Microsoft Says No TCP/IP Patches For XP 759
Posted by timothy from the to-improve-your-customer-experience dept.
CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"
In other words (Score:3, Insightful)
"not feasible"
yeah right, more like MS wants people to move onto Windows 7
15 years old (Score:5, Insightful)
I agree (Score:2, Insightful)
MS hate aside, they're just doing what they've always done. We don't get our panties in a knot when they don't release a Win 98 patch, do we? With Win 7 on our doorstep, there is no reason for MS to be supporting three separate OS. Well, aside from customer service. I just sort of shrug my shoulders and deal with it. Anyone running XP knows they're doing it because Vista/7 don't appeal to them; deal with the consequences.
In other News: XP not affected by Vista/W7 bugs! (Score:3, Insightful)
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."
Yes, it's easy to take the "We won't be backporting this fix" stance when the old OS isn't vulnerable in the first place.
Remote code execution is LOW impact? (Score:3, Insightful)
For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.
And somehow, the TCP stack, perhaps the most modular and with the most well-defined interfaces, can't be replaced wholesale.
This makes no sense, unless they're trying to get people to spend $$$ on moving to "Windows 7",
or as the cognoscenti call it, "Vista SP2".
ooooohhh.....
In other news... (Score:5, Insightful)
In other news... 10 year old Linux 2.4 kernel patched yesterday...
Re:15 years old (Score:5, Insightful)
This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.
Re:Yeah, right (Score:5, Insightful)
The Navy will simply subcontract-out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result. It will employ some 10,000 workers at a cost of 1.4 trillion dollars. Then it will fail to come-in on time, so they'll spend an extra 6 months and 0.3 trillion on schedule overrun.
That's SOP for the government.
Re:Upgrade or Else (Score:4, Insightful)
The XP virtual machine is not accessible from outside as it talks via a NAT router. Any attack would need to come from the Windows 7 host machine, but if that was pwned, there are many other ways to attack the XP virtual machine.
the true cost (Score:4, Insightful)
Xubuntu (or your favorite) for Netbooks (Score:3, Insightful)
There is really no reason for XP on a netbook any more. You aren't using it as a high end gaming platform. You aren't running Adobe Creative stuff on it.
You are using it to run FireFox, edit documents, read, IM and send email.
Linux has all that covered and is even document-compatible with Windows.
I have an Eee 900A with a 32GB SSD in it running Xubuntu and I connect to a corporate Radius network, bluetooth tether to my phone, and even use the web version of Outlook on it to get at calendars.
Flash even works.
The only thing I can't do that would be nice is play Netflix movies as the Moonlight package does not have DRM in it (and likely never will.)
Re:Yeah, right (Score:2, Insightful)
Your car has a 15 year warranty I take it. And at your request your car manufacturer gave you all of the blueprints and circuit board diagrams and codes and sensor readouts and dyno information and design documents that helped them design and build your car right?
It's infeasible to support code this old. They didn't say it was impossible. Infeasible means that yes, they could spend lots of their money fixing code that is 15 years old. They could also spend that money to try and make new software that performs better on the whole.
Why do so many people dig into Microsoft for something that every company does? In fact, Microsoft is much better at supporting their older software than most companies. (Take a look at Apple for example.)
Stop blaming Microsoft for not pandering to your individual needs. They are a company. They make a product. Heaven forbid they try to make money off of it instead of offering insane 15 year + support.
Okay, we get it. This is leverage for 7 migration (Score:2, Insightful)
Clearly, this is something Microsoft is leveraging to get people to move to Win7. (You know, in some fonts "Win7" looks rather similar to "Win?") But I have to wonder:
There will be large government installations that still need to use Windows XP. Will they get this impossible patch? Also, do Microsoft's support claims for Windows XP fit within this window and if not, how can Microsoft pull a stunt like this? Doesn't this mean they are dropping support for Windows XP "early"?
What really needs to happen is that "the public" needs to be aware of what is happening and, in Fox News style, be instructed how to feel and respond to it.
