Re: 3rd party patch for XP for MS09-048?

[Susan Bradley <sbradcpa () pacbell net>]

It's only "default" for people running XP standalone/consumer that are 
not even in a home network settings.

That kinda slices and dices that default down to a VERY narrow sub sub 
sub set of customer base.

(Bottom line, yes, the marketing team definitely got a hold of that 
bulletin)

Thor (Hammer of God) wrote:
> Yeah, I know what it is and what it's for ;)  That was just my subtle way of trying to make a point.  To be more 
> explicit:
>
> 1)  If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making 
> a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit 
> details.  Say "THERE WILL BE NO PATCH, EVER.  HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK."  Also, 
> don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must 
> be accepting network connections to get the settings in the first place. If all it takes is any listening service, 
> then you have issues.  It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
>
> 2)  Think things through.  If you are going to try to boot sales of Win7 to corporate customers by providing free XP 
> VM technology and thus play up how important XP is and how many companies still depend upon it for business critical 
> application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a 
> DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default 
> configuration mitigates it while choosing not to ever patch it.    Seems like simple logic points to me.
>
> t
>
>   
> > -----Original Message-----
> > From: Susan Bradley [mailto:sbradcpa () pacbell net]
> > Sent: Wednesday, September 16, 2009 10:16 AM
> > To: Thor (Hammer of God)
> > Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >
> > It's XP.  Running in RDP mode.  It's got IE6, and wants antivirus.  Of
> > course it's vulnerable to any and all gobs of stuff out there.  But
> > it's
> > goal and intent is to allow Small shops to deploy Win7.  If you need
> > more security, get appv/medv/whateverv or other virtualization.
> >
> > It's not a security platform.  It's a get the stupid 16 bit line of
> > business app working platform.
> >
> > Thor (Hammer of God) wrote:
> >     
> > > P.S.
> > >
> > > Anyone check to see if the default "XP Mode" VM you get for free with
> > >       
> > Win7 hyperv is vulnerable and what the implications are for a host
> > running an XP vm that get's DoS'd are?
> >     
> > > I get the whole "XP code to too old to care" bit, but it seems odd to
> > >       
> > take that "old code" and re-market it around compatibility and re-
> > distribute it with free downloads for Win7 while saying "we won't patch
> > old code."
> >     
> > > t
> > >
> > >
> > >       
> > > > -----Original Message-----
> > > > From: full-disclosure-bounces () lists grok org uk [mailto:full-
> > > > disclosure-bounces () lists grok org uk] On Behalf Of Thor (Hammer of
> > > >         
> > God)
> >     
> > > > Sent: Wednesday, September 16, 2009 8:00 AM
> > > > To: Eric C. Lukens; bugtraq () securityfocus com
> > > > Cc: full-disclosure () lists grok org uk
> > > > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> > > >
> > > > Thanks for the link.  The problem here is that not enough
> > > >         
> > information
> >     
> > > > is given, and what IS given is obviously watered down to the point
> > > >         
> > of
> >     
> > > > being ineffective.
> > > >
> > > > The quote that stands out most for me:
> > > > <snip>
> > > > During the Q&A, however, Windows users repeatedly asked Microsoft's
> > > > security team to explain why it wasn't patching XP, or if, in
> > > >         
> > certain
> >     
> > > > scenarios, their machines might be at risk. "We still use Windows XP
> > > > and we do not use Windows Firewall," read one of the user questions.
> > > > "We use a third-party vendor firewall product. Even assuming that we
> > > > use the Windows Firewall, if there are services listening, such as
> > > > remote desktop, wouldn't then Windows XP be vulnerable to this?"
> > > >
