'd are?

I get the whole "XP code is too old to care" bit, but it seems odd to take
that "old code" and re-market it around compatibility and re-distribute it
with free downloads for Win7 while saying "we won't patch old code."

t



From: Tom Grace tom@deathbycomputers.co.uk
Sent: Wed 16. Sep 2009 16:57
Is this relevant?
QUOTE---
Protect to 2 for the best protection against SYN attacks. This value 
adds additional delays to connection indications, and TCP connection 
requests quickly timeout when a SYN attack is in progress. This 
parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you 
set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in 
theory, around it... & iirc, "Scalable Windows", via setsockopt API 
calls from an attacker are what the problem is here anyhow & this ought 
to stall it... thoughts/feedback?

APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize 
settings in the registry in TCP/IP Parameters (see registry path above) 
SHOULD also help here also, for servers that can accept MANY connections 
from MANY clients, worldwide, as your specific constraints specify...

Thus, effectively stalling the ability to use TcpWindowScaling is 
stopped by SynAttackProtect too, so an attacking system/app sending a 
setsockopt of 0 for this SHOULD also be nullified, on a server also...

(However/Again - Workstations are easily taken care of , vs. servers, 
just by what I wrote up above either by PORT FILTERING)

IP Security Policies, which can work on ranges of addresses to block, 
OR, single systems as well you either ALLOW or DENY to talk to your 
system, still can help also... vs. a DDOS though? SynAttackProtect is 
your best friend here... you'd use netstat -b -n tcp to see which are 
held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR 
WAY (or just by doing it in a router or routing table)... takers anyone, 
on these thoughts (especially for Windows 2000)?

Thanks for your time... apk
UNQUOTE--

Source: http://tech.slashdot.org/comments.pl?sid=1368439&cid=29424787

Susan Bradley wrote:
> It's not that they aren't supported per se, just that Microsoft has 
> deemed the impact of DOS to be low, the ability to patch that platform 
> impossible/difficult and thus have made a risk calculation accordingly.
> 
> Sometimes the architecture is what it is.
> 
> Jeffrey Walton wrote:
>> Hi Susan,
>>
>>  
>>> Read the bulletin.  There's no patch.  It is deemed by Microsoft to 
>>> be of
>>> low impact and thus no patch has been built.
>>>     
>> I don't know how I missed that XP/SP2 and above were not being
>> patched. It appears that my two references are worthless... I used to
>> use them in position papers!
>> * http://support.microsoft.com/gp/lifepolicy
>> * http://support.microsoft.com/gp/lifeselect
>>
>> Jeff
>>
>>   
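Two claims in this thread can be checked on a box rather than argued about: the bulletin text Elizabeth quoted rests on XP having no listening service reachable from the network, and the Slashdot post Tom quoted says to use netstat to see which remote hosts are holding connections in the half-open SYN-RECEIVED state. The script below is an added example written for this page, not code from the thread, from Microsoft, or from the quoted poster. It parses the output of `netstat -ano` (the format printed by XP SP2 and later; `-b` adds "[program.exe]" lines, which the parser skips) and reports both things. The sample output, the PIDs and the addresses are constructed, and the threshold of 3 half-open connections is an arbitrary example value, not a documented cut-off. Whether a pile of half-open connections is this particular issue or ordinary SYN flooding is not something netstat can tell you; it only shows where the pressure is coming from.

```python
"""Summarise Windows `netstat -ano` output.

Answers two questions: which TCP ports are actually listening and reachable
from the network, and which remote hosts hold many half-open (SYN_RECEIVED)
TCP connections at once.
"""
import re
from collections import Counter

# Constructed sample, not captured from a real host: the PIDs are made up and
# the 203.0.113.0/24 and 198.51.100.0/24 remotes are documentation addresses.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1108
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1340
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      192.168.1.50:1522      ESTABLISHED     1108
  TCP    192.168.1.10:3389      203.0.113.7:40211      SYN_RECEIVED    1108
  TCP    192.168.1.10:3389      203.0.113.7:40212      SYN_RECEIVED    1108
  TCP    192.168.1.10:3389      203.0.113.7:40213      SYN_RECEIVED    1108
  TCP    192.168.1.10:445       203.0.113.7:40214      SYN_RECEIVED    4
  TCP    192.168.1.10:445       198.51.100.9:5050      SYN_RECEIVED    4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1204
"""

# One socket line: proto, local endpoint, remote endpoint, optional state
# (UDP lines have none), owning PID. Header, blank and "[program.exe]" lines
# from `netstat -b` do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def _split_endpoint(endpoint):
    """'192.168.1.10:3389' -> ('192.168.1.10', '3389'); also handles '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line in `text`; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        rows.append({
            "proto": proto,
            "local_host": lhost,
            "local_port": int(lport),
            "remote_host": rhost,
            "remote_port": rport,
            "state": state,        # None for UDP sockets
            "pid": int(pid),
        })
    return rows


def listening_tcp_ports(rows, include_loopback=False):
    """Sorted TCP ports in LISTENING state. Binds to 127.x are dropped by
    default because they are not reachable from the network."""
    ports = set()
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "LISTENING":
            continue
        if not include_loopback and r["local_host"].startswith("127."):
            continue
        ports.add(r["local_port"])
    return sorted(ports)


def half_open_by_remote(rows):
    """Count SYN_RECEIVED (half-open) TCP connections per remote host."""
    return Counter(
        r["remote_host"] for r in rows
        if r["proto"] == "TCP" and r["state"] == "SYN_RECEIVED"
    )


def suspicious_remotes(rows, threshold=3):
    """Remote hosts holding at least `threshold` half-open connections.
    The default threshold is an example value, not a documented cut-off."""
    return sorted(h for h, n in half_open_by_remote(rows).items() if n >= threshold)


def report(text, threshold=3):
    """Human-readable summary of one netstat capture."""
    rows = parse_netstat(text)
    lines = ["Network-reachable TCP listeners: %s" % (listening_tcp_ports(rows) or "none")]
    for host, n in half_open_by_remote(rows).most_common():
        lines.append("half-open from %-16s %d" % (host, n))
    lines.append("Remotes at/over threshold %d: %s"
                 % (threshold, suspicious_remotes(rows, threshold) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live host: text = subprocess.check_output(["netstat", "-ano"]).decode("mbcs")
    print(report(SAMPLE_NETSTAT))
</test>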


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 09:00
Only if you are a consumer.  In a network we ALL have listening ports 
out there.

Elizabeth.a.greene@gmail.com wrote:
> As I understand the bulletin, Microsoft will not be releasing MS09-048 patches for XP because, by default, it runs no listening services or the windows firewall can protect it.
>
> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
> "If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. ... Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."
>
> -eg
>
>   



From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 13:31
Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack
itself, exploitation information must be explicit and definitive.  I'm
fine with risk classification, and I appreciate efforts to categorize
risk into manageable exposure metrics, but we shouldn't have to infer
potential vulnerability information from vague disclosure data.  I know
many response teams base patch paths on the published severity, but one
also has to be able to make decisions on their own.  For me, no big
deal.  But it's not that simple for others.

But there's not enough information for me to make that call.  Is it for
ANY "listening service?"  TCP or UDP?  Does the "stateful" firewall
introduced in subsequent versions stop it?

The answers are "yes," "yes," and "no."  They should just say that.  Is
it "low" because the firewall doesn't have any exceptions by default?
If so, that's silly.  Everyone using XP for anything has incoming
connections for something, and well known if on a domain.  I feel sorry
for Diebold and NEC with all the ATMs out there running XP, but
fortunately, I'm not responsible for clients using their systems
anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real,
straight-forward, no-nonsense information and technical sleight of hand.
The information should be painfully obvious, not obviously painful.

t




> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,
> they probably would have rated it at least Medium. If I'm wrong about
> that then the "Low" rating is misleading.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>=20
>=20
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, September 16, 2009 11:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>=20
> Thanks for the link.  The problem here is that not enough information
> is
> given, and what IS given is obviously watered down to the point of
> being
> ineffective.
>=20
> The quote that stands out most for me:
> <snip>
> During the Q&A, however, Windows users repeatedly asked Microsofts
> security team to explain why it wasnt patching XP, or if, in certain
> scenarios, their machines might be at risk. "We still use Windows XP
> and
> we do not use Windows Firewall," read one of the user questions. "We
> use
> a third-party vendor firewall product. Even assuming that we use the
> Windows Firewall, if there are services listening, such as remote
> desktop, wouldnt then Windows XP be vulnerable to this?"
>=20
> "Servers are a more likely target for this attack, and your firewall
> should provide additional protections against external exploits,"
> replied Stone and Bryant.
> </snip>
>=20
> If an employee managing a product that my company owned gave answers
> like that to a public interview with Computerworld, they would be in
> deep doo.  First off, my default install of XP Pro SP2 has remote
> assistance inbound, and once you join to a domain, you obviously accept
> necessary domain traffic.  This "no inbound traffic by default so you
> are not vulnerable" line is crap.  It was a direct question - "If RDP
> is
> allowed through the firewall, are we vulnerable?" A:"Great question.
> Yes, servers are the target.  A firewall should provide added
> protection, maybe.  Rumor is thats what they are for.  Not sure
> really.
> What was the question again?"
>=20
> You dont get "trustworthy" by not answering peoples questions,
> particularly when they are good, obvious questions.  Just be honest
> about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might help,
> but dont bet on it.  XP code is something like 15 years old now, and
> were not going to change it.  Thats the way it is, sorry. Just be
> glad
> youre using XP and not 2008/vista or youd be patching your arse off
> right now."
>=20
> If MSFT thinks they are mitigating public opinion issues by
> side-stepping questions and not fully exposing the problems, they are
> wrong.  This just makes it worse. Thats the long answer.  The short
> answer is "XP is vulnerable to a DoS, and a patch is not being
> offered."
>=20
> t
>=20
>=20
>=20
> > -----Original Message-----
> > From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> > disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> > Sent: Tuesday, September 15, 2009 2:37 PM
> > To: bugtraq@securityfocus.com
> > Cc: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >
> > Reference:
> >
> >
> > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
> >
> > MS claims the patch would require too much overhaul of XP to make it
> > worth it, and they may be right.  Who knows how many applications
> > might break that were designed for XP if they have to radically change
> > the TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> > certainly sounds like it is not going to be patched.
> >
> > The other side of the MS claim is that a properly-firewalled XP
> > system would not be vulnerable to a DoS anyway, so a patch shouldn't be
> > necessary.
> >
> > -Eric
> >
> >
> > --
> > Eric C. Lukens
> > IT Security Policy and Risk Assessment Analyst
> > ITS-Network Services
> > Curris Business Building 15
> > University of Northern Iowa
> > Cedar Falls, IA 50614-0121
> > 319-273-7434
> > http://www.uni.edu/elukens/
> > http://weblogs.uni.edu/elukens/
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 10:16
It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
course it's vulnerable to any and all gobs of stuff out there.  But its
goal and intent is to allow small shops to deploy Win7.  If you need
more security, get App-V/MED-V/whatever-V or other virtualization.

It's not a security platform.  It's a "get the stupid 16-bit line of
business app working" platform.

Thor (Hammer of God) wrote:
> P.S.
>
> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable, and what the implications are for a host running an XP VM that gets DoS'd?
>
> I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
>
> t 
>
>   
>> -----Original Message-----
>> From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
>> disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, September 16, 2009 8:00 AM
>> To: Eric C. Lukens; bugtraq@securityfocus.com
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>
>> Thanks for the link.  The problem here is that not enough information
>> is given, and what IS given is obviously watered down to the point of
>> being ineffective.
>>
>> The quote that stands out most for me:
>> <snip>
>> During the Q&A, however, Windows users repeatedly asked Microsoft's
>> security team to explain why it wasn't patching XP, or if, in certain
>> scenarios, their machines might be at risk. "We still use Windows XP
>> and we do not use Windows Firewall," read one of the user questions.
>> "We use a third-party vendor firewall product. Even assuming that we
>> use the Windows Firewall, if there are services listening, such as
>> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>
>> "Servers are a more likely target for this attack, and your firewall
>> should provide additional protections against external exploits,"
>> replied Stone and Bryant.
>> </snip>
>>
>> If an employee managing a product that my company owned gave answers
>> like that to a public interview with Computerworld, they would be in
>> deep doo.  First off, my default install of XP Pro SP2 has remote
>> assistance inbound, and once you join to a domain, you obviously accept
>> necessary domain traffic.  This "no inbound traffic by default so you
>> are not vulnerable" line is crap.  It was a direct question - "If RDP
>> is allowed through the firewall, are we vulnerable?" A: "Great question.
>> Yes, servers are the target.  A firewall should provide added
>> protection, maybe.  Rumor is that's what they are for.  Not sure
>> really.  What was the question again?"
>>
>> You don't get "trustworthy" by not answering people's questions,
>> particularly when they are good, obvious questions.  Just be honest
>> about it.  "Yes, XP is vulnerable to a DoS.  Your firewall might help,
>> but don't bet on it.  XP code is something like 15 years old now, and
>> we're not going to change it.  That's the way it is, sorry. Just be
>> glad you're using XP and not 2008/Vista or you'd be patching your arse
>> off right now."
>>
>> If MSFT thinks they are mitigating public opinion issues by side-
>> stepping questions and not fully exposing the problems, they are wrong.
>> This just makes it worse. That's the long answer.  The short answer is
>> "XP is vulnerable to a DoS, and a patch is not being offered."
>>
>> t
>>
>>
>>


From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 11:25
It's only "default" for people running XP standalone/consumer that are
not even in a home network setting.

That kinda slices and dices that default down to a VERY narrow
sub-sub-subset of the customer base.

(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy firewall settings via group policy to mitigate exposure when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues.  It's like telling me that "the solution is to take the letter f out of the word 'solution'."
>
> 2)  Think things through.  If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business-critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it.  Seems like simple logic points to me.
>
> t
>
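The exposure check that the Computerworld question and Thor's point 1 above are really arguing about, written out as an added example (this is not code from any post in the thread): given the output of `netstat -an` and `netsh firewall show state` from an XP host, list the listeners an attacker on the network can actually reach. The sample output is constructed to approximate the layout of those two commands on XP SP2, and the parser's keying on the column headers is an assumption; check it against your own build before relying on it.

```python
"""Which listening services on an XP host are reachable through the firewall?

Added example for the thread above, not code from the list posts. It parses
text in the shape of the XP commands `netstat -an` and
`netsh firewall show state`. The samples are constructed, not captured.
"""
import re
from dataclasses import dataclass

# Constructed sample: `netstat -an` on an XP SP2 box with RDP and file sharing on.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: `netsh firewall show state` with the Remote Desktop and
# File and Printer Sharing exceptions enabled.
SAMPLE_FIREWALL = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
139    TCP       Any      (null)
445    TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""

# Same host with the firewall switched off; the first "= Enable" in the
# sample is the "Operational mode" line.
SAMPLE_FIREWALL_OFF = SAMPLE_FIREWALL.replace("= Enable", "= Disable", 1)


@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # local bind address; "0.0.0.0" means every interface
    port: int


def parse_netstat(text):
    """Sockets a remote peer could talk to: TCP rows in state LISTENING
    plus every UDP row (netstat prints no state column for UDP)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, _, port = parts[1].rpartition(":")
        if parts[0] == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # ESTABLISHED, TIME_WAIT etc. are not inbound targets
        listeners.append(Listener(parts[0], addr, int(port)))
    return listeners


def parse_firewall_state(text):
    """Return (firewall_enabled, {(proto, port), ...}) from
    `netsh firewall show state` output."""
    enabled = True
    open_ports = set()
    in_port_table = False
    for line in text.splitlines():
        m = re.match(r"\s*Operational mode\s*=\s*(\w+)", line)
        if m:
            enabled = m.group(1).lower() == "enable"
            continue
        if line.startswith("Ports currently open"):
            in_port_table = True
            continue
        if in_port_table:
            m = re.match(r"\s*(\d+)\s+(TCP|UDP)\b", line)
            if m:
                open_ports.add((m.group(2), int(m.group(1))))
    return enabled, open_ports


def exposed_listeners(netstat_text, firewall_text):
    """Listeners an attacker on the wire can reach: anything not bound to
    loopback that the firewall is either not filtering at all or has an
    explicit port exception for. For a TCP/IP stack bug such as MS09-048
    the service behind the port does not matter; reaching the listener does."""
    enabled, open_ports = parse_firewall_state(firewall_text)
    reachable = []
    for l in parse_netstat(netstat_text):
        if l.addr.startswith("127."):
            continue  # loopback-only binding, unreachable from the network
        if not enabled or (l.proto, l.port) in open_ports:
            reachable.append(l)
    return sorted(reachable, key=lambda l: (l.proto, l.port))


if __name__ == "__main__":
    for label, fw in (("firewall on", SAMPLE_FIREWALL),
                      ("firewall off", SAMPLE_FIREWALL_OFF)):
        print(label + ":")
        for l in exposed_listeners(SAMPLE_NETSTAT, fw):
            print("  %s %s:%d" % (l.proto, l.addr, l.port))
```

On the constructed sample the firewall-on case leaves TCP 139, 445 and 3389 reachable while 135 and UDP 445 are blocked; with the firewall off every non-loopback listener is reachable. Run it against a real host by saving the two commands' output to files and feeding them to exposed_listeners(); a non-empty result means the "no inbound traffic by default" argument does not apply to that machine, whatever its default profile says. The check only reads the Windows Firewall's own open-port table, so a third-party firewall needs its own rule source.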


From: "Thor (Hammer of God)" thor@hammerofgod.com
Sent: Wed 16. Sep 2009 15:23
Yeah, I know what it is and what it's for ;)  That was just my subtle way of
trying to make a point.  To be more explicit:

1)  If you are publishing a vulnerability for which there is no patch, and
for which you have no intention of making a patch, don't tell me it's
mitigated by ancient, unusable default firewall settings, and don't withhold
explicit details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE
KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, don't say you can deploy
firewall settings via group policy to mitigate exposure when the firewall
obviously must be accepting network connections to get the settings in the
first place. If all it takes is any listening service, then you have issues.
It's like telling me that "the solution is to take the letter f out of the
word 'solution'."

2)  Think things through.  If you are going to try to boost sales of Win7 to
corporate customers by providing free XP VM technology and thus play up how
important XP is and how many companies still depend upon it for
business-critical application compatibility, don't deploy that technology in
an other-than-default configuration that is subject to a DoS exploit while
downplaying the extent that the exploit may be leveraged by saying that a
"typical" default configuration mitigates it while choosing not to ever patch
it.  Seems like simple logic points to me.

t

> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
> Sent: Wednesday, September 16, 2009 10:16 AM
> To: Thor (Hammer of God)
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
> course it's vulnerable to any and all gobs of stuff out there.  But its
> goal and intent is to allow small shops to deploy Win7.  If you need
> more security, get App-V/MED-V/whatever-V or other virtualization.
>
> It's not a security platform.  It's a "get the stupid 16-bit line of
> business app working" platform.
>
> Thor (Hammer of God) wrote:
> > P.S.
> >
> > Anyone check to see if the default "XP Mode" VM you get for free with
> > Win7 hyperv is vulnerable, and what the implications are for a host
> > running an XP VM that gets DoS'd?
> >
> > I get the whole "XP code is too old to care" bit, but it seems odd to
> > take that "old code" and re-market it around compatibility and
> > re-distribute it with free downloads for Win7 while saying "we won't
> > patch old code."
> >
> > t
> >
> >
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >
> >


From: Rob Thompson my.security.lists@gmail.com
Sent: Wed 16. Sep 2009 11:24
Susan Bradley wrote:
> Only if you are a consumer.  In a network we ALL have listening ports
> out there.

This is simply Microsoft's way of forcing you to upgrade your OS.  They
pulled the same shenanigans with Windows 2000, if you do not recall.

I'd have to say, it's time to re-evaluate where you are funneling your
$$$.  If the vendor that you PAID your hard earned dollars to is not
supporting their product like they said they would, then it's time to
move on.

There are plenty of alternatives out there.  No one says you _have_ to
run Windows.

> 
> Elizabeth.a.greene@gmail.com wrote:
>> As I understand the bulletin, Microsoft will not be releasing MS09-048
>> patches for XP because, by default, it runs no listening services or
>> the windows firewall can protect it.
>>
>> Quoting http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
>> "If Windows XP is listed as an affected product, why is Microsoft not
>> issuing an update for it?
>> By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and
>> Windows XP Professional x64 Edition Service Pack 2 do not have a
>> listening service configured in the client firewall and are therefore
>> not affected by this vulnerability. Windows XP Service Pack 2 and
>> later operating systems include a stateful host firewall that provides
>> protection for computers against incoming traffic from the Internet or
>> from neighboring network devices on a private network. ... Customers
>> running Windows XP are at reduced risk, and Microsoft recommends they
>> use the firewall included with the operating system, or a network
>> firewall, to block access to the affected ports and limit the attack
>> surface from untrusted networks."
>>
>> -eg
>>


-- 
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

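The mitigation argument running through this thread (Eric's "a properly-firewalled XP system would not be vulnerable" and the MS09-048 bulletin text quoted above, against Susan's objection that networked XP boxes do have listening ports) is something an administrator can actually test per host rather than argue about. The script below is an added example, not code from the thread or from Microsoft. It parses the text of `netstat -an` and `netsh firewall show state` as an XP SP2/SP3 box prints them and reports the TCP ports that are both in LISTENING state and reachable through the Windows Firewall, which is exactly the exposure the bulletin's reasoning assumes is empty. Both command outputs embedded here are constructed samples (a workstation with File and Printer Sharing and Remote Desktop enabled), and the function names are my own; the only assumption about the real tools is their plain-text column layout, so check the regexes against a capture from your own hosts before relying on the result.

```python
import re

# Constructed sample of `netstat -an` on an XP SP3 workstation: RPC (135),
# SMB (445, 139), Remote Desktop (3389) and a loopback-only listener (1025).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       10.0.0.7:49152         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
"""

# Constructed sample of `netsh firewall show state` on the same host with the
# File and Printer Sharing exception enabled (139/445 TCP, 137/138 UDP).
NETSH_SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
139    TCP       Any      (null)
445    TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""

# One netstat row in LISTENING state: captures local address and port.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
# One row of the "Ports currently open" table: port number and protocol.
NETSH_PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+\S+\s+", re.M)


def listening_tcp_ports(netstat_text, include_loopback=False):
    """Set of TCP ports in LISTENING state.

    Loopback-only listeners are skipped by default: they cannot be reached
    from the network, so they do not count toward MS09-048 exposure.
    """
    ports = set()
    for addr, port in NETSTAT_RE.findall(netstat_text):
        if addr.startswith("127.") and not include_loopback:
            continue
        ports.add(int(port))
    return ports


def firewall_state(netsh_text):
    """(firewall enabled, exceptions allowed, set of open TCP ports)."""
    def mode_is_enable(name):
        m = re.search(r"^%s\s*=\s*(\w+)" % re.escape(name), netsh_text, re.M)
        return m is not None and m.group(1).lower() == "enable"

    open_tcp = {int(p) for p, proto in NETSH_PORT_RE.findall(netsh_text)
                if proto == "TCP"}
    return mode_is_enable("Operational mode"), mode_is_enable("Exception mode"), open_tcp


def exposed_tcp_ports(netstat_text, netsh_text):
    """TCP listeners an off-host attacker can reach through the Windows Firewall.

    Firewall off: every non-loopback listener is exposed.
    Firewall on with "Don't allow exceptions": nothing is exposed.
    Firewall on with exceptions: listeners whose port has an open exception.
    """
    listening = listening_tcp_ports(netstat_text)
    enabled, exceptions, open_tcp = firewall_state(netsh_text)
    if not enabled:
        return listening
    if not exceptions:
        return set()
    return listening & open_tcp


if __name__ == "__main__":
    exposed = exposed_tcp_ports(NETSTAT_SAMPLE, NETSH_SAMPLE)
    print("listening (non-loopback):", sorted(listening_tcp_ports(NETSTAT_SAMPLE)))
    print("exposed through firewall:", sorted(exposed))
    if exposed:
        print("Host-firewall mitigation does not hold here; block or close these ports.")
```

On the sample data the firewall passes 139 and 445 to live SMB listeners, so this host is exactly the case Susan describes: the bulletin's "no listening service configured in the client firewall" default is already gone the moment file sharing is turned on. Running the same check from a login script over the real outputs of `netstat -an` and `netsh firewall show state` gives an inventory of which XP hosts the mitigation actually covers and which need a network firewall rule instead.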

From: Susan Bradley sbradcpa@pacbell.net
Sent: Wed 16. Sep 2009 12:48
Cloud option, maybe, as we go forward, but right now today this is
business making the decisions here.

Desktop, if it were that easy we'd have ripped out desktops years ago.

Businesses have to be realistic.  Sometimes there is not "plenty of 
comparable alternatives out there".

Sometimes the boss/business needs/line of business apps dictates you run 
windows.

Rob Thompson wrote:
> Susan Bradley wrote:
>> Only if you are a consumer.  In a network we ALL have listening ports
>> out there.
>
> This is simply Microsoft's way of forcing you to upgrade your OS.  They
> pulled the same shenanigans with Windows 2000, if you do not recall.
>
> I'd have to say, it's time to re-evaluate where you are funneling your
> $$$.  If the vendor that you PAID your hard earn