2014 ???? (Score:5, Insightful)
Re:Yeah, right (Score:1, Insightful)
No, no, .... recycle it. Please!
Re:Remote code execution is LOW impact? (Score:3, Insightful)
There's no remote code execution possible with this on XP, only DoS. You can make the system essentially freeze while the packeting is going on but that's it. Only Vista and Server 2008 have remote code execution exploits from this bug.
Also you can only exploit this if the machine has software accepting TCP connections. If you have an (application) firewall blocking all incoming connections with no exceptions (such as XP SP2+ has by default) there's no real problem.
Re:Unclear (Score:3, Insightful)
There are essentially no software liability regulations.
Re:My job is to apply "The Formula" (Score:3, Insightful)
A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crushes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...
If X is less than the cost of a recall, we don't do one.
The first rule of screwing the public is we don't talk about screwing the public.
The second rule of screwing the public is WE DON'T TALK ABOUT SCREWING THE PUBLIC!
Re:Yeah, right (Score:4, Insightful)
Translation: "Sales of Vista didn't go well due to Vista being crap, and Win7 isn't actually all that much better, so rather than offer a product people actually want we're going to exploit our monopoly and withhold necessary security fixes from others in order to force people to 'upgrade.'"
Bad Car Analogy. You know it is coming ;-) (Score:5, Insightful)
Today GM announced that the GMC trucks have some fundamental flaw and they are prone to explode randomly. GM said it won't fix the issue because the design is very old, and fixing it is unfeasible. When asked if they will when they stopped shipping trucks with the fatal flaw, GM spokesman said, "we have not stopped building or shipping them yet. We need to compete with the low cost competitors in the net-truck market and so we continue to make and ship the trucks, but we won't fix the safety issue. The drivers may wrap themselves in bags filled with thermocol peanuts to get some measure of protection."
If not, why do we let Microsoft get away with it?
Re:15 years old (Score:3, Insightful)
Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.
If a defect in a 1994 Taurus was found, Ford would recall the vehicles at great expense to them. Especially if it was a design defect in an engine that was basically used in an engine still produced for a 2003 Taurus.
There is NO excuse for any software company to NOT patch security holes in any product, no matter how old.
Re:Yeah, right (Score:5, Insightful)
Except I bought a brand NEW license of XP on my Acer netbook less than 1 year ago. That means Microsoft received NEW payment for that license in the last year (and a bunch of others) so obviously they're making money on it. Unlike patching cars you don't have to make additional parts, once you fix the problem in one copy of XP it is near-zero to fix the problem for ALL XPs as they're exactly the same.
My local stores still sell NEW netbooks with NEW licenses of XP on them... where's bug support for the new buyers?
Re:Yeah, right (Score:3, Insightful)
Best Buy's Training FUD (Score:5, Insightful)
Best Buy's recent "training" slide #9, where they say that "Linux is safer than Windows" is a myth, the "Real Facts" states (referring to Linux) 'There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own.'
Here's proof that that statement is really talking about Windows...
Re:Good Bye Microsoft (Score:3, Insightful)
Re:US Navy already ditching M$ (Score:4, Insightful)
Re:Yeah, right (Score:3, Insightful)
Apparently they mispronounced "unprofitable". Because that's why they're not doing it, they don't want to spend the money and plus they want everyone to (pay for the) upgrade to Windows 7.
It's pretty much standard operating procedure for most corporations.
They could, they just don't want to... (Score:5, Insightful)
Please..all underlying architecture has not changed from xp to vista, even though they want you to believe this...and for them to correct the wrapper on xp, would be trivial, however, they are testing the waters about phasing out xp, and want to see what the backlash will be like, seeing as no one wants vista garbage, and maybe even no windows7!
I prefer, being given the opportunity of just paying a yearly fee to keep getting updates on a system that runs properly compared to their new bloated versions of vista etc... too bad no one can pick it up like a linux distro and start their own version of windows...