> > > > "Servers are a more likely target for this attack, and your firewall
> > > > should provide additional protections against external exploits,"
> > > > replied Stone and Bryant.
> > > > </snip>
> > > >
> > > > If an employee managing a product that my company owned gave answers
> > > > like that to a public interview with Computerworld, they would be in
> > > > deep doo.  First off, my default install of XP Pro SP2 has remote
> > > > assistance inbound, and once you join to a domain, you obviously
> > > >         
> > accept
> >     
> > > > necessary domain traffic.  This "no inbound traffic by default so
> > > >         
> > you
> >     
> > > > are not vulnerable" line is crap.  It was a direct question - "If
> > > >         
> > RDP
> >     
> > > > is allowed through the firewall, are we vulnerable?" A:"Great
> > > >         
> > question.
> >     
> > > > Yes, servers are the target.  A firewall should provide added
> > > > protection, maybe.  Rumor is that's what they are for.  Not sure
> > > > really.  What was the question again?"
> > > >
> > > > You don't get "trustworthy" by not answering people's questions,
> > > > particularly when they are good, obvious questions.  Just be honest
> > > > about it.  "Yes, XP is vulnerable to a DOS.  Your firewall might
> > > >         
> > help,
> >     
> > > > but don't bet on it.  XP code is something like 15 years old now,
> > > >         
> > and
> >     
> > > > we're not going to change it.  That's the way it is, sorry. Just be
> > > > glad you're using XP and not 2008/vista or you'd be patching your
> > > >         
> > arse
> >     
> > > > off right now."
> > > >
> > > > If MSFT thinks they are mitigating public opinion issues by side-
> > > > stepping questions and not fully exposing the problems, they are
> > > >         
> > wrong.
> >     
> > > > This just makes it worse. That's the long answer.  The short answer
> > > >         
> > is
> >     
> > > > "XP is vulnerable to a DoS, and a patch is not being offered."
> > > >
> > > > t
> > > >
> > > >
> > > >
> > > >
> > > >         
> > > > > -----Original Message-----
> > > > > From: full-disclosure-bounces () lists grok org uk [mailto:full-
> > > > > disclosure-bounces () lists grok org uk] On Behalf Of Eric C. Lukens
> > > > > Sent: Tuesday, September 15, 2009 2:37 PM
> > > > > To: bugtraq () securityfocus com
> > > > > Cc: full-disclosure () lists grok org uk
> > > > > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> > > > >
> > > > > Reference:
> > > > >
> > > > >
> > > > >
> > > > >           
> > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
> >     
> > > > > hes_for_you_XP
> > > > >
> > > > > MS claims the patch would require to much overhaul of XP to make it
> > > > > worth it, and they may be right.  Who knows how many applications
> > > > >
> > > > >           
> > > > might
> > > >
> > > >         
> > > > > break that were designed for XP if they have to radically change
> > > > >           
> > the
> >     
> > > > > TCP/IP stack.  Now, I don't know if the MS speak is true, but it
> > > > > certainly sounds like it is not going to be patched.
> > > > >
> > > > > The other side of the MS claim is that a properly-firewalled XP
> > > > >
> > > > >           
> > > > system
> > > >
> > > >         
> > > > > would not be vulnerable to a DOS anyway, so a patch shouldn't be
> > > > > necessary.
> > > > >
> > > > > -Eric
> > > > >
> > > > > -------- Original Message  --------
> > > > > Subject: Re: 3rd party patch for XP for MS09-048?
> > > > > From: Jeffrey Walton <noloader () gmail com>
> > > > > To: nowhere () devnull com
> > > > > Cc: bugtraq () securityfocus com, full-disclosure () lists grok org uk
> > > > > Date: 9/15/09 3:49 PM
> > > > >
> > > > >           
> > > > > > Hi Aras,
> > > > > >
> > > > > >
> > > > > >
> > > > > >             
> > > > > > > Given that M$ has officially shot-down all current Windows XP
> > > > > > >
> > > > > > >               
> > > > users
> > > >
> > > >         
> > > > > by not
> > > > >
> > > > >           
> > > > > > > issuing a patch for a DoS level issue,
> > > > > > >
