Tuulilapsi (reply to dp):
Re: Microsoft Security Bulletin(s) for September 8, 2009

The MS09-048 bulletin is confusing me. Must be the hour. Can anyone else make heads or tails out of which of those TCP/IP vulnerabilities apply to "non-default" configurations of XP that have listening services (because there certainly are some of those configs out there)? Is it only the denial of service vulnerabilities that affect such XP systems? Or does the remote code execution vulnerability affect them, too? The latter would be as bad as it gets, considering that there seems to be no patch for XP.
Romney2012:
said by Tuulilapsi:

    The MS09-048 bulletin is confusing me. Must be the hour. Can anyone else make heads or tails out of which of those TCP/IP vulnerabilities apply to "non-default" configurations of XP that have listening services (because there certainly are some of those configs out there)? Is it only the denial of service vulnerabilities that affect such XP systems? Or does the remote code execution vulnerability affect them, too? The latter would be as bad as it gets, considering that there seems to be no patch for XP.

Some explanations of all the fixes out today. Maybe one of them can answer your question:
www.pcworld.com/article/171597/m···law.html
swhx7 (reply to Tuulilapsi):
said by Tuulilapsi:

    The MS09-048 bulletin is confusing me. ... which of those TCP/IP vulnerabilities apply to "non-default" configurations of XP that have listening services...? Is it only the denial of service vulnerabilities that affect such XP systems? Or does the remote code execution vulnerability affect them, too? The latter would be as bad as it gets, considering that there seems to be no patch for XP.

I was puzzled by this too. The article cited by SUNnGOLF does not address this question.

This blogger, taosecurity.blogspot.com/2009/09···nst.html, raises the same question, and speculates that the non-fix may be intended to deter users from staying with XP (presumably to drive sales of Windows 7).

Based on the text of the bulletin, the only way XP would not be affected is if the vulnerability depends on "a listening service with an exception in the client firewall", but I don't see how that would be different from, say, turning off the MS firewall in favor of a third-party firewall, or none.

Also, Windows experts: is XP's TCP/IP really so different from 2000's? Maybe there is similarity such that the same considerations have led them not to fix this for XP.

And what does this imply about the support schedule for XP? That appeared to be a promise, but if MS feels free to opt out of security fixes, it is meaningless.
Tuulilapsi:
Well, I read the bulletin again, and it's still confusing to me. They have made it really hard to understand exactly which of the vulnerabilities in that bulletin affect XP (meaning, affect those "non-default configurations", which certainly are out there in masses, especially in company networks). It's as if they're trying hard not to make a clear statement on the issue.

In the FAQ this is said (emphasis mine):

    How are default configurations of Windows XP not affected by this vulnerability? By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. For the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall.

So, that suggests that it's only a denial of service that XP is affected by (in "non-default configurations"), but that alone is a real issue. But it doesn't say which of the two DoS vulnerabilities affect XP, or whether it's both.

And then there's the affected software list, which does suggest the same as well, although it doesn't actually say it.

The maximum security impact is listed as denial of service from Windows 2000 SP4 to Server 2003, and only with Vista does the impact go up to remote code execution. Seeing how XP falls in between 2k and Server 2003, you'd think XP only suffers from the denial of service vulnerability (-ies), as 2k and Server 2003 do. But if so, would it have hurt to just say it in plain English?

Still, I would sure expect MS to patch a remote denial of service vulnerability, regardless of whether the "default configuration" is affected or not!

For the MS guys probably reading this thread, can you shed any light on this issue?
swhx7:
This explains the severity, and how it's hard to exploit: blogs.technet.com/srd/archive/20···ies.aspx
Nothing about the XP situation, though.
AB (reply to Tuulilapsi):
said by Tuulilapsi:

    Well, I read the bulletin again, and it's still confusing to me. They have made it really hard to understand exactly which of the vulnerabilities in that bulletin affect XP (meaning, affect those "non-default configurations", which certainly are out there in masses, especially in company networks). It's as if they're trying hard not to make a clear statement on the issue. ... Seeing how XP falls in between 2k and Server 2003, you'd think XP only suffers from the denial of service vulnerability (-ies), as 2k and Server 2003 do. But if so, would it have hurt to just say it in plain English?

Microsoft Corp. employs an entire department to make sure everything gets posted in murky, nebulous, difficult to decipher double-talk. I refer to it as "Micro-speak". No doubt some form of 'plausible deniability' is involved somehow. I'm sure Microsoft fires people all the time for attempting to present information in a clear and concise, unequivocal fashion.

I read the bulletin as saying that anyone using XP with a 'non-default' configuration is advised to follow the steps in the 'workarounds' section:

    The mitigations and workarounds listed in the vulnerability details section also apply to Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2.

From "Workarounds for TCP/IP Zero Window Size Vulnerability - CVE-2008-4609":

    ... use the Internet Connection Firewall feature to help protect your Internet connection by blocking unsolicited incoming traffic. Microsoft recommends that you block all unsolicited incoming communication from the Internet.

Best I can make of it.
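The condition the FAQ quoted by Tuulilapsi describes, and the workaround AB quotes, both reduce to one question an XP administrator can answer from two command outputs: is any TCP service listening on a non-loopback address, and is that port reachable through the client firewall (an explicit exception, or the firewall turned off)? The script below is an added example for this thread, not code from Microsoft, the bulletin, or any poster. It parses the text that `netstat -ano` and `netsh firewall show state` print on XP SP2/SP3 and reports the listeners an attacker on the network could reach. The two sample outputs are constructed for the example, and the exact column layout it assumes is taken from typical XP output, so check it against a real box before trusting it on one.

```python
"""
Flag the MS09-048 exposure condition on Windows XP: a TCP service listening
on a non-loopback address AND reachable through the client firewall.

Inputs are the plain-text outputs of two XP-era commands:
    netstat -ano
    netsh firewall show state
Both samples below are constructed for this example (not captured data).
"""
import re
from dataclasses import dataclass

# Constructed `netstat -ano` output: File and Printer Sharing (139/445),
# RPC endpoint mapper (135), Remote Desktop (3389) and a loopback-only
# service on 1025.  One established RDP session is included as noise.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1028
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1140
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1360
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:3389       10.0.0.7:51022         ESTABLISHED     1140
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `netsh firewall show state` output: firewall on, exceptions
# on, with File and Printer Sharing and Remote Desktop ports opened.
NETSH_SAMPLE = """
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
139    TCP       Any      (null)
445    TCP       Any      (null)
3389   TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""


@dataclass(frozen=True)
class Listener:
    addr: str   # local address exactly as netstat printed it
    port: int
    pid: int

    @property
    def loopback(self) -> bool:
        # Loopback-only binds are unreachable from the network regardless
        # of firewall state, so they never count as exposure.
        return self.addr.startswith("127.") or self.addr == "[::1]"


# TCP rows in LISTENING state; non-greedy address so "[::]:135" also splits.
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+?):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat_listeners(text: str) -> list:
    """Return every TCP socket in LISTENING state from `netstat -ano` output."""
    found = []
    for line in text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def parse_netsh_state(text: str) -> tuple:
    """Return (firewall_enabled, exceptions_enabled, {open TCP ports})
    from `netsh firewall show state` output."""
    enabled = exceptions = False
    open_tcp = set()
    in_ports = False
    for line in text.splitlines():
        m = re.match(r"\s*Operational mode\s*=\s*(\w+)", line)
        if m:
            enabled = m.group(1).lower() == "enable"
            continue
        m = re.match(r"\s*Exception mode\s*=\s*(\w+)", line)
        if m:
            exceptions = m.group(1).lower() == "enable"
            continue
        if line.strip().startswith("Ports currently open"):
            in_ports = True          # table rows follow the header and dashes
            continue
        if in_ports:
            m = re.match(r"\s*(\d+)\s+(TCP|UDP)\b", line)
            if m and m.group(2) == "TCP":
                open_tcp.add(int(m.group(1)))
    return enabled, exceptions, open_tcp


def exposed_listeners(netstat_text: str, netsh_text: str) -> list:
    """Listeners reachable from the network, i.e. the bulletin's
    'listening service with an exception in the client firewall'."""
    enabled, exceptions, open_tcp = parse_netsh_state(netsh_text)
    external = [l for l in parse_netstat_listeners(netstat_text) if not l.loopback]
    if not enabled:
        return external     # firewall off: every external listener is reachable
    if not exceptions:
        return []           # 'block all unsolicited inbound': nothing reachable
    return [l for l in external if l.port in open_tcp]


def exposed_ports(netstat_text: str, netsh_text: str) -> list:
    return sorted({l.port for l in exposed_listeners(netstat_text, netsh_text)})


def with_mode(netsh_text: str, key: str, value: str) -> str:
    """Rewrite one '<key> = <value>' line, to model a firewall change offline."""
    return re.sub(rf"({re.escape(key)}\s*=\s*)\w+", rf"\g<1>{value}", netsh_text)


if __name__ == "__main__":
    for l in exposed_listeners(NETSTAT_SAMPLE, NETSH_SAMPLE):
        print(f"exposed: {l.addr}:{l.port} (PID {l.pid})")
```

On the sample data, port 135 is listening but stays behind the firewall, while 139, 445 and 3389 are reachable because of their exceptions; that is the distinction the FAQ draws between default and non-default XP. To run this against a real machine, redirect the two commands to files (`netstat -ano > netstat.txt`, `netsh firewall show state > fw.txt`) and pass their contents to `exposed_ports`. The "Exception mode = Disable" state the script treats as unexposed is what the workaround AB quotes produces; on XP SP2/SP3 the corresponding command (my addition, not from the bulletin text quoted here) is `netsh firewall set opmode mode=ENABLE exceptions=DISABLE`.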
swhx7:
said by AB:

    Microsoft Corp. employs an entire department to make sure everything gets posted in murky, nebulous, difficult to decipher double-talk. I refer to it as "Micro-speak". No doubt some form of 'plausible deniability' is involved somehow. I'm sure Microsoft fires people all the time for attempting to present information in a clear and concise, unequivocal fashion.

Hahahahahaha... so true.

Edit: the rest of my original post may have been premature.