Re:Yeah, right (Score:3, Insightful)
Re:Unclear (Score:3, Insightful)
It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.
The Coca-Cola Corporation also had a steady worldwide revenue stream with its nearly 80 years old original Coke formula, and everything went smoothly when it upgraded it to the improved and more delicious New Coke- Oh wait.
Well, this is just MS's own business practices backfiring. MS with XP, Vista, and Win7 is now competing with itself, so MS's own aggressive monopoly defenses/dirty tricks dept. is seeking to derail its own most successful OS! I wonder if they'll try to embrace, extend, and extinguish themselves next?
Yes kiddies, that was sarcasm.
Strat
In other words... (Score:4, Insightful)
in other words:
it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....
The solution is rather obvious (Score:4, Insightful)
Weighted Down? (Score:1, Insightful)
I wonder if the enormous deployment of XP will be the concrete block that causes Microsoft to sink to the bottom of the river.
If Microsoft could not get XP users to adopt Vista and Win7 does not get them to upgrade either, then XP customers' inertia will pull Microsoft down.
Microsoft can never go forward with XP users rejecting any new OS it produces.
Re:15 years old (Score:3, Insightful)
And yet, it is still available through OEM channels. Maybe distributors are ordering it through a wormhole?
Re:Weighted Down? (Score:3, Insightful)
Re:15 years old (Score:3, Insightful)
> This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.
The article mentioned an effective workaround: turn on Windows Firewall.
Re:Yeah, right (Score:2, Insightful)
Sounds like an opportunity for a class action lawsuit. When you win, the lawyer will get rich and you will get a coupon for a discounted Windows 7 License.
I hear that if you join the IEEE and wait a week, they'll invite you to join the PC Club for $10 off. It apparently gets you Windows and other goodies like Visual Studio. Perhaps after Windows 7 ships they'll get it. Students join for $32, so take an online or local class you've been waiting on to make it cost effective.
Anyone know any other crafty ways to get Windows? :)
Re:US Navy already ditching M$ (Score:4, Insightful)
Red-Hat is commercial product. They're moving to the best of the two worlds: a cheap commercial product which they *can* adapt to their needs.
Re:I agree (Score:4, Insightful)
Because Apple stopped selling versions older than 10.5 nearly two years ago and the upgrade to 10.6 is thirty dollars retail. Microsoft is still selling XP licenses.
Re:Yeah, right (Score:2, Insightful)
Alternatively, sue Microsoft because they're breaking a sales promise. Windows XP is officially supported ("Extended Support" including security fixes) until mid 2010.
From Wikipedia [wikipedia.org]:
They still sold/licensed XP as late as June 2008, which means that in Europe they're even in the mandatory two-year warranty period, regardless of whether they claim your warranty expired in the "Extended Support" phase. I hope they get sued to hell and back. And then back again.
Re:Yeah, right (Score:3, Insightful)
Maybe they should stop offering XP licenses then. (So what if it makes some room in the market for ubuntu netbook remix)
Re:Yeah, right (Score:2, Insightful)
Re:Typical Microsoft (Score:3, Insightful)
TCP/IP, selling knowingly defective products (Score:5, Insightful)
Since the government has been ineffective in enforcing these laws, falling for MS legal theories, only insistent market rejection will [partially] protect a consumer from the borg. No doubt we will be seeing more FUD IP attacks, like SCO, traceable to MSFT. Good luck to all. Fsck MSFT.
Car/engine = Netbook/XP (Score:5, Insightful)
Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.
Re:Yeah, right (Score:3, Insightful)
> Heaven forbid they try to make money off of it instead of offering insane 15 year + support.
FreeBSD started as a branch of BSD, which began around 1977. Somehow a group of volunteers manages to support 32 year old code.
stop this slashdot bashing and RTFA (Score:1, Insightful)
and nobody here on slashdot notices that they actually explained that xp past sp2 doesn't NEED the fix, as it's written and documented.
reason: it's a flaw that affects all systems that have a listening service of some form on the firewall. all server os have it, vista, win7 have it. but xp doesn't.
so it doesn't NEED THAT FIX.
stop slashdotting and bashing microsoft, all of you.
