Re: 3rd party patch for XP for MS09-048?

["James Lay" <jlay () slave-tothe-box net>]

> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require to much overhaul of XP to make it
> worth it, and they may be right.  Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> necessary.
>
> -Eric

Apparently MS either:

a)  believes that people/employees on a LAN would NEVER EVER do anything
naughty or;
b)  that hostbased firewalls should be enabled on ALL workstations
regardless if they are behind corporate firewall/nat/etc...

Either way....remote code or DoS, it's still a timebomb.  PCI DSS requires
these types of things to be patched or mitigated (compensating control) if
placed in the cardholder data environment.  Looks like no patch means a
lot of extra work for companies taking debit/credit and running XP.

James

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/