RE: [Full-disclosure] 3rd party patch for XP for MS09-048?



Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack itself, exploitation information must be explicit and definitive. I'm fine with risk classification, and I appreciate efforts to categorize risk into manageable exposure metrics, but we shouldn't have to infer potential vulnerability information from vague disclosure data. I know many response teams base patch paths on the published severity, but one also has to be able to make decisions on their own. For me, no big deal. But it's not that simple for others.

But there's not enough information for me to make that call. Is it for ANY "listening service?" TCP or UPD? Does the "statefull" firewall introduced in subsequent versions stop it?

The answers are "yes," "yes," and "no." They should just say that. Is it "low" because the firewall doesn't have any exceptions by default? If so, that's silly. Everyone using XP for anything has incoming connections for something, and well known if on a domain. I feel sorry for Diebold and NEC with all the ATMs out there running XP, but fortunately, I'm not responsible for clients using their systems anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real, straight-forward, no-nonsense information and technical sleight of hand. The information should be painfully obvious, not obviously painful.

t




-----Original Message-----
From: Larry Seltzer [mailto:larry@xxxxxxxxxxxxxxxx]
Sent: Wednesday, September 16, 2009 8:21 AM
To: Thor (Hammer of God); Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?

I agree that the FAQ explanation in the advisory is vague about what
protection the firewall provides. One clue I would infer about it is
that they rated this a "Low" threat. If it were vulnerable in the
default configuration, with the firewall (or some other firewall) on,
they probably would have rated it at least Medium. If I'm wrong about
that then the "Low" rating is misleading.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@xxxxxxxxxxxxx
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Thor
(Hammer of God)
Sent: Wednesday, September 16, 2009 11:00 AM
To: Eric C. Lukens; bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Thanks for the link. The problem here is that not enough information
is
given, and what IS given is obviously watered down to the point of
being
ineffective.

The quote that stands out most for me:
<snip>
During the Q&A, however, Windows users repeatedly asked Microsoft's
security team to explain why it wasn't patching XP, or if, in certain
scenarios, their machines might be at risk. "We still use Windows XP
and
we do not use Windows Firewall," read one of the user questions. "We
use
a third-party vendor firewall product. Even assuming that we use the
Windows Firewall, if there are services listening, such as remote
desktop, wouldn't then Windows XP be vulnerable to this?"

"Servers are a more likely target for this attack, and your firewall
should provide additional protections against external exploits,"
replied Stone and Bryant.
</snip>

If an employee managing a product that my company owned gave answers
like that to a public interview with Computerworld, they would be in
deep doo. First off, my default install of XP Pro SP2 has remote
assistance inbound, and once you join to a domain, you obviously accept
necessary domain traffic. This "no inbound traffic by default so you
are not vulnerable" line is crap. It was a direct question - "If RDP
is
allowed through the firewall, are we vulnerable?" A:"Great question.
Yes, servers are the target. A firewall should provide added
protection, maybe. Rumor is that's what they are for. Not sure
really.
What was the question again?"

You don't get "trustworthy" by not answering people's questions,
particularly when they are good, obvious questions. Just be honest
about it. "Yes, XP is vulnerable to a DOS. Your firewall might help,
but don't bet on it. XP code is something like 15 years old now, and
we're not going to change it. That's the way it is, sorry. Just be
glad
you're using XP and not 2008/vista or you'd be patching your arse off
right now."

If MSFT thinks they are mitigating public opinion issues by
side-stepping questions and not fully exposing the problems, they are
wrong. This just makes it worse. That's the long answer. The short
answer is "XP is vulnerable to a DoS, and a patch is not being
offered."

t



-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-
disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric C. Lukens
Sent: Tuesday, September 15, 2009 2:37 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?

Reference:


http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patc
hes_for_you_XP

MS claims the patch would require to much overhaul of XP to make it
worth it, and they may be right. Who knows how many applications
might
break that were designed for XP if they have to radically change the
TCP/IP stack. Now, I don't know if the MS speak is true, but it
certainly sounds like it is not going to be patched.

The other side of the MS claim is that a properly-firewalled XP
system
would not be vulnerable to a DOS anyway, so a patch shouldn't be
necessary.

-Eric

-------- Original Message --------
Subject: Re: 3rd party patch for XP for MS09-048?
From: Jeffrey Walton <noloader@xxxxxxxxx>
To: nowhere@xxxxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Date: 9/15/09 3:49 PM
Hi Aras,


Given that M$ has officially shot-down all current Windows XP
users
by not
issuing a patch for a DoS level issue,

Can you cite a reference?

Unless Microsoft has changed their end of life policy [1], XP
should
be patched for security vulnerabilities until about 2014. Both XP
Home
and XP Pro's mainstream support ended in 4/2009, but extended
support
ends in 4/2014 [2]. Given that we know the end of extended support,
take a look at bullet 17 of [1]:

17. What is the Security Update policy?

Security updates will be available through the end of the
Extended
Support phase (five years of Mainstream Support plus five years
of
the Extended Support) at no additional cost for most products.
Security updates will be posted on the Microsoft Update Web
site
during both the Mainstream and the Extended Support phase.


I realize some of you might be tempted to relay the M$ BS about
"not
being
feasible because it's a lot of work" rhetoric...

Not at all.

Jeff

[1] http://support.microsoft.com/gp/lifepolicy
[2] http://support.microsoft.com/gp/lifeselect

On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
<nowhere@xxxxxxxxxxx> wrote:

Hello All:

Given that M$ has officially shot-down all current Windows XP
users
by not
issuing a patch for a DoS level issue, I'm now curious to find out
whether
or not any brave souls out there are already working or willing to
work on
an open-source patch to remediate the issue within XP.

I realize some of you might be tempted to relay the M$ BS about
"not
being
feasible because it's a lot of work" rhetoric... I would just like
to hear
the thoughts of the true experts subscribed to these lists :)

No harm in that is there?

Aras "Russ" Memisyazici
Systems Administrator
Virginia Tech




--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/