(and i fully support that they don't care about pre sp2 windows xp anymore, as no one should)
Re:Yeah, right (Score:4, Insightful)
This is not Microsoft's fault. Talk to whoever created a web site that only works in specific versions of a specific browser.
RTFA? Oh wait... it's slashdot. (Score:2, Insightful)
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Interesting enough, if you are that concerned about security, then you probably already installed at least SP2. Which means that your XP box is NOT vulnerable to this type of attack. I guess computerworld needed a flashy headline to get some clicks and ad revenue.
Re:Yeah, right (Score:5, Insightful)
How does this rate insightful, when the fellow knows nothing about his topic?
Weird assertion: "Sales of Win7 are down so low MS isn't even promoting it in most places"
Newsflash: There is no retail release of Win7 yet.
Good point? "underpromise and overdeliver. They have been doing the opposite and wonder why people hate them."
Excellent diagnosis. MS should also learn how to sell to the business, preferably the CFO - not keep hyping 'features' to IT - often the most dysfunctional outfit in any org.
Wild claim: "There are lots of groundbreaking problems that people will not touch with a 20 foot pole"
C'mon! Cite a bloody reference, or just yell "FIRE!" in a crowded theatre!
In reality you make claims about Windows 7 sales that cannot be backed up - and use unspecific criticism to support the claim, without evidence. Allow me to explain some basics.
The bulk of Corporation and Government purchases? They already owned Windows 7, before it was released, through the Software Assurance benefit in their contract through their reseller. Microsoft measures "deployment", not "sales" with these folks... You know Home Depot, Wal*Mart, Hewlett Packard, General Motors, even Google.
Despite not even being offered as a public, retail item, Windows 7 will do very well on the day it goes to market. Retail sales are a tricky number. Most are through OEM installation on new computers - not shiny disc SKUs. So, for 2 months, these have been ramped through the manufacturing channels.
Let's talk in February - when the after-Christmas inventory purge is complete. Then we can compare notes.
Re:Good Bye Microsoft (Score:3, Insightful)
Re:you are off (Score:5, Insightful)
Your argument doesn't work either though IMO. For one thing software changes a lot quicker than car technology so I was being pretty kind saying 10 years for the car stuff. You might expect a dealer to service a 30 year old car, but you're probably going to have to pay through the nose for it (and I've read of at least one case where a dealer didn't have the parts to service a car because it was so old).
XP is not the latest software, it is simply the most popular. Even if the majority of people in the world preferred the original VW Beetle from the 30s (or whenever it started production, I think it was in production for something crazy like 50 years), it doesn't mean that VW are still obliged to find and fix design flaws in it. You'd expect a product recall if a large problem was found in the latest incarnation of the Beetle sure - but we're not talking about the latest version, we're simply talking about the most popular version, and it's getting out of its support lifetime. I don't think any other version of Windows has lasted so long.
In this case the WINE team or some group like that could probably produce a replacement version of the TCP/IP stack to stick into Windows, it would be the equivalent of having to buy 3rd party copies of OEM parts for an ancient car. Yes you can "keep it running", but the original manufacturer has stopped supporting it. MS are not shutting down all old copies of XP, they're simply stopping support.
IMO it would be nice of them to keep supporting it, and some companies would do so, but they have no obligation to. And it's definitely not MS's style to be 'nice'.
Re:Car/engine = Netbook/XP (Score:4, Insightful)
The problem with all these analogies is Microsoft DID put a long warranty on XP, and SP2 is still covered.
http://support.microsoft.com/lifecycle/?LN=en-us&x=8&y=10&C2=1173 [microsoft.com]
So the analogy here is, you buy a car. The manufacturer offers a 15 year warranty. 10 years in they find a flaw, they don't fix it and instead tell you to take it to a third party mechanic for a workaround at which point you find some lawyers and sue their contract breaching butt into next year.