> > > > > > >
> > > > > > >               
> > > > > > Can you cite a reference?
> > > > > >
> > > > > > Unless Microsoft has changed their end of life policy [1], XP
> > > > > >
> > > > > >             
> > > > should
> > > >
> > > >         
> > > > > > be patched for security vulnerabilities until about 2014. Both XP
> > > > > >
> > > > > >             
> > > > > Home
> > > > >
> > > > >           
> > > > > > and XP Pro's mainstream support ended in 4/2009, but extended
> > > > > >
> > > > > >             
> > > > support
> > > >
> > > >         
> > > > > > ends in 4/2014 [2]. Given that we know the end of extended
> > > > > >             
> > support,
> >     
> > > > > > take a look at bullet 17 of [1]:
> > > > > >
> > > > > >     17. What is the Security Update policy?
> > > > > >
> > > > > >     Security updates will be available through the end of the
> > > > > >
> > > > > >             
> > > > > Extended
> > > > >
> > > > >           
> > > > > >     Support phase (five years of Mainstream Support plus five
> > > > > >             
> > years
> >     
> > > > > of
> > > > >
> > > > >           
> > > > > >     the Extended Support) at no additional cost for most products.
> > > > > >     Security updates will be posted on the Microsoft Update Web
> > > > > >
> > > > > >             
> > > > site
> > > >
> > > >         
> > > > > >     during both the Mainstream and the Extended Support phase.
> > > > > >
> > > > > >
> > > > > >
> > > > > >             
> > > > > > > I realize some of you might be tempted to relay the M$ BS about
> > > > > > >
> > > > > > >               
> > > > "not
> > > >
> > > >         
> > > > > being
> > > > >
> > > > >           
> > > > > > > feasible because it's a lot of work" rhetoric...
> > > > > > >
> > > > > > >
> > > > > > >               
> > > > > > Not at all.
> > > > > >
> > > > > > Jeff
> > > > > >
> > > > > > [1] http://support.microsoft.com/gp/lifepolicy
> > > > > > [2] http://support.microsoft.com/gp/lifeselect
> > > > > >
> > > > > > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> > > > > > <nowhere () devnull com> wrote:
> > > > > >
> > > > > >
> > > > > >             
> > > > > > > Hello All:
> > > > > > >
> > > > > > > Given that M$ has officially shot-down all current Windows XP
> > > > > > >
> > > > > > >               
> > > > users
> > > >
> > > >         
> > > > > by not
> > > > >
> > > > >           
> > > > > > > issuing a patch for a DoS level issue, I'm now curious to find
> > > > > > >               
> > out
> >     
> > > > > whether
> > > > >
> > > > >           
> > > > > > > or not any brave souls out there are already working or willing
> > > > > > >               
> > to
> >     
> > > > > work on
> > > > >
> > > > >           
> > > > > > > an open-source patch to remediate the issue within XP.
> > > > > > >
> > > > > > > I realize some of you might be tempted to relay the M$ BS about
> > > > > > >
> > > > > > >               
> > > > "not
> > > >
> > > >         
> > > > > being
> > > > >
> > > > >           
> > > > > > > feasible because it's a lot of work" rhetoric... I would just
> > > > > > >               
> > like
> >     
> > > > > to hear
> > > > >
> > > > >           
> > > > > > > the thoughts of the true experts subscribed to these lists :)
> > > > > > >
> > > > > > > No harm in that is there?
> > > > > > >
> > > > > > > Aras "Russ" Memisyazici
> > > > > > > Systems Administrator
> > > > > > > Virginia Tech
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >               
> > > > > --
> > > > > Eric C. Lukens
> > > > > IT Security Policy and Risk Assessment Analyst
> > > > > ITS-Network Services
> > > > > Curris Business Building 15
> > > > > University of Northern Iowa
> > > > > Cedar Falls, IA 50614-0121
> > > > > 319-273-7434
> > > > > http://www.uni.edu/elukens/
> > > > > http://weblogs.uni.edu/elukens/
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > >
> > > > >           
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > >         
> > >       
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/