On http://support.microsoft.com/gp/lifepolicy MS says that the "Extended Support Phase" includes "Security Update Support". If I have a Premier Support contract (which entitles me to Extended Support) aren't MS contractually obliged to make this fix available to me?

2009/9/16 Aras "Russ" Memisyazici <nowhere@xxxxxxxxxxx>:
> :)
>
> Thank you all for your valuable comments... Indeed I appreciated some of the links/info extended (Susan, Thor and Tom) However, in the end, it sounded like:
>
> a) As a sysadmin in charge of maintaining XP systems along with a whole shebang of other mix setups, unless I deploy a "better" firewall solution, I seem to be SOL.
>
> b) M$ is trying to boost Win7 sales... Whoopdee-@#$%#^-doo... As was stated earlier, they did the exact same thing back in Win2K days... Nothing new here... :/ As Larry and Thor pointed out, what sux is that despite M$ "PROMISING" that they would continue supporting XP since they didn't exactly state WHAT they would support, they seem to be legally free to actually get away with this BS *sigh* gotta love insurance-salesman-tactics when it comes to promises...
>
> So... with all this commentary, in the end, I still didn't read from the "big'uns" on whether or not a 3rd party open-source patch would be released... I sure miss the days that people back in the day who cared would :) In the end I realize, it sounds like a total over-haul of the TCP/IP stack is required; but does it really have to? Really?
>
> How effective is what Tom Grace suggests? Unless I'm misunderstanding, he's suggesting switching to an iptables based protection along with a registry tweak... ahh the good ol' batch firewall :) Would this actually work as a viable work-around? I realize M$ stated this as such, but given their current reputation it's really hard to take their word for anything these days :P
>
> What free/cheap client-level-IPS solutions block this current attack? Any suggestions?
>
> Thank you for your time and look forward to some more answers.
>
> Sincerely,
> Aras "Russ" Memisyazici
> arasm {at) vt ^dot^ edu --> I set my return addy to /dev/null for... well you know why!
>
> Systems Administrator
> Virginia Tech
>
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@xxxxxxxxxxxxxxxx]
> Sent: Wednesday, September 16, 2009 5:03 PM
> To: Susan Bradley; Thor (Hammer of God)
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the same time I think they send a message about XP users being on shaky ground. Just because they've got 4+ years of Extended Support Period left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@xxxxxxxxxxxxx
> http://blogs.pcmag.com/securitywatch/
>
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Susan Bradley
> Sent: Wednesday, September 16, 2009 2:26 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> It's only "default" for people running XP standalone/consumer that are not even in a home network setting.
>
> That kinda slices and dices that default down to a VERY narrow sub sub sub set of customer base.
>
> (Bottom line, yes, the marketing team definitely got a hold of that bulletin)
>
> Thor (Hammer of God) wrote:
>> Yeah, I know what it is and what it's for ;) That was just my subtle way of trying to make a point. To be more explicit:
>>
>> 1) If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues. It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
>>
>> 2) Think things through. If you are going to try to boost sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it. Seems like simple logic points to me.
>>
>> t
>>
>>> -----Original Message-----
>>> From: Susan Bradley [mailto:sbradcpa@xxxxxxxxxxx]
>>> Sent: Wednesday, September 16, 2009 10:16 AM
>>> To: Thor (Hammer of God)
>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>
>>> It's XP. Running in RDP mode. It's got IE6, and wants antivirus. Of course it's vulnerable to any and all gobs of stuff out there. But its goal and intent is to allow Small shops to deploy Win7. If you need more security, get appv/medv/whateverv or other virtualization.
>>>
>>> It's not a security platform. It's a get the stupid 16 bit line of business app working platform.
>>>
>>> Thor (Hammer of God) wrote:
>>>> P.S.
>>>>
>>>> Anyone check to see if the default "XP Mode" VM you get for free with Win7 hyperv is vulnerable and what the implications are for a host running an XP vm that gets DoS'd are?
>>>>
>>>> I get the whole "XP code is too old to care" bit, but it seems odd to take that "old code" and re-market it around compatibility and re-distribute it with free downloads for Win7 while saying "we won't patch old code."
>>>>
>>>> t
>>>>
>>>>> -----Original Message-----
>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Wednesday, September 16, 2009 8:00 AM
>>>>> To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>
>>>>> Thanks for the link. The problem here is that not enough information is given, and what IS given is obviously watered down to the point of being ineffective.
>>>>>
>>>>> The quote that stands out most for me:
>>>>> <snip>
>>>>> During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
>>>>>
>>>>> "Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
>>>>> </snip>
>>>>>
>>>>> If an employee managing a product that my company owned gave answers like that to a public interview with Computerworld, they would be in deep doo. First off, my default install of XP Pro SP2 has remote assistance inbound, and once you join to a domain, you obviously accept necessary domain traffic. This "no inbound traffic by default so you are not vulnerable" line is crap. It was a direct question - "If RDP is allowed through the firewall, are we vulnerable?" A:"Great question. Yes, servers are the target. A firewall should provide added protection, maybe. Rumor is that's what they are for. Not sure really. What was the question again?"
>>>>>
>>>>> You don't get "trustworthy" by not answering people's questions, particularly when they are good, obvious questions. Just be honest about it. "Yes, XP is vulnerable to a DOS. Your firewall might help, but don't bet on it. XP code is something like 15 years old now, and we're not going to change it. That's the way it is, sorry. Just be glad you're using XP and not 2008/vista or you'd be patching your arse off right now."
>>>>>
>>>>> If MSFT thinks they are mitigating public opinion issues by side-stepping questions and not fully exposing the problems, they are wrong. This just makes it worse. That's the long answer. The short answer is "XP is vulnerable to a DoS, and a patch is not being offered."
>>>>>
>>>>> t
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
>>>>>> Sent: Tuesday, September 15, 2009 2:37 PM
>>>>>> To: bugtraq@xxxxxxxxxxxxxxxxx
>>>>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>>>>>>
>>>>>> Reference:
>>>>>> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>>>>>>
>>>>>> MS claims the patch would require too much overhaul of XP to make it worth it, and they may be right. Who knows how many applications might break that were designed for XP if they have to radically change the TCP/IP stack. Now, I don't know if the MS speak is true, but it certainly sounds like it is not going to be patched.
>>>>>>
>>>>>> The other side of the MS claim is that a properly-firewalled XP system would not be vulnerable to a DOS anyway, so a patch shouldn't be necessary.
>>>>>>
>>>>>> -Eric
>>>>>>
>>>>>> -------- Original Message --------
>>>>>> Subject: Re: 3rd party patch for XP for MS09-048?
>>>>>> From: Jeffrey Walton <noloader@xxxxxxxxx>
>>>>>> To: nowhere@xxxxxxxxxxx
>>>>>> Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>> Date: 9/15/09 3:49 PM
>>>>>>
>>>>>>> Hi Aras,
>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue,
>>>>>>>
>>>>>>> Can you cite a reference?
>>>>>>>
>>>>>>> Unless Microsoft has changed their end of life policy [1], XP should be patched for security vulnerabilities until about 2014. Both XP Home and XP Pro's mainstream support ended in 4/2009, but extended support ends in 4/2014 [2]. Given that we know the end of extended support, take a look at bullet 17 of [1]:
>>>>>>>
>>>>>>> 17. What is the Security Update policy?
>>>>>>>
>>>>>>> Security updates will be available through the end of the Extended Support phase (five years of Mainstream Support plus five years of the Extended Support) at no additional cost for most products. Security updates will be posted on the Microsoft Update Web site during both the Mainstream and the Extended Support phase.
>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being feasible because it's a lot of work" rhetoric...
>>>>>>>
>>>>>>> Not at all.
>>>>>>>
>>>>>>> Jeff
>>>>>>>
>>>>>>> [1] http://support.microsoft.com/gp/lifepolicy
>>>>>>> [2] http://support.microsoft.com/gp/lifeselect
>>>>>>>
>>>>>>> On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici <nowhere@xxxxxxxxxxx> wrote:
>>>>>>>> Hello All:
>>>>>>>>
>>>>>>>> Given that M$ has officially shot-down all current Windows XP users by not issuing a patch for a DoS level issue, I'm now curious to find out whether or not any brave souls out there are already working or willing to work on an open-source patch to remediate the issue within XP.
>>>>>>>>
>>>>>>>> I realize some of you might be tempted to relay the M$ BS about "not being feasible because it's a lot of work" rhetoric... I would just like to hear the thoughts of the true experts subscribed to these lists :)
>>>>>>>>
>>>>>>>> No harm in that is there?
>>>>>>>>
>>>>>>>> Aras "Russ" Memisyazici
>>>>>>>> Systems Administrator
>>>>>>>> Virginia Tech
>>>>>>
>>>>>> --
>>>>>> Eric C. Lukens
>>>>>> IT Security Policy and Risk Assessment Analyst
>>>>>> ITS-Network Services
>>>>>> Curris Business Building 15
>>>>>> University of Northern Iowa
>>>>>> Cedar Falls, IA 50614-0121
>>>>>> 319-273-7434
>>>>>> http://www.uni.edu/elukens/
>>>>>> http://weblogs.uni.edu/elukens/
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
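The exposure test Thor argues for in the thread, as an added example that is not part of any message above: the Windows Firewall only "mitigates" the unpatched TCP/IP stack if no inbound TCP reaches it, so the question to answer on each XP host is which listening sockets the firewall actually admits (RDP, Remote Assistance, domain traffic). This script, written for this page and not taken from any poster, intersects a `netstat -an` listing with a firewall-state listing and reports the reachable ports. The `netstat -an` layout is the real Windows one; the `netsh firewall show state` layout is an assumption from memory, and both samples are constructed, not captured, so adapt the two regexes to what your hosts print.

```python
"""Which listening TCP ports does the host firewall still let through?

Added example for the MS09-048 / XP thread.  A listener bound to a
non-loopback address that the firewall admits (or any such listener when
the firewall is off) is a path for remote packets into the TCP/IP stack.
"""
import re
from typing import List, Set, Tuple

# Constructed sample of `netstat -an` from an XP host (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.9:49201      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample of a `netsh firewall show state` listing: firewall on,
# RDP excepted.  The layout is assumed, not taken from the thread.
NETSH_SAMPLE = """
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
3389   TCP       Any      (null)
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
OPEN_PORT_RE = re.compile(r"^\s*(\d+)\s+TCP\b", re.M)
MODE_RE = re.compile(r"^Operational mode\s*=\s*(\w+)", re.M)


def parse_listening(netstat_text: str) -> Set[Tuple[str, int]]:
    """TCP sockets in LISTENING state as (local address, port) pairs."""
    return {(addr, int(port)) for addr, port in NETSTAT_RE.findall(netstat_text)}


def parse_firewall(netsh_text: str) -> Tuple[bool, Set[int]]:
    """(firewall enabled?, TCP ports excepted through it)."""
    m = MODE_RE.search(netsh_text)
    enabled = bool(m) and m.group(1).lower() == "enable"
    return enabled, {int(p) for p in OPEN_PORT_RE.findall(netsh_text)}


def exposed_ports(netstat_text: str, netsh_text: str) -> List[int]:
    """Ports on which packets from the network reach the TCP stack.

    Loopback-only listeners are unreachable remotely and are dropped.  With
    the firewall disabled every remaining listener is exposed; with it
    enabled, only the excepted ports are.
    """
    listening = {port for addr, port in parse_listening(netstat_text)
                 if not addr.startswith("127.")}
    enabled, excepted = parse_firewall(netsh_text)
    reachable = listening if not enabled else listening & excepted
    return sorted(reachable)


if __name__ == "__main__":
    ports = exposed_ports(NETSTAT_SAMPLE, NETSH_SAMPLE)
    if ports:
        print("firewall does not mitigate: TCP reachable on", ports)
    else:
        print("no TCP listener reachable from the network")
```

On the constructed sample the answer is port 3389: the RDP exception alone already gives remote hosts a path to the stack, which is exactly the case the Computerworld questioner raised. Feed the script real `netstat -an` and firewall output from each XP box (or a third-party firewall's equivalent rule dump, with the parser adjusted) to get the same answer per host.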