Re:In other words... (Score:3, Insightful)
It isn't a feigned argument. Having development resources, development environments, build engineers, QA testers, release engineers + assorted managers to fix vanilla XP when it's already fixed by a service pack is a monumental waste of time. Just keeping a shoestring operation running would probably cost MS tens of millions of dollars in resources.
Of course they're not going to want to do it. I'm sure if you paid them enough money they might of course, but who could blame them?
Re:Yeah, right (Score:3, Insightful)
Re:Yeah, right (Score:4, Insightful)
Re:Yeah, right (Score:3, Insightful)
Apparently the marketing trick worked. People are talking about Windows 7 as if it were something other than Vista when in reality it's Vista with a service pack and a rename.
Re:Yeah, right (Score:2, Insightful)
And ruin wars in foreign countries for Gallium? No way.
Re:Yeah, right (Score:5, Insightful)
> They would also be perfectly within their rights to stop making
> Windows altogether and start manufacturing refrigerators...
Knowing Microsoft, it'll probably be their first product that never freezes.
Re:Yeah, right (Score:3, Insightful)
Microsoft gave people the tools to make IE6 only websites and pushed hard to get people to use them
So IE6 Only Web applications are very common inside businesses (and the Navy)
Microsoft have not given an easy upgrade path for any of these applications, and IE7/8 break them, and so it is 100% Microsoft fault ....
Re:In other words... (Score:1, Insightful)
> it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....
Except those hackers consider the endeavor a failure, more than a year ago.
From Here [blogspot.com]
It is with great sadness that I announce the closing of Falling Leaf Systems, LLC. We set out over a year ago to provide users of both "old and unsupported" as well as "alternative" Operating Systems the ability to run the latest games for the PC. Unfortunately, Falling Leaf Systems was unable to achieve that goal.
So, what, is it that we've redefined success to include failure, which means that the failed attempt to port DX10 to XP, now counts as a success and proves Microsoft wrong?
Re:XP is teh dead (Score:4, Insightful)
The XP firewall is practically fucking useless to begin with. That still doesn't give them the right to jump out of a contractual support obligation 5 years in advance.
Re:Yeah, right (Score:3, Insightful)
Re:But anything can install such a service (Score:3, Insightful)
Here's more ammo - Microsoft offers a fix for Windows Server 2003 which is based on many of the same core components as Windows XP. You very well might be able to use the Windows Server 2003 hotfix on Windows XP without any modification. If I were in charge of patching desktops in a large corporate environment (and I was at one point), that's exactly what I would do (after testing that it works) while screaming bloody murder to my Microsoft rep. Then, I'd let the network guys know about it so they can lock things down at the gateway, as well, if it wasn't already.
Translation: "By NOT fixing Windows XP like we should, we are artificially creating a reason for you home users to 'upgrade' to Windows Vista or Windows 7 and seriously pissing off our corporate customers."
Re:In other words... (Score:1, Insightful)
DX10 was never ported to XP in any significant manner. It was from this project: which hasn't been updated since January, 2008 [blogspot.com] as it is now defunct. If you want to try to make something of the work that they started (meaning actually getting it to easily allow you to use DX10 in a meaningful manner on non-Vista/7 platforms) they did release their work under the LGPL. But honestly, this isn't going anywhere because Microsoft was just simply not talking out of its ass when it said porting DX10 to XP is not so trivial as some make it seem.
Maybe you should look into things before you start throwing around statements you can't support.
Re:Yeah, right (Score:3, Insightful)
"The start orb now has a fade-in highlight effect when the user moves the mouse over it."
Truly I was mistaken. Clearly these are the sort of things that distinguish one operating system from another and are not merely a fluff list.
It's not the size of the feature list, but how you use it. Quite frankly, if fade-in highlight effects are even on the list then it is obviously a slow news day.