| reply to dp
Re: Microsoft Security Bulletin(s) for September 8, 2009
September 2009 Security Release ISO Image
Brief Description: This DVD5 ISO image file contains the security updates for Windows released on Windows Update on September 8th, 2009.
»www.microsoft.com/downloads/deta···d19d95ab
-- Wilders Security Forum Admin, Microsoft MVP - Consumer Security

siljaline | reply to Romney2012
If you mean the "out of band" releases of late, yes, they would not apply to every second Full Tuesday of every month.

swhx7 | reply to Tuulilapsi
said by Tuulilapsi:
The MS09-048 bulletin is confusing me. ... which of those TCP/IP vulnerabilities apply to "non-default" configurations of XP that have listening services...? Is it only the denial of service vulnerabilities that affect such XP systems? Or does the remote code execution vulnerability affect them, too? The latter would be as bad as it gets, considering that there seems to be no patch for XP.

I was puzzled by this too. The article cited by SUNnGOLF does not address this question.
This blogger »taosecurity.blogspot.com/2009/09···nst.html raises the same question, and speculates that the non-fix may be intended to deter users from staying with XP (presumably to drive sales of Windows 7).
Based on the text of the bulletin, the only way XP would not be affected is if the vulnerability depends on "a listening service with an exception in the client firewall", but I don't see how that would be different from, say, turning off the MS firewall in favor of a third-party firewall, or none.
Also, Windows experts: is XP's TCP/IP really so different from 2000's? Maybe there is similarity such that the same considerations have led them not to fix this for XP.
And what does this imply about the support schedule for XP? That appeared to be a promise, but if MS feels free to opt out of security fixes, it is meaningless.

Tuulilapsi |
Well, I read the bulletin again, and it's still confusing to me. They have made it really hard to understand exactly which of the vulnerabilities in that bulletin affect XP (meaning, affect those "non-default configurations", which certainly are out there in masses, especially in company networks). It's as if they're trying hard not to make a clear statement on the issue.
In the FAQ this is said (emphasis mine):
quote: How are default configurations of Windows XP not affected by this vulnerability? By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. For the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall.
So, that suggests that it's only a denial of service that XP is affected by (in "non-default configurations"), but that alone is a real issue. But it doesn't say which of the two DoS vulnerabilities affect XP, or whether it's both.
And then there's the affected software list, which does suggest the same as well, although it doesn't actually say it.
The maximum security impact is listed as denial of service from Windows 2000 SP4 to Server 2003, and only with Vista does the impact go up to remote code execution. Seeing how XP falls in between 2k and Server 2003, you'd think XP only suffers from the denial of service vulnerability (-ies) as 2k and Server 2003 do. But if so, would it have hurt to just say it in plain English?
Still, I would sure expect MS to patch a remote denial of service vulnerability, regardless of whether the "default configuration" is affected or not!
For the MS guys probably reading this thread, can you shed any light on this issue?
-- Limited User Accounts. Software Restriction Policies. How about the short version?

swhx7 |
This explains the severity, and how it's hard to exploit. »blogs.technet.com/srd/archive/20···ies.aspx Nothing about the XP situation though.

AB | reply to Tuulilapsi
said by Tuulilapsi:
Well, I read the bulletin again, and it's still confusing to me. They have made it really hard to understand exactly which of the vulnerabilities in that bulletin affect XP (meaning, affect those "non-default configurations", which certainly are out there in masses, especially in company networks). It's as if they're trying hard not to make a clear statement on the issue. . . . . . Seeing how XP falls in between 2k and Server 2003, you'd think XP only suffers from the denial of service vulnerability (-ies) as 2k and Server 2003 do. But if so, would it have hurt to just say it in plain English?

Microsoft Corp. employs an entire department to make sure everything gets posted in murky, nebulous, difficult to decipher double-talk. I refer to it as "Micro-speak". No doubt some form of 'plausible deniability' is involved somehow. I'm sure Microsoft fires people all the time for attempting to present information in a clear and concise, unequivocal fashion.
I read the bulletin as saying that anyone using XP with a 'non-default' configuration is advised to follow the steps in the 'workarounds' section:
quote: The mitigations and workarounds listed in the vulnerability details section also apply to Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2.
From "Workarounds for TCP/IP Zero Window Size Vulnerability - CVE-2008-4609":
quote: . . use the Internet Connection Firewall feature to help protect your Internet connection by blocking unsolicited incoming traffic. Microsoft recommends that you block all unsolicited incoming communication from the Internet.
Best I can make of it.

swhx7 |
said by AB:
Microsoft Corp. employs an entire department to make sure everything gets posted in murky, nebulous, difficult to decipher double-talk. I refer to it as "Micro-speak". No doubt some form of 'plausible deniability' is involved somehow. I'm sure Microsoft fires people all the time for attempting to present information in a clear and concise, unequivocal fashion.

Hahahahahaha... so true.
Edit: the rest of my original post may have been premature.

norwegian | reply to dp
Not sure why this is happening for me.
Failed Updates: Office Genuine Advantage Notifications (KB949810) Microsoft Office 2002/XP
Running XP Pro, 32-bit, SP3
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

jabarnut | reply to dp
Thanks for the heads up dp! (And Nick.) Little late with the thanks, but got the updates Tues... all is well on 4 machines (2 XP, 2 Vista).
said by norwegian:
Not sure why this is happening for me. Failed Updates: Office Genuine Advantage Notifications (KB949810) Microsoft Office 2002/XP

Boy, some people are just plain lucky.
-- I had a life once..... now I have a Computer and a Modem.

swhx7 | reply to dp
MS09-048 has been updated to acknowledge XP is affected. »www.microsoft.com/technet/securi···048.mspx Still no fix. The vulnerability is DoS only, according to Msoft.
Comment: »taosecurity.blogspot.com/2009/09···-xp.html

Tuulilapsi |
Oh well, at least the bulletin now accurately lists XP as affected and actually explains which of the vulnerabilities affect it. Fortunately for the world, it's only the denial of service vulns. They aren't anywhere near as bad as the code execution vulnerability that affects Vista. Still, the DoS vulns are still an issue, and I don't see why they should not be fixed.
Norwegian, looks like you're in luck. I don't think you really want to install the Office Genuine Advantage Notifications update. You may google for the reason why. If your Office installation is legal, then it is, and the OGA Notify does nothing of benefit to you.
-- Limited User Accounts. Software Restriction Policies. How about the short version?

norwegian |
I realise it isn't a security fix and OGA isn't important, but I can assure you this isn't a cracked licence.
Maybe because this isn't a single end user licence and is an administrator (enterprise) copy, it isn't installable or valid, even though initially Microsoft detected I needed it.
Everything else went fine though. Thanks for the posting of this topic too, by the way. I have it set to manual for updating here and sometimes forget the time of the month.
-- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

| reply to NICK ADSL UK
Thursday, September 10, 2009 11:22 AM by MSRCTEAM
Monthly Security Bulletin Webcast Q&A - September 2009
»blogs.technet.com/msrc/pages/mon···009.aspx

| reply to dp
Speaking of security bulletin MS09-047, it has some inaccurate information pertaining to update KB968816.
The KB968816 updates from MS09-047 DO NOT REPLACE the KB950269 updates from MS08-076 as incorrectly stated in security bulletin MS09-047. Compare the files from KB968816 and KB952069. KB968816 does NOT include the LOGAGENT.EXE & WMNETMGR.DLL files that were present in KB952069.
Spread the word about this until Microsoft fixes the information in security bulletin MS09-047 OR offers revised KB968816 updates to include the missing LOGAGENT.EXE & WMNETMGR.DLL files.