IT Jobs
Microsoft updates Vista, but not XP
TCP/IP patches "will not be made available"
By Gregg Keizer | Computerworld US
Published: 10:33 GMT, 15 September 09
Microsoft late last week said it won't patch Windows XP for a pair of bugs it quashed in Vista, Windows Server 2003 and Windows Server 2008.
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.
"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast , referring to Windows 2000 and XP.
Windows XP set for early retirement | Microsoft cursor patch causes XP trouble | Hacker offers to sell Vista zero-day exploit | Google releases customised Internet Explorer
"An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast ( transcript here ).
Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible."
The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system . "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."
Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical."
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third, which doesn't affect the older operating systems, was rated "critical."
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if in certain scenarios their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.
Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."
Skipping patches is very unusual for Microsoft. According to Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003 , when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.
.gif)
Add your commentComments
Rick | Published: 14:03 GMT, 16 September 2009
This is absurd. In another article here on Technet, it is reported that Microsoft on one hand has embraced back-porting changes for Windows XP to defeat the Conficker worm and similar attacks, but here Microsoft is refusing to back-port the necessary changes for fixing the TCP/IP exploit to Windows XP? Microsoft needs to re-evaluate their commitment to their customers before they lose them all.
John P. Guckel - U.S.A. | Published: 13:39 GMT, 16 September 2009
Once again Microsoft has continued it's Trend to promise one thing, and do another. Support until 2014 for XP? I seriously doubt it! They are putting all their "Eggs in one basket". Windows 7 has not even earned rights to succeed yet and they are setting out to cut loose all previously released versions. Will they ever learn about sound marketing? I am waiting for Google, or any other OS, to appear on the market. Then I will make MY move leaving Microsoft in the dust. DIE MONSTER. DIE!