Microsoft Says No TCP/IP Patches For XP

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"
  • Re:Yeah, right (Score:3, Informative)

    by Shrike82 ( 1471633 ) on Tuesday September 15, 2009 @08:23AM (#29424659)
    From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you...
  • Re:Yeah, right (Score:5, Informative)

    by oodaloop ( 1229816 ) on Tuesday September 15, 2009 @08:32AM (#29424725)
    The vast majority of DoD's systems are Windows XP with no plans of moving to Vista. US Central Command (CENTCOM) is the only command of which I've heard that has said it is moving to Vista, and FSM only knows why.
  • Re:Unclear (Score:2, Informative)

    by Corporate Troll ( 537873 ) on Tuesday September 15, 2009 @08:37AM (#29424763) Homepage Journal
    It reminds me a bit of NT 4.0 back in the day. They stopped giving out patches for critical vulnerabilities 6 months before the EOL of NT 4.0. The reasons were similar: "It cannot be done". How far away is the official EOL of Windows XP? Somewhere in 2012, no?
  • Re:Unclear (Score:4, Informative)

    by Corporate Troll ( 537873 ) on Tuesday September 15, 2009 @08:49AM (#29424877) Homepage Journal
    Here you go [microsoft.com]. Extended support is well into 2014. Mainstream support has already ended though.... Which is very strange considering XP is still sold with netbooks.
  • Re:Unclear (Score:4, Informative)

    by David Gerard ( 12369 ) <slashdot AT davidgerard DOT co DOT uk> on Tuesday September 15, 2009 @08:57AM (#29424969) Homepage

    It does if you have 2 gig of memory. Bit cramped with 1 gig. Unusable with 512MB.

    Windows 7 is more user-responsive than Vista, but its arse is just as fat.

  • Re:15 years old (Score:2, Informative)

    by ericlondaits ( 32714 ) on Tuesday September 15, 2009 @08:57AM (#29424971) Homepage

    From the article:

    In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

    Microsoft has been selling Windows XP SP2 and SP3 for some time now. I really wouldn't expect them patching plain old XP.

  • Re:Upgrade or Else (Score:2, Informative)

    by FaxeTheCat ( 1394763 ) on Tuesday September 15, 2009 @09:01AM (#29425027)
    >So, basically, upgrade or you'll be hacked?

    No. It is a DoS attack. It will not even crash your computer. For the average user, it is harmless.

    Quote from MS:
    The DoS attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity Low for Windows XP.
  • Re:Question (Score:3, Informative)

    by Amnenth ( 698898 ) on Tuesday September 15, 2009 @09:04AM (#29425061)
    XP and 2003 are distinct at the 32-bit level.

    However. XP x64 is actually just Server 2003 x64 rebadged.
  • by R2.0 ( 532027 ) on Tuesday September 15, 2009 @09:04AM (#29425077)

    "Ford tried that one, and when found out C became much larger. It is not a good business plan."

    Kind of. The Pinto gas tank issue had far more to do with Lee Iacocca when he was at Ford. In order to compete with the imports, he gave the designers and engineers a simple directive: "2000#, $2000". Whenever an issue made it up to his office, that was the answer the engineers got - including the gas tank issue. That way, he could deny having "decided" anything. The cost/benefit analysis was more a matter of cover for decisions that had already been made.

    "Class Action" may have borrowed elements from the Pinto, but it was fiction.

  • Re:Upgrade or Else (Score:1, Informative)

    by Anonymous Coward on Tuesday September 15, 2009 @09:31AM (#29425415)

    Can people PLEASE actually read the security bulletin? I'm not an MS fan by any means, but a quick review of the actual notice shows that the impact on 2000/XP systems is denial of service, not remote code execution. That's still bad, but nobody on XP will get "hacked" this way.

  • Re:Question (Score:1, Informative)

    by Anonymous Coward on Tuesday September 15, 2009 @09:38AM (#29425473)

    Ya. I agree - I'd think 2003 & XP similar to fix.

    Also - what about the netbooks that are still sold today with XP because Vista's such a hog?

  • Re:In other news... (Score:5, Informative)

    by UnderDark ( 869922 ) on Tuesday September 15, 2009 @09:51AM (#29425637)

    Link in case you think this is sarcasm: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=summary [kernel.org]

  • by gad_zuki! ( 70830 ) on Tuesday September 15, 2009 @09:53AM (#29425669)

    If you read the article you'll see systems with SP2 or SP3 are unaffected:

    "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

  • by Daltorak ( 122403 ) on Tuesday September 15, 2009 @09:56AM (#29425703)

    For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

    But that's not what they're doing! There is no remote code execution vulnerability on Windows 2000, XP, or Server 2003. Only Vista and Server 2008 are susceptible to remote code execution. This is a Denial of Service vulnerability on NT 5.x systems, and you have to have the firewall disabled (and, indeed, no stateful hardware firewall at all) in order to be vulnerable.

    The details are here:

    http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx [microsoft.com]

    It's fine to criticise Microsoft for not releasing a patch for XP, but let's at least get the facts about the vulnerability straight, first, yeah?

  • Re:Yeah, right (Score:4, Informative)

    by gad_zuki! ( 70830 ) on Tuesday September 15, 2009 @09:58AM (#29425749)

    Actually they won't have to do anything if they are running SP2 or higher. They won't be patching VANILLA XP BUT SP2 AND LATER ARE FINE. RTFA:

    "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday September 15, 2009 @10:00AM (#29425775) Homepage Journal

    The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not?

    You are being ridiculous. Microsoft under Bill Gates got a free pass from Ashcroft. The Gates Foundation is part of a program to push western IP law throughout the world; if you don't provide patent and other protections for big pharma, you don't get any inoculations. At the same time, the Gates foundation is making for-profit investments in things like oil refineries which are causing lung bleeding in children they're providing inoculation to. Meanwhile, the stated goal of eliminating certain diseases is impossible because the restrictions the foundation is placing mean that not all nations will pick up the inoculations, and a partial cure is no cure.

    Bill Gates is now part of the power structure controlling America and attempting to use it to control the world. Barring some one-step-away-from-a-persian-cat-and-a-monocle actions by BillyG, his future is secure.

  • Re:Yeah, right (Score:5, Informative)

    by gad_zuki! ( 70830 ) on Tuesday September 15, 2009 @10:04AM (#29425825)

    How about you read the article before you start yelling at your congressman? RTFA:

    In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

  • Re:Yeah, right (Score:4, Informative)

    by Moryath ( 553296 ) on Tuesday September 15, 2009 @10:17AM (#29425993)

    Let's see... Kia, Hyundai, Mitsubishi and GM all offer 10-year powertrain warranties (that's "engine parts, transmission, drive system") on new cars. Chrysler's powertrain is covered for "lifetime" [cars.com] as long as you keep a record of proper maintenance.

    Yeah, that's not "bumper-to-bumper" coverage, but TCP/IP is pretty damn close to an "essential" part of the car.

  • Re:XP is teh dead (Score:4, Informative)

    by Lulfas ( 1140109 ) on Tuesday September 15, 2009 @10:41AM (#29426317)
    Posting this way up here so people see it. Summary is mostly incorrect. From TFA: "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
  • by Anonymous Coward on Tuesday September 15, 2009 @10:53AM (#29426479)

    It's actually Alexander Peter Kowalski, and he's a freakin nutjob.
    His posts are ALWAYS like this... a bizarre mashup of English, symbols and general incomprehensibility.

    He likes to piss and moan about the HOSTS file not allowing 0 as a shorthand for 127.0.0.1

    -Yuri Klastalov-

  • Re:Yeah, right (Score:4, Informative)

    by iamhassi ( 659463 ) on Tuesday September 15, 2009 @10:55AM (#29426507) Journal
    "I don't particularly like Microsoft, in fact they are still my least favourite company in the world. But do you expect Adobe to keep bringing out patches for 8 year old versions of Photoshop?"

    Apples and oranges. Took M$ 5 years to come out with a new OS and that OS was crap, MS even admits Vista is crap [theinquirer.net]. So it comes out with a new OS 3 years later but it's not released yet, no support for it.

    So MS is saying "We won't patch XP because it's old, the Vista OS we patched is crap so don't use it, and the new Win7 OS has not been officially released so no support. Good luck!"
  • Re:Yeah, right (Score:5, Informative)

    by Anonymous Brave Guy ( 457657 ) on Tuesday September 15, 2009 @10:58AM (#29426541)

    Sales of Win7 are down so low MS isn't even promoting it in most places.

    Maybe that's because it won't be released until 22 October?

  • by Anonymous Coward on Tuesday September 15, 2009 @11:31AM (#29426941)

    First and foremost: remember, we're talking about Windows 2000 and Windows XP below.

    CVE-2008-4609 documents a problem with TCP stacks where established connections (meaning the initial SYN, SYN+ACK, ACK have already been experienced) can renegotiate their TCP receive window size to a small value (no idea what "small" means) or zero, the result being the number of available sockets on the machine becomes exhausted over time. Since TCP window sizes are negotiated, but not necessarily respected, there's really nothing one can do about this other than fix the stack, or allow added tuning for this. You can force window sizes (like you mention in your post), but that does not guarantee the remote end will honour them. This is Normal(tm).

    CVE-2009-1925 documents a much more serious problem with the Windows TCP stack: "a remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information." There's nothing one can do about this one other than fix the TCP stack. End of discussion.

    CVE-2009-1926 documents a problem with the Windows TCP stack where an already established TCP connection, with an agreed upon small (again, no idea what "small" is) or zero-sized TCP receive window, is closed with data still pending on the socket (likely shown as SendQ). When this scenario occurs, the Windows TCP stack never removes this entry from the state table. There's no indication or documentation from Microsoft as to whether or not this applies to sockets which have a) already gone through the FIN, ACK, FIN+ACK, FIN+ACK handshake, or b) is stuck in a "half-open" state where either the teardown handshake is severed/botched in mid-stream, c) is stuck in a "half-open" state elsewhere before socket teardown, or d) is stuck in a "half-open" state during RST.

    I think you're focusing on CVE-2009-1926, since you have excessive focus on "half-open" connections, but then simultaneously you switch to focusing on SYN.

    > TcpMaxHalfOpen
    > TcpMaxHalfOpenRetried
    >
    > Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)

    "Half-open" can refer to one of two things, depending on who you talk to: where from a source, SYN has been sent but has not received a SYN+ACK back (Windows calls this state SYN_RECEIVE, *IX calls this SYN_RECV) -- or -- a socket that has already been established but during tear-down never completes the full 4-way handshake (see above).

    > P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above)
    > SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...

    Please do not follow this advice. It has been stated by Microsoft in numerous KB articles that people should not use GlobalTcpWindowSize. The registry entry in question has been deprecated with the introduction of Windows 2000 and beyond; you should be using this [microsoft.com].

    Secondly, increasing/forcing/making static the TCP window size permitted does not "harden" the stack at all, or provide any direct effect on security. Instead, stop that and enable RFC1323 instead. There are numerous sites that describe this process. On servers in this day and age, RFC1323 is more or less mandatory, ideally if you're serving large content (greater than 64KB). Here are some links that describe RFC1323 in Windows:

    http://searchnetworking.techtarget.com.au/tips/27055-How-to-use-TCP-RFC-1323-to-improve-Windows-XP-s-network-performance [techtarget.com.au]
    h [speedguide.net]
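
As an added illustration of the zero-window socket-exhaustion pattern the post above describes for CVE-2008-4609 (an established connection that advertises a zero receive window and holds it), here is a small defender-side detector that is not code from the post, from Microsoft or from any referenced site. It runs over a constructed packet-summary trace; the tuple format, the 30-second hold threshold and the per-source limit are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed trace (not a real capture): (time_s, client "ip:port",
# TCP flags seen from the client, client's advertised receive window).
SAMPLE_TRACE = [
    (0.0,  "10.0.0.5:40001", "ACK", 65535),
    (0.5,  "10.0.0.5:40002", "ACK", 0),
    (0.7,  "10.0.0.5:40003", "ACK", 0),
    (1.0,  "10.0.0.5:40001", "ACK", 0),
    (2.0,  "10.0.0.9:51000", "ACK", 0),
    (20.0, "10.0.0.9:51000", "ACK", 8192),  # window reopened: normal flow control
    (45.0, "10.0.0.5:40001", "ACK", 0),     # still zero after 44 s
    (45.0, "10.0.0.5:40002", "ACK", 0),
    (45.0, "10.0.0.5:40003", "ACK", 0),
]


def find_zero_window_holds(trace, hold_seconds=30.0, per_source_limit=3):
    """Flag connections whose client kept a zero window for >= hold_seconds,
    and sources with at least per_source_limit such connections.

    Returns (flagged, sources): flagged maps connection -> longest hold in
    seconds; sources is a sorted list of client IPs over the limit.
    A single zero-window advertisement is legitimate flow control; only a
    sustained hold across many connections from one source is suspicious.
    """
    zero_since = {}   # connection -> time the window first hit zero
    hold_len = {}     # connection -> longest observed zero-window hold
    for t, conn, flags, window in sorted(trace):
        if "RST" in flags or "FIN" in flags:
            # Teardown ends the hold; a hold already recorded still counts.
            zero_since.pop(conn, None)
            continue
        if window == 0:
            zero_since.setdefault(conn, t)
            hold = t - zero_since[conn]
            hold_len[conn] = max(hold_len.get(conn, 0.0), hold)
        else:
            # Window reopened: the peer is draining data, so reset the clock.
            zero_since.pop(conn, None)

    flagged = {c: h for c, h in hold_len.items() if h >= hold_seconds}
    by_source = defaultdict(int)
    for conn in flagged:
        by_source[conn.rsplit(":", 1)[0]] += 1
    sources = sorted(s for s, n in by_source.items() if n >= per_source_limit)
    return flagged, sources


if __name__ == "__main__":
    flagged, sources = find_zero_window_holds(SAMPLE_TRACE)
    for conn, hold in sorted(flagged.items()):
        print(f"{conn}: zero window held for {hold:.1f} s")
    print("sources over limit:", sources)
```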

  • Re:Yeah, right (Score:4, Informative)

    by Sancho ( 17056 ) on Tuesday September 15, 2009 @11:36AM (#29427017) Homepage

    Both Vista and Windows 7 were sold as pre-orders for a reduced cost. In fact, Windows 7 is doing better than Vista at pre-orders:
    http://www.crunchgear.com/2009/07/15/in-8-hours-windows-7-pre-orders-overtake-vista-pre-orders/ [crunchgear.com]

  • by Otis_INF ( 130595 ) on Tuesday September 15, 2009 @12:25PM (#29427755) Homepage

    The problem is that anything can install such a listening service on XP making it instantly vulnerable. That XP SP2/3 isn't vulnerable by default is a 'mitigating factor' in MS Security bulletin lingo, not a reason not to patch.

    I don't understand why they're dragging their feet, as sooner or later something installs a listening service (or the user already has such a service) and it's over.

  • Re:Yeah, right (Score:1, Informative)

    by Anonymous Coward on Tuesday September 15, 2009 @12:51PM (#29428101)

    Maybe you should try thinking and realize that the default configuration is not what is used. Is Windows file and printer sharing enabled? How about remote desktop? The "stateful firewall" is a red herring -- that only helps if you don't have a service enabled and a spoof packet is sent faking the initial handshake. If you actually have a service enabled (go ahead, check any random XP system you want, especially in a corporate or government environment) spoofing isn't necessary.

    The summary above about "forced upgrades" appears to be spot on.

  • Re:I agree (Score:3, Informative)

    by CAIMLAS ( 41445 ) on Tuesday September 15, 2009 @01:03PM (#29428249)

    Except we're not talking about consumer toys and electronics (though some might argue that Windows XP is a 'toy OS'). We're talking about the OS with the largest corporate/business install base, ever. And there has been an official EOL date known for some time now - and this falls before that date.

  • Re:Yeah, right (Score:3, Informative)

    by shutdown -p now ( 807394 ) on Tuesday September 15, 2009 @01:04PM (#29428265) Journal

    In addition, it is my understanding that this is a remote code execution vulnerability.

    It is in Vista and Win2008, where it is fixed. In XP, it's just a DoS attack.

  • Re:Yeah, right (Score:2, Informative)

    by Anonymous Coward on Tuesday September 15, 2009 @02:13PM (#29429119)

    Yes, but from the transcript linked in the summary:
    Q: Is Windows XP vulnerable to MS09-048 without the Windows XP firewall?

    A: Yes but only for the two DoS vulnerabilities. The bulletin has been updated to indicate this and the severity for XP is low.

    This means in some corporate environments where IT has disabled the Windows FW, SP2 and SP3 are still vulnerable to DoS. And that vulnerability still hasn't been patched.
    So at its core the XP TCP/IP stack will still have this problem.
