Slashdot Mirror


Microsoft Says No TCP/IP Patches For XP

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"

759 comments

  1. Yeah, right by DoofusOfDeath · · Score: 5, Interesting

    "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista"

    The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

    1. Re:Yeah, right by Shrike82 · · Score: 2, Informative

      From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you...

      --
      You can advertise in this sig from as little as £99.99 a month!
    2. Re:Yeah, right by Cryophallion · · Score: 5, Interesting

      I just had to post an invoice to the Marine Corps' web site. I luckily had one computer at work that was not upgraded to IE8. It would only respect IE6 or 7, and had some issues if I just changed the user agent on FF.

      If people keep being forced to upgrade their browsers, no one will be able to use the government systems anymore.

      I'm sure it will be an issue for the little companies billing, but you'll never hear about it.

    3. Re:Yeah, right by commodore64_love · · Score: 5, Insightful

      The Navy will simply subcontract out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result. It will employ some 10,000 workers at a cost of 1.4 trillion dollars. Then it will fail to come in on time, so they'll spend an extra 6 months and 0.3 trillion on schedule overrun.

      That's SOP for the government.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    4. Re:Yeah, right by Anonymous Coward · · Score: 4, Interesting

      Ah, so when it comes to patching severe holes the codebase is way too old with its 12 - 15 years, but when it comes to revealing the source it is still very relevant. Then how does patching very relevant code become "not feasible"? "Can't" or "won't"? Which is it, MS?

    5. Re:Yeah, right by commodore64_love · · Score: 5, Funny

      Whatever. I'll just keep using XP until it crashes and burns, and then I'll toss this PC into the trash and get a new $300 PC at Walmart with Windows 8 already installed. That's my upgrade path.

      BTW anyone want to buy a Windows 95 laptop? It's harmless (mostly).

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Yeah, right by oodaloop · · Score: 4, Informative

      The vast majority of DoD's systems are Windows XP with no plans of moving to Vista. US Central Command (CENTCOM) is the only command of which I've heard that has said it is moving to Vista, and FSM only knows why.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    7. Re:Yeah, right by EastCoastSurfer · · Score: 1

      Sounds like a stimulus to me...

    8. Re:Yeah, right by Anonymous Coward · · Score: 2, Insightful

      Your car has a 15-year warranty, I take it. And at your request your car manufacturer gave you all of the blueprints and circuit board diagrams and codes and sensor readouts and dyno information and design documents that helped them design and build your car, right?

      It's infeasible to support code this old. They didn't say it was impossible. Infeasible means that yes, they could spend lots of their money fixing code that is 15 years old. They could also spend that money to try and make new software that performs better on the whole.

      Why do so many people dig into Microsoft for something that every company does? In fact, Microsoft is much better at supporting their older software than most companies. (Take a look at Apple for example).

      Stop blaming Microsoft for not pandering to your individual needs. They are a company. They make a product. Heaven forbid they try to make money off of it instead of offering insane 15 year + support.

    9. Re:Yeah, right by commodore64_love · · Score: 4, Interesting

      Many people have compared defense work to "white collar welfare". I think the private companies are more frugal than that, since they are constantly cutting costs & laying off workers, but having worked at the FAA it seems like a sound argument. I saw government workers sitting around doing nothing but surfing the net day after day. The FAA could lay off 75% of the workforce and not notice any drop in output.

      But of course if the FAA did that, then the politicians who represent those workers would scream bloody murder, and the layoffs would be canceled.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    10. Re:Yeah, right by blueg3 · · Score: 1

      I think you confuse the words "withhold" and "not provide". You cannot withhold something you do not have in the first place.

    11. Re:Yeah, right by Anonymous Coward · · Score: 1, Insightful

      No, no, .... recycle it. Please!

    12. Re:Yeah, right by MindKata · · Score: 3, Funny

      "From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you..."

      So a bit like the old saying, "That's like buying a dog, and then having to spend your time barking to scare off any potential burglars."

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    13. Re:Yeah, right by Moryath · · Score: 4, Insightful

      Translation: "Sales of Vista didn't go well due to Vista being crap, and Win7 isn't actually all that much better, so rather than offer a product people actually want we're going to exploit our monopoly and withhold necessary security fixes from others in order to force people to 'upgrade.'"

    14. Re:Yeah, right by HangingChad · · Score: 5, Funny

      The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP.

      I questioned the Navy's IT management for years, failing to see the long-term wisdom behind the program and thinking it was a pork spending program awarded to political insiders. But, I'm forced to admit NMCI has been tremendously successful at bringing productivity to a near standstill. Patching computers no one can use is hardly even necessary.

      As a bonus the Navy has an inexhaustible supply of boat anchors!

      Absolutely brilliant.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    15. Re:Yeah, right by CaptBubba · · Score: 1

      I have to wonder how much of the stickiness of Windows XP is from businesses and government which are tied to IE6 for intranet or custom apps.

      Upgrade costs (both in hardware and time lost) for just the operating system would be large, but add in redesigning, debugging, and certifying new versions of the tools used day-to-day in a company/division and it just would be insurmountable.

    16. Re:Yeah, right by Anonymous Coward · · Score: 0

      If they switched to Linux, it would come in on time and under budget. But when has the customer (DoD) been smart about that?

    17. Re:Yeah, right by mabhatter654 · · Score: 4, Insightful

      Except I bought a brand NEW license of XP on my Acer netbook less than 1 year ago. That means Microsoft received NEW payment for that license in the last year (and a bunch of others) so obviously they're making money on it. Unlike patching cars you don't have to make additional parts, once you fix the problem in one copy of XP it is near-zero to fix the problem for ALL XPs as they're exactly the same.

      My local stores still sell NEW netbooks with NEW licenses of XP on them... where's bug support for the new buyers?

    18. Re:Yeah, right by PBoyUK · · Score: 3, Insightful

      The point is, it's Microsoft's fault that the problem has been allowed to escalate. It's Microsoft that released a hideous "upgrade" to XP and allowed it to continue well past the point where it should have been consigned to history. It's Microsoft that continues selling a defunct OS out of a scrambling fear to stop a competitor from making inroads into a netbook market that they had disregarded. How many millions of netbooks with XP on them have been sold over the past 2 years? MS apologists like yourselves harp on about how ridiculous it is to support a 15 year old codebase. But guess what, if you continued selling the product of that codebase until recently, then yes, the consumer has a right to expect it to be maintained.

    19. Re:Yeah, right by erroneus · · Score: 4, Interesting

      Actually, this isn't funny and may well be the type of attention-getting answer we need to this problem. People should start sending off some emails to their representatives that point this problem out. Microsoft says they are supporting Windows XP until 2014 for security matters and other serious problems. I'd say this qualifies. This "move" on Microsoft's part represents a squeeze play against all of its customers, not the least of which is the U.S. Federal Government. And with all the attention on money problems, it can't be ignored or written off.

      I foresee a congressional hearing on the matter should Microsoft continue down this road.

      If the government plans to spend trillions on this surprise upgrade requirement, perhaps moving to another OS might be another consideration to weigh in. We KNOW Microsoft will leverage its position as "the" OS vendor to do nearly anything it wants. We can't force them to behave. Perhaps the best thing to do is push the misbehaving child to the curb and use someone else's product.

    20. Re:Yeah, right by Anonymous Coward · · Score: 0, Troll

      And you knew full well what their support policy towards XP was. They've made no secret that they are trying to kill it. Are you one of those jerks who moves next to an airport and complains about the noise?

    21. Re:Yeah, right by plague3106 · · Score: 0, Redundant

      Sales of Win7 are much higher than Vista; where they are at now, it took Vista weeks to get to.

    22. Re:Yeah, right by plague3106 · · Score: 1

      They're under no obligation to ever release the source code. Why should they? If they did, it probably would cut into sales of newer OSes, regardless of whether or not the new OS is better or not.

      To answer your last question... they never said they couldn't do it, they said they wouldn't. "Not feasible" means "the effort involved would not be worth the benefit."

    23. Re:Yeah, right by Anonymous Coward · · Score: 0

      Infeasible means that yes, they could spend lots of their money fixing code that is 15 years old.

      Yeah about that. I don't buy that "lots of their money" part. Do you? Honestly?

      Stop blaming Microsoft for not pandering to your individual needs. They are a company. They make a product. Heaven forbid they try to make money off of it instead of offering insane 15 year + support.

      I'm not. Is it wrong to question their lies? You don't want to provide the source because you want to squeeze every last penny from it, then fine it's up to you. But don't give me that "non feasible" bullshit with the intention of pushing a new product (Win7) by force and expect me to eat your lies. Or would you consider that OK just because they are a company?

      Look the bottom line is that as you say it is a business, and whatever model they have is theirs to decide, but lying to your customers is not fair game, so don't even try to justify that. And no it doesn't matter that/if everybody is doing it. I'm assuming your mother told you the "if everybody jumped off a bridge"-analogy when you were younger.

    24. Re:Yeah, right by tbannist · · Score: 2, Insightful

      Apparently they mispronounced "unprofitable". Because that's why they're not doing it, they don't want to spend the money and plus they want everyone to (pay for the) upgrade to Windows 7.

      It's pretty much standard operating procedure for most corporations.

      --
      Fanatically anti-fanatical
    25. Re:Yeah, right by AngryNick · · Score: 2, Insightful

      So I should install a firewall between my computer and the 29,000 other XP machines on my corporate network? Thanks MS!

    26. Re:Yeah, right by ItaliaMatt · · Score: 1

      Actually - the US Army IS migrating to Vista right now.

    27. Re:Yeah, right by kimvette · · Score: 1

      They are knowingly selling Windows XP right now with known fatal, high priority defects. Also, once a fix is released (which should take all of a few minutes to recompile the code into the correct code branches) it's not like they have to retool a factory and throw away existing stock to get this fix into the channel. They just need to roll it into a .cab, .exe, or .msi file and post it on the Windows Update server. If they can force MSIE 7 and MSIE 8 and keep updating the "genuine advantage" garbage for XP, why can't they patch a fatal defect?

      Also, how do you arrive at XP's being 15 years old? Is that the new Obama math or something, where increasing spending will not increase the deficit?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    28. Re:Yeah, right by MindKata · · Score: 1, Redundant

      Well, from a security perspective, thanks to Microsoft's attitude to XP, buying XP has turned into like me buying a dog, and then I have to waste my time with updating decent firewalls just because Microsoft don't want to update their software to support us, because they use that as a means to force and manipulate us into buying Windows 7.

      So much for them creating a product I want (I want them to support XP and produce more products for XP ... and not keep forcing obsolescence onto us all as a means to extort more money out of us all).

      But then Microsoft has the power to extort many people even though we all see, know and hate their tactics against us all.

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    29. Re:Yeah, right by M-RES · · Score: 1

      But XP isn't a 15 year old OS. When exactly did they stop shipping it commercially with new PCs? Aren't some OEMs STILL shipping it with netbooks alongside Linux variants?

      XP is still very much a relevant OS for millions of users. From what I remember it only started shipping about 7 or 8 years ago anyway - so are MS now admitting to us that their 'brand new' OS from 2001 was actually already 7 years or more out of date? Sounds like it to me!

      So why should anyone believe any of their advertising blurb when they talk about 'NEW' things in Win7? Aren't people justified in questioning the underlying codebase and whether it's actually future-proof or perhaps already out-of-date?

      To be fair to MS, they have supported XP for a while now since the launch of Vista, but not as long as Apple supported OS 9 after the launch of OS X, and that really WAS a complete paradigm shift in the structure of the OS.

    30. Re:Yeah, right by lukas84 · · Score: 1

      Erm, your company doesn't have internal firewalls?

      From what I've seen, this seems standard on companies with more than 500 PCs.

    31. Re:Yeah, right by lukas84 · · Score: 1

      Limux wants to disagree: http://limuxwatch.blogspot.com/

    32. Re:Yeah, right by LifesABeach · · Score: 1

      I would think that hacking into a cluster of users that truly believe the Taliban are not Hard Enough is a group I personally would not want to mess with.

    33. Re:Yeah, right by Gary+van+der+Merwe · · Score: 1

      My local stores still sell NEW netbooks with NEW licenses of XP on them... where's bug support for the new buyers?

      Microsoft don't want you to buy the XP version, they want you to buy the Vista/7 version.

    34. Re:Yeah, right by drinkypoo · · Score: 1, Insightful

      Sounds like an opportunity for a class action lawsuit. When you win, the lawyer will get rich and you will get a coupon for a discounted Windows 7 License.

      I hear that if you join the IEEE and wait a week, they'll invite you to join the PC Club for $10 off. It apparently gets you Windows and other goodies like Visual Studio. Perhaps after Windows 7 ships they'll get it. Students join for $32, so take an online or local class you've been waiting on to make it cost effective.

      Anyone know any other crafty ways to get Windows? :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    35. Re:Yeah, right by Anonymous Coward · · Score: 0

      All systems being deployed by the DoD have Vista. They no longer deploy XP machines. Any time a machine gets baselined, it's with Vista, no longer XP. So, they not only have plans of moving to Vista, they already have.

    36. Re:Yeah, right by teshuvah · · Score: 1

      I work for Air Force Materiel Command (AFMC) and Vista is being forced down our throats. Almost everyone with AFMC has been "upgraded" to Vista.

    37. Re:Yeah, right by pleappleappleap · · Score: 3, Interesting

      Well, that, and I think you'd find that the ones getting laid off wouldn't be the cruft. They'd lay off the productive workers preferentially.

    38. Re:Yeah, right by Rasperin · · Score: 1

      Who says XP isn't using the same TCP/IP stack as Windows 95? That would qualify as your 15-year-old code.

      --
      WTF Slashdot, why do I have to login 50 times to post?
    39. Re:Yeah, right by OlRickDawson · · Score: 1

      The Navy and the Marine Corps are not moving to Vista yet. The Army is, and I don't know about the Air Force.

      --
      Ol' Rick Dawson had a farm EIEIO
    40. Re:Yeah, right by artemis67 · · Score: 1

      "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista"

      The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

      No doubt they've taken that into consideration, and are trying to force an upgrade.

    41. Re:Yeah, right by Estragib · · Score: 2, Insightful

      Alternatively, sue Microsoft because they're breaking a sales promise. Windows XP is officially supported ("Extended Support" including security fixes) until mid 2010.

      From Wikipedia:

      Windows XP Service Pack 2 will be retired on July 13, 2010, almost six years after its general availability. In accordance with Microsoft's posted timetable, the company stopped general licensing of Windows XP to OEMs and terminated retail sales of the operating system on June 30, 2008, 17 months after the release of Windows Vista. However, an exception was announced on April 3, 2008, for OEMs installing to ultra low-cost PCs (ULCPCs) either until June 30, 2010, or one year after the availability of the next client version of Windows, Windows 7 -- whichever date comes later.

      On April 14, 2009, Windows XP and its family of operating systems were moved from Mainstream Support to the Extended Support phase as it marks the progression of the legacy operating system through the Microsoft Support Lifecycle Policy. During the Extended Support Phase, Microsoft will continue to provide security updates every month for Windows XP, however free technical support, warranty claims and design changes are no longer being offered.

      They still sold/licensed XP as late as June 2008, which means that in Europe they're even in the mandatory two-year warranty period, regardless of whether they claim your warranty expired in the "Extended Support" phase. I hope they get sued to hell and back. And then back again.

    42. Re:Yeah, right by vandit2k6 · · Score: 1

      Haha no but I can sell you a comp that has Windows ME on it. It heats up sometimes and sparks but nothing too major :) :)

      --
      It's nice to be important but it's more important to be nice
    43. Re:Yeah, right by binarylarry · · Score: 0, Troll

      WTG astroturfer!

      You must have an "inside track" to real sales numbers I take it?

      --
      Mod me down, my New Earth Global Warmingist friends!
    44. Re:Yeah, right by afidel · · Score: 0, Troll

      You're still not going to put a firewall between PCs on a broadcast domain; the cost of such a design would be astronomical since line-rate firewalls are ridiculously expensive and you'd really need a switch that could perform SPI at line rates. Such a beast does not exist AFAIK.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    45. Re:Yeah, right by alen · · Score: 1

      That's your fault for buying an obsolete OS on a new computer.

    46. Re:Yeah, right by Asklepius+M.D. · · Score: 1

      Oooh...car analogies are fun! In this case, you're correct about the car manufacturer not realistically releasing all the blueprints etc for the car. Neither do I require a 15 year warranty as there is sufficient information about the operation of the car for a 3rd party (or even an advanced amateur) to keep it maintained for well over that period of time. So if Microsoft doesn't want to release source code....okay.....instead let's have them release the hooks to their implementation of TCP/IP so I can remove it and replace it with another model. What? It doesn't work that way? Damn car analogies.......

      --
      He who would be a man, must be a nonconformist. -- Emerson
    47. Re:Yeah, right by Anonymous Coward · · Score: 0

      Honestly MS tried to stop selling XP.

      The same people who will complain Microsoft doesn't want to support software that's almost a decade old are the same people that cried they wanted XP over Vista, when honestly Vista was fine (it wasn't at launch but by the time SP1 came out - it was great). Bad PR of the OS hurt MS a lot and consumers followed the usual anti-MS rant that happened even when XP came out (why would I upgrade to XP, Windows 98 is so much better....)

      MS already said they'd stop supporting XP a few years ago and even extended it after being requested to do so. People have had time to switch (or should have switched) over the past few years. I believe there are post sale options for upgrading XP to Vista or Windows 7 at a minimal cost. You know Windows 7 is coming, you know Vista has been out a few years, you chose to go with XP which you know will be obsolete sooner than later.

      Government agencies and their IT departments have just been putting off the inevitable and will need to address it at some point, it could mean even switching to Linux or OS X (although imagine if the entire government was running OS 9 - what then?)

      It's also not as simple as 'all XPs are exactly the same' - millions upon millions of possible software/hardware combinations - any patch can potentially be a headache or open up new bugs.

      The solution for security issues in all products, plug-ins, software is to upgrade to the latest version. Should windows still support NT 4.0 and Windows 3.1? People have had 3 years to upgrade (and knowing Vista was coming, longer than that to prepare) - time to upgrade :)

    48. Re:Yeah, right by Mhtsos · · Score: 2, Insightful

      Maybe they should stop offering XP licenses then. (So what if it makes some room in the market for Ubuntu Netbook Remix)

    49. Re:Yeah, right by gad_zuki! · · Score: 1, Redundant

      If you read the article you'll see systems with SP2 or SP3 are unaffected:

      "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability"

      Don't let the sensationalist summaries fool you. After all, this is Slashdot. Everything is spun a certain way. Shame on you editors.

    50. Re:Yeah, right by somersault · · Score: 0, Flamebait

      I don't particularly like Microsoft, in fact they are still my least favourite company in the world. But do you expect Adobe to keep bringing out patches for 8 year old versions of Photoshop? Would you expect a car manufacturer to offer a 10 year warranty on all of their cars? Anyone who is heavily reliant on old versions of Windows probably only has themselves to blame. If they are relying on popular 3rd party software then chances are that it has a newer version out for Windows. If they are using in house software that can only run on XP then they should have it updated.

      Microsoft are perfectly within their rights to "force" obsolescence onto users by concentrating on more recent versions of their software. They would also be perfectly within their rights to stop making Windows altogether and start manufacturing refrigerators. Yes, they use very scummy business and marketing tactics, but as far as stopping support for XP, it is one of the more reasonable of their scummy tactics. They even produced a backwards compatibility plugin to let Office 2003 work with 2007, I was quite shocked at that.

      --
      which is totally what she said
    51. Re:Yeah, right by Anonymous Coward · · Score: 0

      DoD mandates that all computers be on their Standard Desktop Environment. 2.0, aka Windows Vista, is required to be installed sometime this fall. You can still get a waiver to remain on XP but they are really looking hard at the justification why.

    52. Re:Yeah, right by ArsonSmith · · Score: 1, Offtopic

      That's the only way to prove that it was a bad idea to lay them off. It's government service at its best, and we're getting more of it every day.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    53. Re:Yeah, right by Vorpix · · Score: 1

      If it's obsolete it should not be for sale on new computers. But that's not the case here. Win 3.1 is obsolete. It's NOT like you can still go to a store and buy a new PC with Windows 3.1. But you certainly can with XP.

      Since Vista can't run well enough on netbooks and Windows 7 isn't ready yet, XP is truly the best option in many situations. Don't blame the user for choosing the best option available to them (apart from using either a generic UI on top of Linux, or having to install their own stuff.)

      I think the GP's point was that they're still bringing in new revenue on XP sales, and as such they should be able to staff a team to continue squashing bugs until a time when Windows 7 is widely available and has replaced XP on most netbooks.

      --
      frog blast the vent core
    54. Re:Yeah, right by gad_zuki! · · Score: 4, Informative

      Actually they won't have to do anything if they are running SP2 or higher. They won't be patching VANILLA XP BUT SP2 AND LATER ARE FINE. RTFA:

      "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    55. Re:Yeah, right by agbinfo · · Score: 1

      I guess that decent firewall they are talking about must be running on a non-MS machine.

    56. Re:Yeah, right by gad_zuki! · · Score: 4, Informative

      How about you read the article before you start yelling at your congressman? RTFA:

      In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    57. Re:Yeah, right by poetmatt · · Score: 1, Interesting

      Sales of Win7 are down so low MS isn't even promoting it in most places. There are lots of groundbreaking problems that people will not touch with a 20 foot pole. It is an overall improvement yes, but why would I pay for DRM and a version of Vista that should have been there from the start?

      MS needs to relearn basic salesmanship: underpromise and overdeliver. They have been doing the opposite and wonder why people hate them.

    58. Re:Yeah, right by Oswald · · Score: 4, Interesting

      Hey genius, you do realize that Windows XP is still being sold, right? That brand new computers are shipping by the thousand every single day with Windows XP as the OEM-installed operating system? Can you seriously claim that it's alright for them to just walk away from a product they are still shipping because they have better things to do with their time? Did you give your position even five seconds of thought?

      Congratulations, fucktard. Worst post of the day.

    59. Re:Yeah, right by bpprice · · Score: 2, Insightful

      If MS had simply created a standards-compliant browser years ago, then this problem wouldn't exist. By buying into a Microsoft-dominated vision of the future of computing (which will never come to pass) the government agencies and other businesses simply hurt themselves. A REAL browser upgrade is simply to one that meets standards. IE doesn't count in that regard.

    60. Re:Yeah, right by Anonymous Coward · · Score: 0

      I don't want to ruin your argument but Microsoft has usually said that OEM provided copies of Windows are supported by the OEM vendor. However, where does the OEM get support? I think OEMs should put a halt to installing XP on their netbooks immediately.

    61. Re:Yeah, right by KDR_11k · · Score: 1

      It's a bit different from, say, Photoshop because that's an application, not an OS. Photoshop is not security critical and can be replaced on a computer without needing any major changes, just uninstall and throw the new version on it. Replacing the OS means reinstalling everything that is on the system and a major amount of work plus a quite large risk that something will break (especially old software that's used on the computer but not compatible with the latest Windows OS).

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    62. Re:Yeah, right by Moryath · · Score: 3, Informative

      Let's see... Kia, Hyundai, Mitsubishi and GM all offer 10-year powertrain warranties (that's "engine parts, transmission, drive system") on new cars. Chrysler's powertrain is covered for "lifetime" as long as you keep a record of proper maintenance.

      Yeah, that's not "bumper-to-bumper" coverage, but TCP/IP is pretty damn close to an "essential" part of the car.

    63. Re:Yeah, right by dwinks616 · · Score: 0

      Technet subscriptions are $300-350 for a year, at which point you can download a full copy of pretty much every MS product with no expiration dates (i.e. I'm still using the copy of Server 2008 I downloaded a few months before it was even released). $350 isn't peanuts, but it's a fair price for XP+Vista+Server 2008+7+Server 2008R2+Office+everything else.

    64. Re:Yeah, right by andersenep · · Score: 1

      The Navy will simply subcontract-out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result.

      You are high on crack and it is very obvious that you have never dealt with NMCI. NMCI just updated to XP about 2 years ago from Win2k. A lot of apps did break and it took over a year to get some of them working. When you are dealing with a contractor that runs a network of over 300,000 computers for the entire Navy and Marine Corps, mission-critical takes on a very literal meaning.

      The Navy does not own these computers and could not sub-contract out any of the work you suggested to third parties. NMCI provides all the computers and the required support for them. Either NMCI will have to find a way to fix the problem themselves or a way to work around it.

    65. Re:Yeah, right by Philip+K+Dickhead · · Score: 1

      F*ck 'em.

      Defense in depth. :-)

      I bet the cars in the motorpool are rotated to newer models more often than the OSes.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    66. Re:Yeah, right by Just+Some+Guy · · Score: 2, Insightful

      Heaven forbid they try to make money off of it instead of offering insane 15 year + support.

      FreeBSD started as a branch of BSD, which began around 1977. Somehow a group of volunteers manages to support 32 year old code.

      --
      Dewey, what part of this looks like authorities should be involved?
    67. Re:Yeah, right by Lostlander · · Score: 1

      Desire has nothing to do with it; it's a simple matter: if they want software treated as a hard good, then they need to support it like a hard good. A tire manufacturer who is still making the same classic x model tire still has to support their warranty on the new one as they did on the old ones despite the fact that the mold is over 15 years old... If you're still manufacturing and selling the same product despite the fact its design is 15 years old you support it as if it was new. Now if these copies of XP were just leftovers on the shelf from an old stamping that's different as the product's individual age is great and support ended a long time ago for it. However, Microsoft continues to manufacture and has given what equates to a manufacturing guarantee of service and support for the aging operating system. They have an ethical and in some cases legal obligation to follow through with that guarantee.

    68. Re:Yeah, right by KnownIssues · · Score: 5, Interesting

      XP SP2 and later are fine by default. What does that mean? Does that mean it's the only possible configuration? Or is it reasonable that an XP SP2 computer could end up in a state where it does have a listening service configured in the client firewall? Doesn't Vista include "a stateful host firewall that provide protection for computers against incoming traffic from the Internet [...]"? I should think so, so wouldn't that invalidate their reasoning?

      I wouldn't be surprised if Microsoft is perfectly correct in not patching XP. The problem is how they communicate it. If they're patching Vista (a client OS) and they're patching Server 2003 (similar codebase to XP), then this makes it seem like they don't want to bother fixing XP, even though it's broken. If Microsoft had said, "the XP codebase is in no way vulnerable", I'd be completely satisfied. But they didn't. They said, "XP is broken, but by default it's protected".

      That's not good enough.

    69. Re:Yeah, right by MobyDisk · · Score: 3, Insightful

      This is not Microsoft's fault. Talk to whoever created a web site that only works in specific versions of a specific browser.

    70. Re:Yeah, right by somersault · · Score: 0

      Good job on getting out of the wrong side of the bed this morning. I was under the impression that they had stopped selling and/or supporting it and that manufacturers such as Dell simply pre-install it using downgrade rights. Genius indeed.

      --
      which is totally what she said
    71. Re:Yeah, right by hairyfeet · · Score: 1

      Uhhhh...You DO know that you can get nice free firewall/antivirus from Comodo right? It is nice, easy to use, and takes care of itself pretty much. It also has 32 and 64 bit support for both XP and Vista. So while I am not happy about MSFT lying about XP (what happened to "support until 2014?") it isn't like having a real firewall (who wants the crappy XP default one) is any real work.

      So while I bought Win7 HP when it was $50, I think I'll be sticking to XP 32/64 for the foreseeable future, and just play with Win7 so I can learn its quirks to work on new Win7 boxes that walk into my shop. Lucky for me the only "work" I had to do with Vista was customers screaming "Get that $^$# off my PC!" so I didn't need to keep a copy of that turdburger. But am I the only one that thought "support" actually meant support, not "kinda sorta when we feel like it" support? First Win2K which is supposed to get another year, and now XP. MSFT better have a plan B, because if Win7 turns into another Turdburger this bullshit has burnt their bridges with regards to XP. After all, who is gonna want to buy an OS that they ain't even doing security patches for anymore?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    72. Re:Yeah, right by Philip+K+Dickhead · · Score: 4, Insightful

      How does this rate insightful, when the fellow knows nothing about his topic?

      Weird assertion: "Sales of Win7 are down so low MS isn't even promoting it in most places"

      Newsflash: There is no retail release of Win7 yet.

      Good point? "underpromise and overdeliver. They have been doing the opposite and wonder why people hate them."

      Excellent diagnosis. MS should also learn how to sell to the business, preferably the CFO - not keep hyping 'features' to IT - often the most dysfunctional outfit in any org.

      Wild claim: "There are lots of groundbreaking problems that people will not touch with a 20 foot pole"

      C'mon! Cite a bloody reference, or just yell "FIRE!" in a crowded theatre!

      In reality you make claims about Windows 7 sales that cannot be backed up - and use unspecific criticism to support the claim, without evidence. Allow me to explain some basics.

      The bulk of Corporation and Government purchases? They already owned Windows 7, before it was released, through the Software Assurance benefit in their contract through their reseller. Microsoft measures "deployment", not "sales" with these folks... You know Home Depot, Wal*Mart, Hewlett Packard, General Motors, even Google.

      Despite not even being offered as a public, retail item, Windows 7 will do very well on the day it goes to market. Retail sales are a tricky number. Most are through OEM installation on new computers - not shiny disc SKUs. So, for 2 months, these have been ramped through the manufacturing channels.

      Let's talk in February - when the after-Christmas inventory purge is complete. Then we can compare notes.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    73. Re:Yeah, right by peragrin · · Score: 1

      Exactly, it is the one example Microsoft can learn from Apple marketing.

      Promise nothing, show nothing, deny everything and then release your half finished products. That way more people will be amazed at what is included rather than all that you left out.

      --
      i thought once I was found, but it was only a dream.
    74. Re:Yeah, right by iamhassi · · Score: 0, Redundant

      "Sales of Win7 are much higher than Vista; where they are at now, it took Vista weeks to get to."

      Score:+1, Funny, since Win7 has not been released so there are no sales

      --
      my karma will be here long after I'm gone
    75. Re:Yeah, right by ryanov · · Score: 1

      Ah, OK, not covered by warranty. To which repair shop shall I take my Windows XP considering it's no longer under warranty?

    76. Re:Yeah, right by Anonymous Coward · · Score: 0

      They're talking about vanilla XP, XP SP2/SP3 are already protected from that vulnerability. Anyone still running XP/XP SP1 is crazy.

    77. Re:Yeah, right by Midnight+Thunder · · Score: 2, Funny

      BTW anyone want to buy a Windows 95 laptop? It's harmless (mostly).

      Bah, I am holding out for a Windows 3.1 laptop.

      --
      Jumpstart the tartan drive.
    78. Re:Yeah, right by iamhassi · · Score: 1

      "Sales of Win7 are down so low MS isn't even promoting it in most places. "

      .... huh? it's not out, so yes the sales would be very low when Windows 7 is not for sale yet. How was this marked Insightful? Should be -1, Citation Needed.

      --
      my karma will be here long after I'm gone
    79. Re:Yeah, right by EastCoastSurfer · · Score: 5, Funny

      I have a friend who just got hired into group A working for the DOD. His job is to track how the stimulus money gets spent in group B. Actually his entire group's job is to track that money. Guess what group B's job is? Track how the money gets spent in group A. It's so ludicrous that you can't make this stuff up.

      It's white collar welfare and has been for years. It's the advanced version of dig a hole and fill it in.

    80. Re:Yeah, right by Hieyeck · · Score: 1

      Good thing I didn't pay for XP, Vista, or 7 (well, I paid for IEEE membership as part of my tuition... so I guess I did?).

    81. Re:Yeah, right by iamhassi · · Score: 3, Informative

      "I don't particularly like Microsoft, in fact they are still my least favourite company in the world. But do you expect Adobe to keep bringing out patches for 8 year old versions of Photoshop?"

      Apples and oranges. Took M$ 5 years to come out with a new OS and that OS was crap, MS even admits Vista is crap. So it comes out with a new OS 3 years later but it's not released yet, no support for it.

      So MS is saying "We won't patch XP because it's old, the Vista OS we patched is crap so don't use it, and the new Win7 OS has not been officially released so no support. Good luck!"

      --
      my karma will be here long after I'm gone
    82. Re:Yeah, right by whoever57 · · Score: 1

      Microsoft are perfectly within their rights to "force" obsolescence onto users by concentrating on more recent versions of their software.

      Not when people buying their S/W relied upon Microsoft's published lifecycle documents which claim that XP will be supported for some time yet.

      Also, your analogy of Photoshop is not appropriate because Photoshop (as a user application) should not create security risks. If it did create such a risk, then I would expect Adobe to patch it.

      --
      The real "Libtards" are the Libertarians!
    83. Re:Yeah, right by Anonymous+Brave+Guy · · Score: 4, Informative

      Sales of Win7 are down so low MS isn't even promoting it in most places.

      Maybe that's because it won't be released until 22 October?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    84. Re:Yeah, right by Anonymous Coward · · Score: 0

      They'll just use a drone to attack their Redmond campus.

    85. Re:Yeah, right by Lonewolf666 · · Score: 1

      That's all correct, but I don't really understand Microsoft's position on that.

      XP is now reasonably mature, so the maintenance costs for this sort of bug fix should be way lower than when it was new. So why not keep selling it until sales fall off on their own (with Windows 7 being better than Vista that should happen anyway), and support it for a few years after that?

      As it is, buyers of netbooks have more reason now to choose Linux. Just when it looked like Microsoft was relenting and keeping XP available. Because an OS without support is not so good for connecting to the internet.

      --
      C - the footgun of programming languages
    86. Re:Yeah, right by Anonymous Coward · · Score: 0

      XP is based off of the NT4/2000 kernel, a different branch altogether than the 95-98 family.

    87. Re:Yeah, right by Anonymous+Brave+Guy · · Score: 1

      Do you realise how the DRM/copy protection scheme used by Adobe Creative Suite works? It screws with your boot sector, which is about as big a risk as you can get in terms of system stability.

      This is exactly why things like DRM are a bad idea for consumers: even if something works now, it can arbitrarily break later, there could be collateral damage, and the company who set it up might or might not be around to fix the problem.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    88. Re:Yeah, right by geekoid · · Score: 1

      The lesson here is only support standards.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    89. Re:Yeah, right by Anonymous Coward · · Score: 0

      So, what do you want them to do? To reimburse you and let you go for another OS? They say they can't fix it, and that's what their developers say. If they can't, they can't. They're not gods, you know.
      After that, if their lawyers don't want to reveal the source, that's another matter. A matter of will and greed, but not a matter of feasibility.

    90. Re:Yeah, right by Disgruntled+Goats · · Score: 1

      Yes, because it's quite simple to backport fixes to a codebase that is 10 years out of sync with your mainline.

    91. Re:Yeah, right by kestasjk · · Score: 1

      Or maybe they'll update the browsers, and no-one being able to access their systems will encourage them to update their systems? I can't help but think that'd be a good thing.. I'm not keeping a gopher client around just in case.

      --
      // MD_Update(&m,buf,j);
    92. Re:Yeah, right by Binestar · · Score: 2, Insightful

      I know a lot of people who have pre-purchased windows 7 to have on release day. I didn't see that happening with Vista.

      --
      Do you Gentoo!?
    93. Re:Yeah, right by TheRaven64 · · Score: 3, Insightful

      That's not really a fair comparison. The branch that is currently developed of the Windows NT codebase is Windows 7. The branch that is currently developed of the FreeBSD codebase is 8-CURRENT. Fixes are backported to 7-STABLE and 6-STABLE from there. FreeBSD 4 was the stable release series back when Windows XP was released, and it no longer receives updates. The last release from the 4.x branch was in 2005 and, although the RELENG_4 branch is still open for commits, it is not officially supported by the FreeBSD team. Of course, upgrading to FreeBSD 6 was free and easy for FreeBSD 4 users...

      --
      I am TheRaven on Soylent News
    94. Re:Yeah, right by Inf0phreak · · Score: 2

      Exactly. A million things could cause you to listen on a port. Bittorrent for a WoW update? Pretty much any multiplayer game? Did you enable remote desktop?

      This argument is pure BS. It's contrived and mangled in such a way that MS can get away with classifying this as a "low risk threat" so they don't have to patch it. To hell with leaving thousands if not millions of paying customers hanging. "UPGRADE TO WIN7 DANGIT! We need the money!"

      In addition, it is my understanding that this is a remote code execution vulnerability. Only in MS-land is remote code execution classified as a low risk threat.

      --
      ________
      Entranced by anime since late summer 2001 and loving it ^_^
    95. Re:Yeah, right by blueskies · · Score: 1

      Because of course, since you can't fire a gov't worker, I'm sure you think the managers don't get better raises if their department does better. The problem is they can't fire workers. If they had an opportunity managers would sure as hell lose the crappy workers over the good ones.

    96. Re:Yeah, right by Anonymous Coward · · Score: 0

      The vast majority of DoD's systems are Windows XP with no plans of moving to Vista. US Central Command (CENTCOM) is the only command of which I've heard that has said it is moving to Vista, and FSM only knows why.

      Every USAF computer I have used this year is Vista. As the new hardware comes in from HP (who seems to hold the contract for most USAF installations) they have Vista installed.

    97. Re:Yeah, right by Anonymous Coward · · Score: 0

      Wonder if it would have worked with IE8 in compatibility mode - did you try it?

    98. Re:Yeah, right by Sancho · · Score: 3, Informative

      Both Vista and Windows 7 were sold as pre-orders for a reduced cost. In fact, Windows 7 is doing better than Vista at pre-orders:
      http://www.crunchgear.com/2009/07/15/in-8-hours-windows-7-pre-orders-overtake-vista-pre-orders/

    99. Re:Yeah, right by commodore64_love · · Score: 1

      Here you go. Only $95!!! http://cgi.ebay.com/Vintage-Toshiba-Laptop-T4800CT-500-plus-Windows-3-1_W0QQitemZ190310608796QQ

      And here's a lovely 266 megahertz netbook from China. Wow. Even my ancient Win95 laptop has more power - http://technorati.com/posts/xzY7CIHTC7dj1WdoEZan8RTDqpS1hKUfgiQOE8zmLOA=

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    100. Re:Yeah, right by binford2k · · Score: 1

      Would you expect a car manufacturer to offer a 10 year warranty on all of their cars?

      Yes.
      http://www.kia.com/#/warranty

    101. Re:Yeah, right by TJamieson · · Score: 1

      TCP/IP is pretty damn close to an "essential" part of the car.

      You just made my head explode

      --
      For the last time, PIN Number and ATM Machine are redundancies!
    102. Re:Yeah, right by multipartmixed · · Score: 1

      > As a bonus the Navy has an inexhaustible supply of boat anchors!

      I think if you look carefully, you will find that there is a finite number of Admirals.

      --

      Do daemons dream of electric sleep()?
    103. Re:Yeah, right by Richard+Steiner · · Score: 1

      I suspect *ANY* product released immediately after a crappy product like Vista would do well, at least initially.

      --
      Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
      The Theorem Theorem: If If, Then Then.
    104. Re:Yeah, right by liquidsin · · Score: 1

      directly from http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173 they're showing extended support into 2014. "extended support", according to their own faq, covers security fixes. i'm wondering at what point "inconvenient" to fix becomes "not technically feasible". unless they mean to say "impossible", but i find that hard to believe.

      --
      do not read this line twice.
    105. Re:Yeah, right by Anonymous Coward · · Score: 0

      Would you elaborate on how this helps? It sounds pretty much like "only tuned installs or servers are affected." That's not exactly helpful.

    106. Re:Yeah, right by Anonymous Coward · · Score: 0

      The lesson here is comprehensive testing against all browsers you know about. "Standards" tend to be kind of slippery when your website hits the user's browser.

    107. Re:Yeah, right by Dishevel · · Score: 1

      You seriously think that the reason the government is expensive and late is due to Windows? It does not matter what product the government uses. They will come in over budget. Past deadline and with half the promised capabilities if they were using Super Linux 7(Ready for the Desktop Edition). If you think differently then ... You are wrong.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    108. Re:Yeah, right by poetmatt · · Score: 1

      Well, you want more info? How about the fact that Windows 7 hasn't been promoted at the corporate level nor at Microsoft meetings (which I have been to, where in years past Vista and XP received much praise and direct discussion)? As far as sales, it's easy to predict with preorders as well. If corporations aren't willing to pre-order, that says a lot. There is more inertia to this change than you may magically come up with. Very, very few corporations and gov are willing to use windows 7, government specifically on that. It's very shortsighted to use windows, and lots of government IT requirements that require things that can work past a 5 year window as windows 7 is so eloquently breaking. They are migrating to open source for many projects. do you need me to cite or do you think win7 is the bees knees?

      Groundbreakers? How about the XP mode issues, the things it won't run? I've only said this like 50 times - it's a bigger issue than people think. Not to mention many things that have trouble in Win7 won't run even in compatibility mode (games again).

    109. Re:Yeah, right by icannotthinkofaname · · Score: 1

      "Never attribute to malice that which can be adequately explained by stupidity."

      Why are you so quick to accuse Microsoft of malice here? Clearly, they're just incompetent, and so still not worth your time. Microsoft's programmers are obviously too stupid to backport the patch.

      *did not read TFA*

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    110. Re:Yeah, right by Anonymous Coward · · Score: 0

      Will I have to crank the engine a dozen times to get it to boot up? I hated doing that with my last laptop.

    111. Re:Yeah, right by Anonymous Coward · · Score: 0

      No. Its the niggers that do that.

    112. Re:Yeah, right by Daryen · · Score: 1

      They are still selling Windows XP today. This is not like a car manufacturer failing to offer a warranty on 10 year old cars. This is like a car manufacturer still selling a car they designed 10 years ago, but failing to sell parts, and banning anyone else from trying to sell aftermarket parts.

    113. Re:Yeah, right by TooMuchToDo · · Score: 1

      Would you expect a car manufacturer to offer a 10 year warranty on all of their cars?

      Yes.

      http://www.hyundaiusa.com/global/warranty/warranty.aspx

      http://www.kia.com/#/warranty

      http://www.mitsubishicars.com/MMNA/jsp/owners/warranties.do

      And for a short period of time, Chrysler had a lifetime warranty on their powertrains. If these companies can warranty a vehicle with an internal combustion engine and hundreds of moving parts for 10 years, Microsoft can suck it up and backport the patch.

    114. Re:Yeah, right by Hurricane78 · · Score: 1

      Do you even realize how backwards and stupid that sounds?

      Well, if the sir from the marine corps web monkey (obviously no developer would prefer to code for IE) team would move his lazy ass, and just upgrade his fuckin' site... wouldn't that be something?

      Seriously. It's like breeding whining self-centered idiots that want you to feed and swaddle them, by having a culture of never exposing anyone to any tiny little expectation of change or self-thinking.
      Same thing here. Why do they have this horrible, outdated, IE centered site? Because you let them.
      If I were Microsoft, I'd say upgrade your browser, or never call us again, or expect to get any updates to your OS. "Sorry sir, we don't have anyone who is trained to do that, and we don't have software that old anymore. Unfortunately, we can't help you if you keep using outdated software. Our fix to your problem IS the upgrades we provide."
      And then I would think "Go ahead. Whine. Insult. Sue. Because you're such a spoiled loser. It won't change a thing!" ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    115. Re:Yeah, right by shaitand · · Score: 3, Insightful

      Apparently the marketing trick worked. People are talking about Windows 7 as if it were something other than Vista when in reality it's Vista with a service pack and a rename.

    116. Re:Yeah, right by HermMunster · · Score: 1

      This will make products such as OSX and Linux more viable. Those products likely will be upgraded and patched well beyond the 15+ years Microsoft claims makes it infeasible.

      It's not the age of the software. They've been patching it for years. Essentially they've rewritten XP a couple times over in the time that XP has been out. XP hasn't been out for 15 years, it's only been out for approximately 8. Claims of 15 years for a software stack that's incorporated into an 8 year old OS where other OSes such as Unix and Linux which are older than 8 years and readily patched has to be a clear indicator that maybe the overall architecture of Vista isn't that sound. One would have to begin to question Win7 too as it is done by the same company with the same design issues as XP.

      --
      You can lead a man with reason but you can't make him think.
    117. Re:Yeah, right by shaitand · · Score: 1

      "Dell simply pre-install it using downgrade rights. Genius indeed."

      Selling downgrade rights because nobody wants your new product is the same thing as selling the old product. You know it, I know it, they know it.

      Vista bombed so they are releasing the next vista service pack as if it were a new version of windows and calling it windows 7.

      He isn't some oddball holdout digging his own grave here he represents the vast majority of users. Most people who are running vista only have it because they couldn't find XP at the retail stores.

    118. Re:Yeah, right by commodore64_love · · Score: 1

      The change needs to come from the top down. The Congress needs to get strict and say, "Everybody's budget is cut 75% across the board. You figure out which workers to layoff to make the new 25% budget work." Then in the following year FAA, FDA, FCC, and other top-level managers can explain how the new 25% budget was sufficient or not sufficient to do their job, and justify why they should get increases. In most cases though I suspect they'll discover they can operate with a 25% budget just fine.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    119. Re:Yeah, right by cenc · · Score: 2, Funny

      I say we send the Marines to storm the MS campus.

    120. Re:Yeah, right by Binestar · · Score: 1

      Don't try to explain that to them...

      --
      Do you Gentoo!?
    121. Re:Yeah, right by steelfood · · Score: 1

      It's so that they can figure out what to do in the 15 minutes of waiting for the sysadmin to come over for escalated privileges to open up the missile interface command terminal to respond to an imminent attack on the green zone.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    122. Re:Yeah, right by http · · Score: 1

      The advisory mentions that the problem is related to TCP's receive window size. How is a firewall supposed to say, "Hey! I don't think your RWS is reasonable, no biscuit for you" ? As near as I can tell, this precludes XP from running ANY available service. Or, I could just have the stupid this morning, like many other mornings before coffee.

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    123. Re:Yeah, right by Eirenarch · · Score: 1

      I wonder why Linux and Mac didn't do that then.

    124. Re:Yeah, right by Steauengeglase · · Score: 1, Insightful

      And ruin wars in foreign countries for Gallium? No way.

    125. Re:Yeah, right by oodaloop · · Score: 1

      Really? I work for DoD and no one has Vista.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    126. Re:Yeah, right by Steauengeglase · · Score: 1

      And freeDOS and OpenGEM will lead them.

    127. Re:Yeah, right by Digital+Vomit · · Score: 1

      But do you expect Adobe to keep bringing out patches for 8 year old versions of Photoshop?

      This is one of the reasons why copyright [on software] should last no longer than five years. Typical software is too complex for all known faults to be addressed between the time a program is released and the time its successive version hits the market. This introduces a situation where customers are *forced* to upgrade or suffer the consequences.

      What *should* happen is that the copyright should expire and the source code be released for commercial software that companies refuse to fully support. The computer world is so interconnected that it is simply irresponsible to allow serious software defects to go unpatched for the sake of forcing customers to buy the next version. This has given rise to a new and harmful situation that was not considered at the time original copyright laws were dreamed up: vendor lock-in.

      Would you expect a car manufacturer to offer a 10 year warranty on all of their cars?

      I wouldn't expect it, given how it's 'the almighty dollar über alles' in the West, but they definitely *should*. We can't afford to be a throw-away society forever.

      Microsoft are perfectly within their rights to "force" obsolescence onto users by concentrating on more recent versions of their software.

      Perhaps, but I believe there is a solid argument that this is terribly socially irresponsible.

      --
      Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
    128. Re:Yeah, right by armanox · · Score: 1

      I got a DOS 3 laptop...

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    129. Re:Yeah, right by Philip+K+Dickhead · · Score: 1

      Well.

      I am in partner meetings 3-4 times a week with MS Architects and Tech Sales Engineers on customer sales calls, at multiple fortune 500's.

      Win 7 is heavily promoted, and actively sought - unlike Vista, which was averred.

      "It's very shortsighted to use windows"

      Versus what? MacOS? Ubuntu? Both of these present more of the critical difficulties and compatibility issues that you blow like chaff, in place of an actual, substantiated position.

      Get one thing straight: I don't like Windows. So, outside of my professional work as a security consultant to large enterprises, I do not choose to use it.

      But Microsoft is in the business of selling a car-fleet, so-to-speak. They make a decent "Crown Victoria" and "Geo Metro", appropriate to these ends. Blustering about the poor "car choice" this represents, simply shows you to be a gearhead - i.e. someone who is in possession of only a limited mastery of the various arguments and considerations involved in corporate fleet acquisition and maintenance.

      Next time, don't mix arguments against corporate adoption with compatibility for games. It hurts the general impression of credibility you probably want to make. Especially when a right-click will prove you simply wrong.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    130. Re:Yeah, right by knorthern+knight · · Score: 4, Insightful

      > They would also be perfectly within their rights to stop making
      > Windows altogether and start manufacturing refrigerators...

      Knowing Microsoft, it'll probably be their first product that never freezes.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    131. Re:Yeah, right by Sancho · · Score: 1

      XP SP2 and later are fine by default. What does that mean? Does that mean it's the only possible configuration? Or is it reasonable that an XP SP2 computer could end up in a state where it does have a listening service configured in the client firewall? Doesn't Vista include "a stateful host firewall that provide protection for computers against incoming traffic from the Internet [...]"? I should think so, so wouldn't that invalidate their reasoning?

      Exactly. They patched Vista, whose default configuration is identical, but they won't patch XP.

    132. Re:Yeah, right by burnin1965 · · Score: 1

      Windows XP is still being sold, right? That brand new computers are shipping by the thousand every single day with Windows XP as the OEM-installed operating system?

      Can you say Class Action Lawsuit? LOL

      It appears that Microsoft's compromise to allow cheap XP Home licenses on netbooks in an attempt to block the sudden surge in new linux users could backfire. No biggie though, it seems they can produce crap and just shell out a billion to make it go away.

    133. Re:Yeah, right by JasterBobaMereel · · Score: 1

      Not supporting a product you still sell, as new (even as a downgrade) and is still used by more people than the newer versions is simply bad marketing

      "We will continue to support it for as long as the majority of people are using it ...." would be good marketing

      Forcing people to upgrade away from a system you made next to no money on, just so you can sell them the new version which you will also make almost nothing on, is a bad idea when they might just get the idea of trying alternatives first ....and then they won't need your other products which are your real money spinners ...

      --
      Puteulanus fenestra mortis
    134. Re:Yeah, right by Anonymous Coward · · Score: 0

      It's in extended support until 2014 - which means it's effectively EoL. Non-critical updates aren't provided free, though it may be different for paid support, which is still available.

      How is EoL'ing an 8 year old product, which is two major versions behind, considered exploiting a monopoly?

      It's like complaining that Commodore is evil because they don't support the Amiga 500 anymore.

      Translation: "Since when do I actually need a reason to hate on Microsoft?".

    135. Re:Yeah, right by Sancho · · Score: 1

      Microsoft has support for XP through 2014. They're reneging on that by refusing to patch this flaw.

    136. Re:Yeah, right by Anonymous Coward · · Score: 0

      Who cares what it is, so long as it actually works better than both Vista and XP?

    137. Re:Yeah, right by Sancho · · Score: 1

      If you drop your subscription, you lose the rights to the software though. Also, they're not for general purpose use--they're for testing.

    138. Re:Yeah, right by Tubal-Cain · · Score: 1

      I hope they get sued to hell and back. And then back again.

      They would likely be allowed to pay any judgments against them with a lot of "Get 1 free copy of Windows 7" coupons.

    139. Re:Yeah, right by Anonymous Coward · · Score: 1, Informative

      Maybe you should try thinking and realize that the default configuration is not what is used. Is Windows file and printer sharing enabled? How about remote desktop? The "stateful firewall" is a red herring -- that only helps if you don't have a service enabled and a spoof packet is sent faking the initial handshake. If you actually have a service enabled (go ahead, check any random XP system you want, especially in a corporate or government environment) spoofing isn't necessary.

      The summary above about "forced upgrades" appears to be spot on.

    140. Re:Yeah, right by CannonballHead · · Score: 1

      no one will be able to use the government systems anymore.

      Or maybe the government will change the way it "finds" web developers to make "bids."

    141. Re:Yeah, right by Anonymous Coward · · Score: 1

      "The FAA could lay-off 75% of the workforce and not notice any drop in output."

      Hmmm...I could picture some administration zealous about "reform" doing a "Mad Man Muntz" on the infrastructure by cutting staff one by one until airplanes start falling out of the sky, then hiring back the last individual.

      Since the Windows communications stack from Vista forward is supposed to be a complete rewrite, it could be that one of the reasons for Redmond taking this step is that the last of their people who worked on the "old" stack (reputed to be an adaptation of BSD code) are no longer there.

    142. Re:Yeah, right by JasterBobaMereel · · Score: 2, Insightful

      Microsoft gave people the tools to make IE6 only websites and pushed hard to get people to use them

      So IE6 Only Web applications are very common inside businesses (and the Navy)

      Microsoft have not given an easy upgrade path for any of these applications, and IE7/8 break them, and so it is 100% Microsoft's fault ....

      --
      Puteulanus fenestra mortis
    143. Re:Yeah, right by Anonymous Coward · · Score: 0

      If you are not invulnerable, then you can't not patch nearly too much, or at most, too little.

    144. Re:Yeah, right by w000t · · Score: 1

      And if you (re)read the article you'll (hopefully) see systems with SP2 or SP3 are vulnerable too...

      "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability"

      Don't let PR spin on things fool you either.

    145. Re:Yeah, right by slazzy · · Score: 1

      That's okay, I found a good upgrade from Windows 2000 after they stopped releasing patches. It's called "Ubuntu"

      --
      Website Just Down For Me? Find out
    146. Re:Yeah, right by shutdown+-p+now · · Score: 2, Informative

      In addition, it is my understanding that this is a remote code execution vulnerability.

      It is in Vista and Win2008, where it is fixed. In XP, it's just a DoS attack.

    147. Re:Yeah, right by MrCrassic · · Score: 1

      As I'm sure other comments below have already addressed, systems that have Windows Firewall on and left at default AND/OR systems behind a firewall that supports SPI will not have problems. A really, really, REALLY big part of me says that the Navy's covered.

    148. Re:Yeah, right by plague3106 · · Score: 1

      Funny, b/c I seem to remember that from a story posted on this very site a few days ago.

      And I easily found this story: http://www.pcadvisor.co.uk/news/index.cfm?newsid=119190

      How stating a simple fact became astroturfing I'll never know.

    149. Re:Yeah, right by Anonymous Coward · · Score: 0

      I quit my job as a software developer on combat control systems for the Navy when the base I was working at converted to NMCI. I couldn't understand how I was supposed to develop software with the computer they issued me. At that time (2006) they were downgrading computers to windows 2000 because that was "more secure".

    150. Re:Yeah, right by plague3106 · · Score: 1

      Wow... I'm replying to you even though there are plenty of similar posts... but I'm amazed people are posting such nonsense.

      Win7 is available for pre-order. So yes, you can have sales for it even though it's not officially released yet.

    151. Re:Yeah, right by Anonymous Coward · · Score: 0

      Hopefully he/she/other was talking about pre-sales, but I dunno

    152. Re:Yeah, right by drinkypoo · · Score: 1

      I wouldn't drop my sub, and anyway, using windows is testing windows, like it or not. There's even an automated bug reporting tool built right in. It gets a lot of use...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    153. Re:Yeah, right by JasonBee · · Score: 1

      Well the obvious solution to that is that everyone respect and honor as best as possible the established standards. It makes backwards compatibility far easier if a browser must "flip modes" to respect say, current or past specs, rather than worrying about version "x" of browser "y" etc.

      IE is moving towards that now, thankfully, but it also creates the awkward backwards looking issues you describe. The solution? For you possibly this: http://www.vmware.com/products/thinapp/using.html

      You can package older or newer versions of IE inside a standalone EXE, and run that as needed. Very handy. Licensing costs I can't cite, but I've seen the demos working for FireFox and MS Office and it's super useful.

      JB

    154. Re:Yeah, right by Anonymous Coward · · Score: 0

      Not only that, but they've dropped the price just so it can compete with Linux. Sounds to me like they still want people to use it, huh?

      Then again, it doesn't really matter cause the sheep don't ask questions or do their research, they just focus on the inane detail that they won't have to transition to something different (but better). Win for MS....

    155. Re:Yeah, right by Anonymous Coward · · Score: 0

      I would love showing up for work one of these days and be told to read up on how to make things cold instead of debugging m$ products.

    156. Re:Yeah, right by Blakey+Rat · · Score: 1

      Microsoft gave people the tools to make IE6 only websites and pushed hard to get people to use them

      And they've spent the last 5+ years with the message: "Whoa, sorry about that whole ActiveX thing, please don't actually use that."

      Microsoft's been doing nothing but DISCOURAGING IE-only technologies for ages now, it's not Microsoft's fault that huge, lumbering corporations with sub-par programmers haven't figured out the fucking message yet.

      Microsoft have not given an easy upgrade path for any of these applications, and IE7/8 break them, and so it is 100% Microsoft's fault ....

      They should be thanking their lucky stars that ActiveX works at all in IE7, considering everybody, even Microsoft, is sick of it and wants it to go away. Seriously, if Microsoft could wave a magic wand and make that code disappear, they would-- but you're deluding yourself if you think that Microsoft has any control over this.

    157. Re:Yeah, right by relguj9 · · Score: 1

      The Navy will simply subcontract-out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result. It will employ some 10,000 workers at a cost of 1.4 trillion dollars. Then it will fail to come-in on time, so they'll spend an extra 6 months and 0.3 trillion on schedule overrun.

      That's SOP for the government.

      Sounds like US Software and IT job creation to me.

    158. Re:Yeah, right by Blakey+Rat · · Score: 1

      What they're saying is that, using the default settings in the latest service pack, those OSes are immune to those exploits. It's still possible to change the default settings in such a way as to make the exploit work.

      Considering that, I don't think Microsoft's action here is unfair. Windows XP and 2000 *are* resistant to this exploit, as long as the user doesn't go out of their way to do something stupid (like disabling security features.)

    159. Re:Yeah, right by Theoboley · · Score: 1

      Yes, I'd do this, but I can't figure out where to put the CD to install leopard on my Apple II E

      --
      Stupidity only gets you so far, then you've gotta try
    160. Re:Yeah, right by Estragib · · Score: 1

      You're right, my fault. I misread the Wiki article. Two paragraphs down, it actually says exactly what you say.

      On April 8, 2014, all Windows XP support, including security updates and security-related hotfixes will be terminated.

      But hey, who are we to criticize Microsoft for making their new OS more appealing, right? Can't have people unreasonably keep using XP, when Vista and up have all the good trusted computing support.

    161. Re:Yeah, right by TClevenger · · Score: 2, Funny

      Would you expect a car manufacturer to offer a 10 year warranty on all of their cars?

      No, but I expect them to honor the warranty they already offered. Microsoft said that they would provide critical security updates to Windows XP until 2014. This is a pretty critical bug, but they decided to downgrade it so they don't have to fix it.

    162. Re:Yeah, right by Anonymous Coward · · Score: 0

      Actually, it *is* Microsoft's fault. They created a browser that wasn't compliant with HTML and Javascript standards, forced it down everyone's throat with Windows, then kept changing the behavior with each new version. What the hell is a web developer supposed to do? Ignore IE and most of the population trying to access your e-commerce site?

      Do you even have a clue about the cost associated with making a website behave properly for all the stupid things Microsoft has done to their browser over the years?

    163. Re:Yeah, right by hrimhari · · Score: 1

      Here's something else to help with your day. Mitsubishi does offer 10-year limited warranty on their cars

      --
      http://dilbert.com/2010-12-13
    164. Re:Yeah, right by lorenlal · · Score: 1

      Actually that shouldn't matter a damn. XP is in extended support, which means: security update support is still active. It's completely bogus, and against their own terms to not offer a security fix, especially for something that suffers the same exact bug (likely from the same exact code) in a newer, fixed OS.

      This is MS trying to strong-arm companies into paying them for upgrades.

      http://support.microsoft.com/gp/lifepolicy

    165. Re:Yeah, right by afidel · · Score: 1

      Wow, stating facts is now considered trolling?

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    166. Re:Yeah, right by RightSaidFred99 · · Score: 1

      Right, because the web standards around as of IE6's lifetime were so _powerful_ right? I mean who could have needed more than some simple buttons and drop down boxes, aye?

    167. Re:Yeah, right by Anonymous Coward · · Score: 0

      It works, though.

      A client of mine just spent a lot on "upgrading" from Win2000 to XP because of the lack of support for the time changes ( daylight savings / standard time ).

    168. Re:Yeah, right by Anonymous Coward · · Score: 0

      "I saw government workers sitting around doing nothing but surfing the net day-after-day. The FAA could lay-off 75% of the workforce and not notice any drop in output."

      Sad thing is, the contractors register barely above that level of activity. The wonder of revolving doors.

    169. Re:Yeah, right by John+Hasler · · Score: 1

      > Anyone know any other crafty ways to get Windows? :)

      No, but I can suggest some crafty ways to get an STD. Wouldn't that be preferable?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    170. Re:Yeah, right by Rockoon · · Score: 1

      Suppose instead of refusing to patch an XP flaw that they fixed in Vista/7, suppose instead they refuse to patch an XP flaw that they also didn't patch in Vista/7.

      Is this also reneging?

      No, no it's not. Support doesn't mean "microsoft is my bitch"

      --
      "His name was James Damore."
    171. Re:Yeah, right by Anonymous Coward · · Score: 2, Informative

      Yes, but from the transcript linked in the summary:


      Q: Is Windows XP vulnerable to MS09-048 without the Windows XP firewall?

      A: Yes but only for the two DoS vulnerabilities. The bulletin has been updated to indicate this and the severity for XP is low.

      This means in some corporate environments where IT has disabled the Windows FW, SP2 and SP3 are still vulnerable to DoS. And that vulnerability still hasn't been patched.
      So at its core the XP TCP/IP stack will still have this problem.
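
The condition argued over in comments 139 and 171 above (a listening service that the host firewall does not shield), written as an added audit example that is not part of any poster's comment. The `netstat -ano` sample is constructed, and the firewall state and exception ports are assumed to be supplied by the auditor rather than read from the host.

```python
"""Added example: which TCP listeners on an XP host are reachable from the
network for a given host-firewall state. Reachability only; it does not test
for the TCP/IP flaw itself."""
import re
from typing import NamedTuple

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1050      10.0.0.5:80            ESTABLISHED     2000
  UDP    0.0.0.0:445            *:*                                    4
"""


class Listener(NamedTuple):
    address: str
    port: int
    pid: int


# Only TCP rows in LISTENING state matter here; UDP rows have no state column.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return every TCP socket in LISTENING state found in netstat output."""
    found = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def is_loopback(address):
    """Loopback-bound listeners are never reachable from another machine."""
    return address.startswith("127.") or address in ("::1", "[::1]")


def exposed_listeners(listeners, firewall_enabled, allowed_ports=frozenset()):
    """Listeners a remote host can reach.

    firewall_enabled / allowed_ports are the auditor's statement of the host
    firewall configuration (an assumption of this example, not parsed here).
    With the firewall on, only ports with an exception are reachable; with it
    off, every non-loopback listener is.
    """
    exposed = []
    for item in listeners:
        if is_loopback(item.address):
            continue
        if not firewall_enabled or item.port in allowed_ports:
            exposed.append(item)
    return sorted(exposed, key=lambda item: (item.port, item.address))


def exposed_ports(netstat_text, firewall_enabled, allowed_ports=frozenset()):
    """Convenience wrapper: sorted unique port numbers that are reachable."""
    hits = exposed_listeners(parse_listeners(netstat_text),
                             firewall_enabled, allowed_ports)
    return sorted({item.port for item in hits})


if __name__ == "__main__":
    scenarios = [
        ("SP2/SP3 default: firewall on, no exceptions", True, frozenset()),
        ("firewall on, file sharing exception", True, frozenset({139, 445})),
        ("firewall on, Remote Desktop exception", True, frozenset({3389})),
        ("firewall disabled by IT", False, frozenset()),
    ]
    for label, enabled, allowed in scenarios:
        print(f"{label}: {exposed_ports(SAMPLE_NETSTAT, enabled, allowed)}")
```

An empty list corresponds to the default configuration the advisory describes; any non-empty list is the case the commenters say is common on corporate machines.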

    172. Re:Yeah, right by Uncle+Rummy · · Score: 1

      Actually, it probably would be more like coupons for $50 off a retail purchase of Windows 7. Meanwhile, the plaintiffs' lawyers, having successfully consolidated the various claims into a class action, would receive several million in cash under the terms of the settlement.

    173. Re:Yeah, right by poetmatt · · Score: 1

      So you're saying you're a MS partner/salesperson? wow, I'll pass on arguing with someone whose position defines bias.

    174. Re:Yeah, right by poetmatt · · Score: 1

      oh and just a fyi, I actually work with enterprise as well, and that and consumers are what matter the most. Neither of those wants windows 7, and plenty have outright banned it. I can cite every bank in the US (every major banking corporation) as an easy example of that.

      You think they plan on running lotus symphony on windows? Har har.

    175. Re:Yeah, right by oatworm · · Score: 1

      Well, sure, but you have to admit, "7" is a much better name than "Vista". I mean, "Vista" reminds me of an old station wagon, while "7" reminds me of the only reason to watch old Star Trek: Voyager reruns. That alone makes it worth my while!

    176. Re:Yeah, right by Fulcrum+of+Evil · · Score: 1

      Would you expect a car manufacturer to offer a 10 year warranty on all of their cars?

      You mean, like Kia and Hyundai? You do know that MS can still sell XP and maintenance is pretty much the only cost to it, right?

      If they are using in house software that can only run on XP then they should have it updated.

      What about those medical PCs running 95 where the company who made it no longer exists? Sure, just buy another $100,000 gadget because win95 isn't patched.

      Microsoft are perfectly within their rights to "force" obsolescence onto users by concentrating on more recent versions of their software.

      Nobody's saying that they should be forced to do otherwise

      They even produced a backwards compatibility plugin to let Office 2003 work with 2007, I was quite shocked at that.

      You shouldn't be. If MS Office loses data compatibility, they lose the monopoly.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    177. Re:Yeah, right by oatworm · · Score: 1

      From the halls of 1 Microsoft Way,
      To the shores of Sammamish...

    178. Re:Yeah, right by b0r1s · · Score: 1

      Because no vendor has ever said run iptables/ipchains/ipfw to prevent exploitation of a bug in Linux 2.0/2.2, FreeBSD 4.x, etc, right?

      --
      Mooniacs for iOS and Android
    179. Re:Yeah, right by fahrbot-bot · · Score: 1

      Kia, Hyundai, Mitsubishi and GM all offer 10-year powertrain warranties (that's "engine parts, transmission, drive system") on new cars. Chrysler's powertrain is covered for "lifetime" [cars.com] as long as you keep a record of proper maintenance.

      Assuming the Chrysler lasts longer than 10 years, you may have a point. I'm betting it won't.

      I'm not trying to start a fight, but Chrysler cars generally are crap.

      --
      It must have been something you assimilated. . . .
    180. Re:Yeah, right by Anonymous Coward · · Score: 0

      And I assume it came with SP2 or later, right? Or at least, you have installed SP2 or later, right? RTFA again, and look at some of the "Informative" posts here that talk about XP SP2 and later. You'll figure it out eventually.

    181. Re:Yeah, right by Sancho · · Score: 1

      It wouldn't be reneging. But that's the point. Two operating systems from the same vendor, the same bug affects each, both are still under support, but they refuse to patch one of them. And all of the Microsofties come out of the woodwork to defend Microsoft for not wanting to support an 8 year old OS that they still sell and promised to support.

    182. Re:Yeah, right by Uncle+Rummy · · Score: 1

      Never happen. All it takes is one accident after the cuts, and all fingers point back to the Congressmen who championed the cost cutting bill. No politician worth his salt will put himself in the position to be the target of a statement like this:

      We at the FAA told the Congressional committee that we couldn't afford to reduce staffing levels without impacting the safety of the air transport system. They bulled ahead in spite of our clear and repeated warnings, and now we have the proof of our words - a tragic midair collision of two commercial aircraft resulting from inadequate staffing of the ATC system necessitated by the budget cuts mandated in the Make Government More Efficient Act.

    183. Re:Yeah, right by PitaBred · · Score: 1

      It sells them with licenses of XP SP2 or SP3, which are fixed. I don't like Microsoft as much as the next guy, but call a spade a spade.

    184. Re:Yeah, right by EXrider · · Score: 1

      Yes, because it's quite simple to backport fixes to a codebase that is 10 years out of sync with your mainline.

      I call bullshit, 2003 Server is basically the same codebase as XP with some extended (server) features. This is purely a strategic move to scare people into upgrading. You can even copy DLL's from 2003 to XP to enable server features like multiple concurrent users in Terminal Services. Perhaps we can do the same thing to fix TCP/IP in XP?

      Their reasoning that XP is safe because it comes with the firewall enabled by default is bullshit too, soon as you join the machine to AD it's going to be vulnerable to any rogue device on the local broadcast domain.

      --
      grep -iw skynet /etc/services
    185. Re:Yeah, right by Anonymous Coward · · Score: 0

      Of course it's their fault! if they produced a W3C compliant browser there would be no such problems.

    186. Re:Yeah, right by Fulcrum+of+Evil · · Score: 2, Insightful

      Sure, it's immune as long as you don't run remote desktop on your XP box. I mean, who does that?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    187. Re:Yeah, right by westlake · · Score: 1

      How does this rate insightful, when the fellow knows nothing about his topic?

      The Win 7 RC stands up very well against Linux in the most frequently quoted stats: Operating System Market Share, OS Platform Statistics

    188. Re:Yeah, right by binarylarry · · Score: 1

      What a reputable looking and sounding website!

      --
      Mod me down, my New Earth Global Warmingist friends!
    189. Re:Yeah, right by 0ld_d0g · · Score: 0

      It's funny how the actual development of software happens BEFORE its release date. The codebase obviously IS greater than 8 years old. A little hard to grasp for some people, I know.

      Besides, have you ever heard of code branches? Vista is a branch off of the XP/Windows 2003 codebase after XP was released so applying any fix from the Vista tree to XP is not as easy as SP1, SP2 and SP3 development has happened on the XP tree since then. It's definitely possible to back port, but it's not a simple task. Maybe you disagree.

      Also, since you're so confident that Linux has a longer service period, let me know where I can get free patches for Ubuntu 4.0. or Redhat 7.1 in 2009.

    190. Re:Yeah, right by JAlexoi · · Score: 1

      The short name CENTCOM - does not do it justice, it should be called MULTIBILLIONDOLLAR-BEJEESUS-COM :)

    191. Re:Yeah, right by harmonise · · Score: 3, Funny

      It's the advanced version of dig a hole and fill it in.

      Two blonde girls were working for the county public works department. One would dig a hole and the other would follow behind her and fill the hole in. They worked up one side of the street, then down the other, then moved on to the next street, working furiously all day without rest, one girl digging a hole, the other girl filling it in again.

      An onlooker was amazed at their hard work, but couldn't understand what they were doing. So he asked the hole digger, "I'm impressed by the effort you two are putting in to your work, but I don't get it... why do you dig a hole, only to have your partner follow behind and fill it up again?"

      The hole digger wiped her brow and sighed, "Well, I suppose it probably looks odd because we're normally a three-person team. But today the girl who plants the trees called in sick."

      --
      Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
    192. Re:Yeah, right by bootup · · Score: 1

      MS Windows 7 has many of the same problems as Vista. It still has issues regarding DRM. The interface still sucks. MS Office 2007 hasn't exactly changed-and don't tell me that this isn't part of MS Windows cause every single user almost has it and you can't buy an older version. It is for all intents and purposes the MS package that we're talking about- and that has largely gone unchanged in any significant manner. The whole MS ecosystem is crumbling before us. Even if you ignore MS Office 2007 nightmare the system is supposedly leaner according to the hype- yet I know for a fact that what hasn't been cut is still bloated just like Vista. The reviews pre-release are just like Vista- great. Now you say it has been released? No it hasn't. Not in practice. You can't get it. Until you can actually get it on a computer it isn't out. The fact we still don't have it makes everything hype. Until I actually see it running for more than 6 months on a low and mid-range machine I'm calling it crap. Nothing more than hype suggests otherwise. Microsoft is bound to release lots of services packages that screw it up. We also don't have the compatibility that Microsoft Windows XP has- and definitely nothing like what GNU/Linux has. GNU/Linux actually has the best compatibility - despite what all the MS Windows fanatics claim. You aren't forced to upgrade every time Microsoft releases a new operating system because the printer manufacturers fail to provide updated drivers to the proprietary crap they release on MS Windows.

    193. Re:Yeah, right by Anonymous Coward · · Score: 0

      I just bought a eepc and it was only offered with XP on it. This is such a terrible move, it seems likely they'll reverse it, or they sure deserve a ton of bad press for it: "They provide security patches, unless it's inconvenient for them." Seems like Apple and Linux can honestly advertise that they provide *much* better support in that regard.

    194. Re:Yeah, right by Anonymous Coward · · Score: 0

      "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

      It's a huge issue that affects almost the entire platform if changed, and it does not cause any problems to users.

    195. Re:Yeah, right by Zoxed · · Score: 1

      > I say we send the Marines to storm the MS campus.

      I say nuke it from orbit, just to be sure.

    196. Re:Yeah, right by JWSmythe · · Score: 2, Interesting

      Citations ... err ... clarification please.

          Toyota Vista (Rebadged Toyota Camry)

          Indica Vista (Indian made/sold car)

          Dodge/Plymouth Colt Vista Wagon (Rebadged Mitsubishi Chariot)

          Eagle Vista (Rebadged Mitsubishi Space Wagon)

          Thomas Vista a mighty big station wagon. :)

          Oldsmobile Vista Cruiser The "That 70's Show" classic 1969 Vista Cruiser. :)

          The only Vista I'd want to own is This One (More Information), but fuel is kinda expensive.

      --
      Serious? Seriousness is well above my pay grade.
    197. Re:Yeah, right by oatworm · · Score: 1

      I was leaning toward the Vista Cruiser, though, you have to admit, the Colt Vista was an interesting concept. Strange looking, to be sure, but no worse than a Nissan Axxess.

    198. Re:Yeah, right by csartanis · · Score: 1

      Well hell, hire me and give me the credit card. I'll bring my receipts over to group B myself!

    199. Re:Yeah, right by frovingslosh · · Score: 1

      Also worth mentioning that, far from dead, XP is still being actively sold for Netbooks. Microsoft aggressively went after that market to take it away from Linux. Now you have Microsoft saying that it will not fix problems in a currently selling product because, well, let's be honest about it, they don't want to. Heck with the military, the consumers should start a class action suit over this one.

      --
      I'm an American. I love this country and the freedoms that we used to have.
    200. Re:Yeah, right by Onymous+Coward · · Score: 1

      Well since MS saw fit to let their browser development languish for five years, yes. IE6 was their browser from 2001 to 2006. That's half a goddamned decade while the net at large was trying to move on. CSS 2 predates IE6 by three fucking years. Plenty of sophisticated and standards-compliant web development happened during IE6's time, geez.

      Trying to rewrite history to say IE6's peculiarities were needed? That the standards weren't adequate? Please knock that the fuck off.

    201. Re:Yeah, right by Runaway1956 · · Score: 1

      "The U.S. Navy's and Marine Corp's"

      A bit of redundancy, there. The US Navy includes a medical corps, a supply corps, and a marine corps. Just pointing out an obvious fact that most people never seem to notice.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    202. Re:Yeah, right by Anonymous Coward · · Score: 0

      I work in IT at a bank. We've been playing with Windows 7 MSDN since it came out. We can't wait for Windows 7. But you'll just call me a Microsoft shill.

    203. Re:Yeah, right by cyber-vandal · · Score: 1

      That's SOP for most large organisations, public and private, since the people making the decisions usually have no idea what they're buying.

    204. Re:Yeah, right by RightSaidFred99 · · Score: 1

      I don't know if you ever noticed it, but the web pretty much sucked dirty balls as an application platform until just a few years ago. CSS wasn't the problem or the solution. The problem was "click"...wait..."redraw".

    205. Re:Yeah, right by Runaway1956 · · Score: 1

      Ditto - running on a 286 chip!! Rugged sucker, it was built for the DOD, then handed off to the Department of Agriculture. HUGE 40 MB hard drive, among other features.

      I sure wish it had a 386 instead of the 286 - even Linux doesn't like it very much!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    206. Re:Yeah, right by Disgruntled+Goats · · Score: 1

      "I call bullshit, 2003 Server is basically the same codebase as XP with some extended (server) features."

      And you know this how? Please enlighten us to how you have privy access to the codebases of XP and Server 2003 to definitively state this.

      "This is purely a strategic move to scare people into upgrading."

      That's funny because they mark this as low risk for Windows XP which would seem to run contrary to a point of scaring people into upgrading away from it.

      "Their reasoning that XP is safe because it comes with the firewall enabled by default is bullshit too, soon as you join the machine to AD it's going to be vulnerable to any rogue device on the local broadcast domain."

      If you're dumb enough to let rogue devices on the local broadcast domain, you probably deserve the consequences.

    207. Re:Yeah, right by Pathwalker · · Score: 1

      ELKS Linux should run on it; start digging through the files in http://sourceforge.net/projects/elks/files/.

    208. Re:Yeah, right by Runaway1956 · · Score: 1

      Thanks for the link. I've looked at a couple of distros, but I've never downloaded them. This one is downloading now - next time I move that laptop out of my way, I'll put it on my workdesk. All I need to do is overcome my lazy arsed inertia.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    209. Re:Yeah, right by Anonymous Coward · · Score: 0

      orly.jpg

    210. Re:Yeah, right by plague3106 · · Score: 1

      Ok, troll, I'm not going to bother with you anymore, since anyone with half a brain can google and find dozens of sites all saying the same thing.

    211. Re:Yeah, right by Philip+K+Dickhead · · Score: 1

      I am an Information Security Architect.

      I ride the big fish - so I come into accounts with Microsoft and Sun, among others. My independence is credibility for the vendor and assurance for the customer.

      I see the MS people up-close, plying their solutions sales tradecraft.

      They are selling to the wrong people, in general. IT is full of knob-turners, who wouldn't understand a business problem, proper requirement or risk-management strategy if it were beaten over their head. These were how MS built its first business, but will kill them against the Oracles of the world, as they try and grow their next.

      Go for the CFO. He's the one who whistles, and the CIO comes running.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    212. Re:Yeah, right by Anonymous Coward · · Score: 0

      Microsoft still sells XP....

    213. Re:Yeah, right by fireylord · · Score: 1

      not having a firewall protecting your machine from 29 THOUSAND others even if they're supposedly 'safe' is crazy in all situations, not just now there's a known hole

    214. Re:Yeah, right by Philip+K+Dickhead · · Score: 1

      Whatever you say, mate.

      Give a big "Hi" to the FFIEC auditors for me.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    215. Re:Yeah, right by armanox · · Score: 1

      It wasn't an NEC by any chance was it? Mine is (and a 286), with a DOD sticker on it. Also, it does run ELKS too.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    216. Re:Yeah, right by armanox · · Score: 1

      Also have a Toshiba T1000 with an 8088 running DOS 3. Full 640KB (yes, KB) of RAM too.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    217. Re:Yeah, right by Philip+K+Dickhead · · Score: 1

      Were you typing all of that on one line, to get it done before your boss came back in the room? :-)

      One argument per paragraph please.

      It makes it easier to see the transparency and subjective nature of your assertions.

      A minor quibble. Back to the ridiculous gaming topic - I have had next to no luck in getting the various incarnations of Spore to run on my Jaunty Jackalope. I understand a good deal more about compatibility than you ever will, it appears.

      You paint me as a "MS Windows Fanatic" which is farcical. I ran FWTK on SLS Linux, back when it appears you were watching Thomas the Tank Engine. As the 2.1 series kernels were emerging, I built my own on a near daily basis. My principal computers are Ubuntu boxen, with perimetre and net handling duties capably managed by OpenBSD on Soekris boards. But these are details. You and your poet friend are arguing about Snap-on-Tools versus Home Depot house brands. Ultimately, I am concerned with carpentry and house building. You want to show off your tool.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    218. Re:Yeah, right by poetmatt · · Score: 1

      There are issues with security and governmental banking regulations that will not allow windows 7.

    219. Re:Yeah, right by alragh · · Score: 1

      Really?

      The Windows XP support policy was detailed on all the display stands and web pages where WinXP has been sold on a Netbook in the past year?

      This isn't just about people who read tech websites, Microsoft have sold plenty of WinXP licences in the last year to people who won't have had a clue about Microsoft's support policies.

    220. Re:Yeah, right by croddy · · Score: 1

      well, my advice to them would be to stop selling it, of course, but it seems that the marketing scum have been running too much at microsoft, and the people who build their actual products running too little ... and it finally caught up with them. it's difficult to claim with a straight face that windows XP is a supportable configuration except on legacy boxes. microsoft should run, not walk, away from that train wreck.

    221. Re:Yeah, right by poetmatt · · Score: 1

      eh, I don't deal with banks in that sense, I deal with IT consulting and I have seen the idiots too as you mentioned in your other reply. However, lots of people don't want win 7 as plenty of companies were planning migrations away from Windows that are coming to fruition now. It's not really linked to Win7, just happens to be around the same time frame.

    222. Re:Yeah, right by Runaway1956 · · Score: 1

      http://www.sinasohn.com/cgi-bin/clascomp/bldhtm.pl?computer=gridcs3

      That's the mfgr, and that particular model looks very much like mine. The model number is 1520, with the 286 chip instead of the 8088.

      Other, similar models pictured here: http://www.pd.com/GRiD.html I see no external difference between my 1520 and the 1530 shown there. Apparently, the 1530 came with either a 286 or a 386.

      Long ago, I had several sites bookmarked with info on GRiDcase machines, but I've lost them all.

      These machines were originally engineered specifically for the DoD, and as I recall, the Army, Navy, and Air Force had exclusive access to them for quite some time. Only near the end of their "support life" did they become available to people outside the DoD.

      At least, that's what I read.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    223. Re:Yeah, right by Anonymous Coward · · Score: 0

      In a few weeks, Windows 7 is being released. Of course there are no plans to move to Vista by just about every organization.

    224. Re:Yeah, right by Anonymous Coward · · Score: 0

      I questioned the Navy's IT management for years, failing to see the long term wisdom behind the program [ ... ] I'm forced to admit NMCI has been tremendously successful at bringing productivity to a near stand still.

      True, they should have gone with Linux. It has been the most usable/productive platform for years.

      No one serious is buying any operating system expecting it to last forever. If they are, then they should be fired. Technology is rapidly changing in every single operating system, resulting in the eventual release of a newer version for every version, and the eventual discontinuation of support for every version. Where was the long term wisdom using a Dell system? There's no way they will last beyond 2015!

      Please become a whistle blower and self-touter for a real issue.

    225. Re:Yeah, right by ILuvRamen · · Score: 1

      They're actually calling it "The Ocho" didn't you hear? lol

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    226. Re:Yeah, right by Anonymous Coward · · Score: 0

      Open source 2k and XP and let the community solve your errors, since you are incapable of doing so Microsoft.

    227. Re:Yeah, right by Lehk228 · · Score: 1

      at first i read your post as "assuming Chrysler lasts 10 years" which is also in question.

      --
      Snowden and Manning are heroes.
    228. Re:Yeah, right by Anonymous Coward · · Score: 0

      Not only a decent firewall, but it won't even affect anyone out of the box:

      "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    229. Re:Yeah, right by tendrousbeastie · · Score: 1

      Surely it is more likely that, assuming the article on the pcadvisor website is incorrect, the poster was wrong.

      Why must it be the case that because the article might be incorrect then they must be 'astroturfing' (i.e. grassroots campaigning for a cause in a clandestine fashion)?

      (I've not even read the article, might be right, might be wrong, but nothing in the conversation suggests that the poster is being deceitful)

    230. Re:Yeah, right by Anonymous Coward · · Score: 0

      Perhaps you don't recall the controllers' strike in 1980. Reagan fired every union controller that went on strike. I know, because my father was one of the few to not go on strike.

      They went on strike because they did not believe they were getting paid enough (starting controllers in 1978 made 40K a year! in 1978!). Congressmen have nothing to do with the FAA.

      Maybe 30% could go. Believe me, the controllers have plenty to keep them busy.

      Of course we could just rip out the whole system and let GPS handle it. (Oh yeah, that's in the works) The Government will upgrade to Windows 7 because the TARP program specifies it as part of the IT spending budget attached to it. As far as Obamacon is concerned, this "will create jobs and revenue at a time when Americans need it most".

    231. Re:Yeah, right by Anonymous Coward · · Score: 0

      "The vast majority of DoD's systems are Windows XP with no plans of moving to Vista. US Central Command (CENTCOM) is the only command of which I've heard that has said it is moving to Vista, and FSM only knows why."

      Praise be to his noodly appendages.

    232. Re:Yeah, right by HermMunster · · Score: 1

      Yes, fully aware. And yes, I read where it stated that the code had been developed before XP. I also know that when you start weak you end weak when it comes to software design due to how difficult software is to design.

      This doesn't change the fact that they have ample time and resources to fix a significant problem with an OS without forcing consumers to purchase it again just to overcome the issue, even though it is likely only for a short time.

      15 year old software is still being supported by other OSes. Unix still has components being developed that are over 15 years old. OSX uses Unix as its core. Linux is updating software (the kernel) even today after over 15 years.

      Forking and branching is a non-point. The software is maintained by Microsoft and they have access to it. It means that they'd rather spend their money on something we don't want instead of properly supporting what we do want. You do realize, right, that the vast majority of people use XP and not Vista/Win7?

      --
      You can lead a man with reason but you can't make him think.
    233. Re:Yeah, right by Anonymous Coward · · Score: 0

      Should they go back to the 486 PC's with Windows 95?

    234. Re:Yeah, right by Anonymous Coward · · Score: 0

      So you want to *buy* a patch for XP?

    235. Re:Yeah, right by rennerik · · Score: 1

      http://en.wikipedia.org/wiki/Features_new_to_Windows_7

      Really? That's quite a bit of new features for a service pack. Compared to this the list is exponentially larger.

    236. Re:Yeah, right by petermgreen · · Score: 1

      Indeed, but I'd bet the way layoffs would be handled would not give them the opportunity. First they would probably offer all the most experienced guys early retirement packages that were hard to resist. Then if that wasn't enough they would probably go down the line of voluntary redundancies (read: all your best people take the redundancy package and go elsewhere while the not so good ones who can't find a better job stay). If they still couldn't get rid of the number of people they wanted only then would they move onto compulsory redundancies and even then I bet they would be handled in a way that didn't allow cutting the dead wood.

      Note that this is not a problem limited to government, it often happens in big businesses too, especially if a union is involved.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    237. Re:Yeah, right by zuperduperman · · Score: 1

      You seem to be under the illusion that the purchase contract for your steeply discounted OEM netbook copy of XP included some kind of promise of ongoing support from Microsoft. It didn't. Zero. Nothing. None. Go read the EULA. Even if you did have a case, your case is with the OEM supplier of your netbook. That's the whole point of OEM copies of windows. So go talk to them about it. Microsoft provides updates and bug fixes AT THEIR DISCRETION.

      If you really want to pursue it, you can start by purchasing incident support (or a technet or msdn subscription which includes it). Then you can raise a case. And then if you are extremely lucky they may provide you with a hotfix that will be unsupported (as in, you have problems, you are paying more support money). Of course, you will have paid far more than just the cost of updating to Win7, but hey, why do something sensible when it would ruin a perfectly good Slashdot rant?

    238. Re:Yeah, right by petermgreen · · Score: 1

      True but there are going to be a lot of windows XP machines that do have ports open in the firewall for whatever reason.

      P.S. I wonder if the patch for Server 2003 x64 will work on XP Professional x64 Edition. Afaict they are essentially the same OS (unlike 32 bit XP and Server 2003).

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    239. Re:Yeah, right by Bill+Dog · · Score: 1

      If MS marketing worked, Vista would have been viewed positively.

      It's more about guilt, and attempted justification. Guilt for jumping on the idiot bandwagon of painting Vista as much worse than it was. And trying to justify one's past position on the supposed awfulness of Vista by painting what is, as you said, essentially just a service pack to Vista, as somehow worlds better.

      --
      Attention zealots and haters: 00100 00100
    240. Re:Yeah, right by dcam · · Score: 1

      That excuse from MS is only so much BS. On my XP desktop at home I would have listening ports for 80, 433, 3389, 1433 and 22. That is just off the top of my head, I might well be running more.

      This is just an excuse to:
      a) not do some work
      b) push people off xp

      --
      meh
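
Comments 228 and 240 above turn on which TCP ports an XP machine actually has listening and which of those its host firewall lets through. As an added example (not part of any comment or of Microsoft's advisory), this Python script classifies the listeners found in `netstat -an` output; the sample output, the firewall exception list and all function names are constructed for illustration, and program-based firewall exceptions are not modelled.

```python
# Added example: classify TCP listeners on a host by whether the host
# firewall would let inbound traffic reach them.
# SAMPLE_NETSTAT and SAMPLE_ALLOWED_PORTS are constructed, not real data.

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1433      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:2051      203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumption: ports the administrator has opened in the host firewall.
# On a real machine this comes from the firewall's own exception list.
SAMPLE_ALLOWED_PORTS = {3389, 1433}


def parse_listeners(netstat_text):
    """Return [(local_address, port)] for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # A TCP row has at least: proto, local, foreign, state.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::]:135 intact.
        addr, _, port = fields[1].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True when the socket is bound only to the local machine."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def classify(listeners, firewall_enabled, allowed_ports):
    """Map each listening port to 'loopback-only', 'filtered' or 'reachable'."""
    by_port = {}
    for addr, port in listeners:
        by_port.setdefault(port, set()).add(addr)

    status = {}
    for port, addrs in by_port.items():
        if all(is_loopback(a) for a in addrs):
            # Never reachable from another machine, firewall or not.
            status[port] = "loopback-only"
        elif firewall_enabled and port not in allowed_ports:
            # Listening, but inbound connections are dropped by the firewall.
            status[port] = "filtered"
        else:
            # Listening and reachable from the network: this is the set
            # that matters when the TCP/IP stack itself is unpatched.
            status[port] = "reachable"
    return status


def reachable_ports(netstat_text, firewall_enabled, allowed_ports):
    """Sorted list of ports other machines on the network can connect to."""
    status = classify(parse_listeners(netstat_text), firewall_enabled, allowed_ports)
    return sorted(p for p, s in status.items() if s == "reachable")


if __name__ == "__main__":
    for enabled in (True, False):
        ports = reachable_ports(SAMPLE_NETSTAT, enabled, SAMPLE_ALLOWED_PORTS)
        print("firewall enabled=%s -> reachable TCP ports: %s" % (enabled, ports))
```

With the default state the advisory describes (firewall on, no exceptions) the reachable list is empty; every exception added for a listening service puts that port back in it.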
    241. Re:Yeah, right by Bill+Dog · · Score: 1

      It's a bit easier to warrant for a time something with hundreds of moving parts vs. something with hundreds of thousands of interacting lines of code.

      --
      Attention zealots and haters: 00100 00100
    242. Re:Yeah, right by Anonymous Coward · · Score: 0

      The U.S. military's M.O. is to avoid change. If what they have is working for them, even if there is a patch, they won't necessarily get it.

    243. Re:Yeah, right by DJRumpy · · Score: 1

      I have to agree. People on /. love to hate Microsoft, but expecting them to continue to support such old software is a bit much. The only unique thing about this situation is the fact that such a large population of folks are still on XP. Should that force MS to produce patches? No, but it should at least come into consideration.

      I think from a PR perspective, it would have been wiser to support XP at least until Windows 7 was available for retail. It's not as if Vista is an alternative when W7 is just around the corner. You couldn't reasonably expect someone to purchase Vista and then immediately turn around and drop another $200 - $300 bucks for Windows 7.

      I would think it would be rather trivial to continue to support XP until W7 is out. The support infrastructure hasn't suddenly disappeared. If anything, it should be a well oiled machine at this point. What's another month?

    244. Re:Yeah, right by Anonymous Coward · · Score: 0

      Windows Vista is not 'great'. I had 4 home PC's with it. They took over a minute to boot up with the bare minimum in startup services and programs launching on startup. All of these are Core 2's that are at least 2GHz or faster, with 1-4 GB of ram, and Sata 2 or Sata 3 drives. This on a fresh install with Vista SP1 applied. They still continually thrashed the hard drive, and even when you finally got to the desktop, it was another 30-60 seconds before the system would become responsive. Linux doesn't suffer from that issue and neither does OS X or Windows 7 oddly enough.

      It also suffers from Wireless issues where the same downgraded XP boxes have no issues maintaining a connection on the exact same hardware. The service packs may have improved things, but they most certainly did not fix the OS overall. In addition, copying large (+GB) files causes the copying PC to disconnect from the wireless router. I can repeat this on all 4 PC's that had Vista. This is post SP1. I also lost two hard drives on a media PC with Vista. Western Digital drives. I've never in 15 years had a WD drive fail and I've gone through plenty over the years. All of them due to size rather than mechanical failures. I had two fail in a single year while the PC was on Vista. I was forced to downgrade it after the second failure. No problems since. Either I've been extremely lucky for 15 years, or the constant drive thrashing/caching caused undue wear. Since the issue seemed to resolve after downgrading two years ago, and not another failure since, I have to consider that the OS was a factor.

      Had the above problems all been on similar hardware or even the same manufacturer, I could see that it was possibly just a lemon batch of PC's and laptops, but these were across a variety of hardware (2 home built desktops, as well as a Sony Vaio notebook, and a high end HP laptop).

      You can put lipstick on a pig, but it's still a pig...

    245. Re:Yeah, right by shaitand · · Score: 2, Insightful

      "The start orb now has a fade-in highlight effect when the user moves the mouse over it."

      Truly I was mistaken. Clearly these are the sort of things that distinguish one operating system from another and are not merely a fluff list.

      It's not the size of the feature list, but how you use it. Quite frankly, if fade-in highlight effects are even on the list then it is obviously a slow news day.

    246. Re:Yeah, right by Cathbard · · Score: 1

      Some things run by the government need to be staffed for peak, not average loads. If everybody only hired staff according to cost effectiveness (ie average load) then there wouldn't be enough staff to deal with emergencies. If that means that a lot of the time the staff have nothing to do then so be it. Some things are more important than money.

      --
      "A cynic is what an idealist calls a realist" - Sir Humphrey Appleby
    247. Re:Yeah, right by Meski · · Score: 1

      Is it connected to the internet?

    248. Re:Yeah, right by Anonymous Coward · · Score: 0

      If you believe Windows 7 is just vista with a service pack you are either a fucking moron or just took a break from stroking your Mac long enough to post here.

      Windows 7 has thousands of changes from bottom to top. Pull your head out of your ass.

    249. Re:Yeah, right by Alsee · · Score: 1

      I was going to make a joke confusing Slashdot with Wikipedia and pretending to think your post was a disambiguation page (wheres teh edit buton?), but apparently your post *is* the Vista_(disambiguation)#Vehicles page.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    250. Re:Yeah, right by Alsee · · Score: 1

      I was going to chastise you for being unfair and pointing out how the page also lists new themes for Windows 7, but then I came across this line and I totally lost it:
      The Windows Taskbar has seen its most significant revision since its introduction in Windows 95. The taskbar is 10 pixels taller than in Windows Vista

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    251. Re:Yeah, right by 0ld_d0g · · Score: 0

      "This doesn't change the fact that they have ample time and resources to fix a significant problem with an OS without forcing consumers to purchase it again just to overcome the issue, even though it is likely only for a short time."

      So? It's not a significant bug. They've labeled it as low priority. Hence it's their judgment that they don't want to spend time on this. So far they have been accurate in assessing severity of their own OS bugs. Your claim of "forcing" people is only backed by bullshit.

      "15 year old software is still being supported by other OSes. Unix still has components being developed that are over 15 years old. OSX uses Unix as its core. Linux is updating software (the kernel) even today after over 15 years."

      Since Windows 7 contains code that originated in NT 6 and before, they've already demonstrated that they can maintain ~15+ year old code. You really have no clue what you're talking about.

      Just as nobody is maintaining the NT6 branch, older kernel branches in Linux are ABSOLUTELY NOT getting ANY security patches. Tell me who is officially releasing patches for Kernel v2.0.39 (released ~2001). I'll tell you.. a grand total of ZERO people, that's who.

      Hell, Ubuntu forces you to upgrade the OS every two years since they stop giving out patches. And hey if the upgrade managed to break any existing functionality (which has happened.. only in EVERY release so far) then sad day for you. You *have* to upgrade.

      That's not even looking at the fact that there has been a significant increase in minimum system requirements from Ubuntu 4.x to Ubuntu 9.x. Tough luck. Of course, that gets swept under the rug on Slashdot. And yet being the hypocritical bunch of Zealots that they are they find no issues in quarreling about how Vista dropped 5 frames per second compared to XP in some random game benchmark and therefore is the worst OS, etc etc.

      "The software is maintained by Microsoft and they have access to it. It means that they'd rather spend their money on something we don't want instead of properly supporting what we do want"

      So far it looks like people want Windows 7. What are you talking about? Software doesn't have infinite service periods. And in the end they are a business, not a charity. If people don't like the fact that Microsoft didn't fix a low priority bug on an 8 year old OS, then maybe the consumers should go to Apple or a Linux vendor. I only keep hearing constantly on this site that switching to Linux is sooo easy and there is a clone for almost any important app. If it is true, then why aren't more people switching?

      Microsoft has one of the longest service periods among modern consumer operating systems. Maybe that's not good enough for you.

    252. Re:Yeah, right by Alsee · · Score: 1

      oblig: And vacuum cleaners, their first product that don't suck.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    253. Re:Yeah, right by Psilax · · Score: 1

      But most of us disable the built-in firewall, because my dog keeps out more viruses than it does in XP, and install a 3rd party firewall, of which we cannot yet be sure it will filter out the problem, and it shouldn't have to do so either. So I have to agree with the mentality of most readers here: Microsoft is ending support of XP 4 years earlier than what they promised when they extended the support to 2014. 2 simple solutions: we force Microsoft to fix it, or we fix it ourselves. And the last one is no option because it would be illegal according to most copyright laws.

    254. Re:Yeah, right by Yvanhoe · · Score: 1

      Been there, done that. Their needs scream Linux but the Powers That Be said it would be Windows.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    255. Re:Yeah, right by JasterBobaMereel · · Score: 1

      Discouraging the use of is not the same as providing an upgrade path away from ....

      Where are the tools to transform the IE6/ActiveX web application written with Microsoft tools, into a Ie7/8 webstandards friendly application? Microsoft does not seem to have put any effort into this, just saying you know those tools we gave you, well we don't support them any more there is no way of converting the apps, and we would prefer you to rewrite your code from scratch is not a good way to get people to stop using them ...

      --
      Puteulanus fenestra mortis
    256. Re:Yeah, right by Anonymous Coward · · Score: 0

      The default setting may be to not let anything through, but that's only until you start using the machine.

      You can't install or enable anything that might use the network nowadays, without being told that it needs to open a port in the firewall, with the cancel button being "cancel the install". Even games require this, even with the firewall disabled.

    257. Re:Yeah, right by Anonymous Coward · · Score: 0

      This is not true. It should be impossible to legally buy a copy of Windows XP.
      Look at this table:

      http://www.microsoft.com/windows/lifecycle/default.mspx

    258. Re:Yeah, right by Rockoon · · Score: 1

      Went right over your head, didn't it?

      Microsoft didn't refuse to support XP. They simply refused to patch THIS bug.

      --
      "His name was James Damore."
    259. Re:Yeah, right by Sancho · · Score: 1

      Where's the distinction? They chose to patch the same bug in another OS, so they must think it's worthy of being patched.

      Selectively patching critical bugs is not support.

    260. Re:Yeah, right by Anonymous Coward · · Score: 0

      Oh come on... I haven't had a Windows based desktop or laptop for the last twelve years, and even I can see that Windows 7 represents a big change in the development of Windows, there has *never* been a version of Windows that runs faster than its predecessor on the same hardware, there hadn't been a substantial change to the taskbar for more than ten years.

      It may still be Windows but there is definitely substantial change afoot at Microsoft, when even a person who avoids Windows like the plague has heard about how much of an improvement over XP from people who hated Vista with a fiery passion.

    261. Re:Yeah, right by JWSmythe · · Score: 1

      hehe. I added a couple extra links. :) I didn't find any others, so for the most part the wiki page was as complete as I wanted to get for a joke. :)

      --
      Serious? Seriousness is well above my pay grade.
    262. Re:Yeah, right by Life2Death · · Score: 1

      And none of you get that they totally can fix the bug and already have for XP;

      Windows 2003 is running basically a slightly modified XP kernel. FAIL.

      They are purposefully backing users into an upgrade or die corner

    263. Re:Yeah, right by Blakey+Rat · · Score: 1

      How could they?

      Seriously, you're talking about some magical "rewrite all your software, changing it from a compiled language into Javascript, making sure it functions identically even though it's technically impossible for Javascript to do many things ActiveX applets can do."

      You can't rag on Microsoft for not making a product that's IMPOSSIBLE TO MAKE.

    264. Re:Yeah, right by Blakey+Rat · · Score: 1

      Unless I'm very mistaken, this exploit uses the Windows file-sharing ports, not the ports used for Remote Desktop. If you have evidence otherwise, please present it. Until then, I think you're just pulling stuff out of your ass.

      Enabling Remote Desktop doesn't turn off the Windows Firewall, and it doesn't open ports used for file-sharing.

    265. Re:Yeah, right by Fulcrum+of+Evil · · Score: 1

      this vulnerability is allegedly present on every listening service, so it wouldn't matter which service it was. Starting up remote desktop does poke a hole in the firewall, though.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    266. Re:Yeah, right by bruceslog · · Score: 1

      I'm looking for work. Who do I have to know to get a job there ?

      --
      If it has tires or tits, it will give you problems.
    267. Re:Yeah, right by KevinColyer · · Score: 1

      I was intrigued to see the following tucked away in the "Other Features" section http://en.wikipedia.org/wiki/Features_new_to_Windows_7#Other_features:

      A new font "Gabriola" is included.[63] There is also Office Open XML and ODF support in WordPad.

      If ODF is built into Win 7 at this level then a lot of things change. Admittedly WordPad's new ribbon interface gets higher billing up on the page, but the ODF support is the real gem. And a surprise for me to see it included.

    268. Re:Yeah, right by blueskies · · Score: 1

      Actually, in reality it is even worse than that.

      Since a union is involved, they would furlough people based on lack of seniority. So Gov't would keep all the 55-60 year old people that are waiting out their time until retirement and can't leave because they have non-transferable pensions unlike the less senior workers.

      Seniority is the only important thing to Unions. That's why there are so many really bad and lazy employees in the unions.

    269. Re:Yeah, right by HermMunster · · Score: 1

      You have no clue about what's at stake. XP is a highly insecure OS. It's the swiss cheese of OS security. Any holes that can be exploited will. What, we have to have millions of exploited machines before you get off your astroturfing MS ass?

      --
      You can lead a man with reason but you can't make him think.
    270. Re:Yeah, right by Anonymous Coward · · Score: 0

      I'm afraid things are getting worse than that. I keep three computers at home. Two use windows XP and one has windows vista.

      Recently my Outlook Express stopped servicing hotmail. It happened simultaneously on both XP.

      The same is happening to the WiFi software on both XP, including their Bluetooth capabilities. On Vista everything remains sound.

      Quite a racket!!

    271. Re:Yeah, right by 0ld_d0g · · Score: 0

      Haha nice move. Instead of responding to my actual points, call me an astroturfer... w/e.. seems like you were just trolling. Enough time wasted on you..

    272. Re:Yeah, right by Zonnald · · Score: 1

      Can someone please provide the steps to reproduce this DRM problem?
      I have played CDs, DVD, Blu-ray, Mp3 (from the afore-mentioned CDs),
      recorded television, recorded cam-corder movies, computer games,
      I have done programming, manipulated spreadsheets, word documents and PDFs,
      read my mail, used Skype, MSN, video conversions, created digital music, sent and received faxes.

      So far I haven't experienced any effects of this DRM you speak of.

      Please provide steps to reproduce.

    273. Re:Yeah, right by DaVince21 · · Score: 1

      If everybody upgraded to a browser that actually followed standards, maybe governments would put some effort in making systems that actually work for everyone.

      --
      I am not devoid of humor.
    274. Re:Yeah, right by bruceslog · · Score: 1

      >> They would also be perfectly within their rights to stop making
      >> Windows altogether and start manufacturing refrigerators...

      >"Knowing Microsoft, it'll probably be their first product that never freezes."

      Now, THAT was FUNNY !

      --
      If it has tires or tits, it will give you problems.
    275. Re:Yeah, right by Rockoon · · Score: 1

      Where's the distinction? They chose to patch the same bug in another OS, so they must think it's worthy of being patched.

      The other OS's are in a different situation. A freshly installed XP + SP3 does not have a problem, but a freshly installed Vista + SP2 does.

      Support does not mean what you are claiming. Your tactic has been used time and time again in religion. Make up your own definition, then vilify your target. In modern times we have a name for this sort of horse shit from fuckwads like you.

      --
      "His name was James Damore."
    276. Re:Yeah, right by indi0144 · · Score: 1

      I was about to ask for a link but there you go:

      http://forums.adobe.com/thread/257204

      acrotray.exe is the offender. Good thing I always kill that SOAB after the install of CS2 (HijackThis & SpyBot SD FTW!), just in case because this DRM is related to CS3 AFAIK.

      Way to go Adobe! way to go.. Just waiting for Inkscape to be stable on windows so I can ditch Illustrator once and for all, then, no more CS here.

      I salute the Inkscape Win port devs, that's a fine piece of software, the only limiting thing it's crashing on handling huge and complex objects with a lot of nodes.

    277. Re:Yeah, right by Sancho · · Score: 1

      but a freshly installed Vista + SP2 does

      Does it? Are you guessing, or do you know? A clean install of Vista SP0 does not have any services listening through the firewall, and an nmap scan of the host does not find anything. I'd be shocked if this was changed for SP2, but I'll know once the install is done.

      Support does not mean what you are claiming

      Can you point me to Microsoft's definition of support, then? I couldn't find it with a brief search. Does it mean, "If we deign to release an update, you may download it?"

      http://support.microsoft.com/gp/lifepolicy isn't really useful for my question, because it uses circular definitions. "Extended support" means you get "security update support" (this falls under a security vulnerability) but they never say what they consider "support" to mean.

      Also, by not patching XP, they're saying that you shouldn't have any services listening on XP. I might be able to buy that argument if the same was said for Vista, however they patched Vista. Both are OS that are used for workstations and home support (i.e., not a server OS.) Both have similar services that can run (e.g., file and print sharing).

      Also, the name-calling seems unnecessary. Why can't we have civil discourse anymore? If I'm misunderstanding the definition of "support", why not enlighten me? And no:

      Support doesnt mean "microsoft is my bitch"

      doesn't really count. You've told me what support isn't, not what it is.

    278. Re:Yeah, right by Sancho · · Score: 1

      Never mind. I've read through some of your comment history, and I've discovered that you're not the kind of person who's likely to be capable of intelligent, rational, cordial debate. You might be the first two, but you're a jerk while you're doing it. I'm not interested in hearing your responses or debating with you further.

      Have a nice day.

    279. Re:Yeah, right by mabhatter654 · · Score: 1

      Well, if they really wanted to stop selling XP they could have. Linux was starting to pick up on Netbooks because Vista was inadequate for the assigned task. So Microsoft made a choice to sell XP and continue to profit and keep its market share so they need to offer the proper amount of support for new licenses as they don't exactly offer "clearance sales" on "old" licenses do they?

      If Microsoft isn't capable of dealing with so many combinations of hardware and software, maybe they need a smaller market share... room for somebody else to step in. So what you're saying is that a company with tens of billions of dollars of CASH on hand can't/won't handle support for one of its key products just because it's "old"? If we wouldn't have allowed Microsoft to get so big, maybe they wouldn't have these kinds of problems... This is where those pesky statistics get you. Microsoft's market share is long past the point of diminishing returns and yet they throw money holding every single OEM tightly, pushing "dead" products so that fledgling new ones don't get a single chance to get cash flow to start fixing their flaws and growing up.

  2. Unclear by coastwalker · · Score: 4, Interesting

    It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

    --
    Facts are history now plebs have politics for religion on social media.
    1. Re:Unclear by MyDixieWrecked · · Score: 1

      My first reaction to this news is that MS is using this as a tactic to get people to upgrade to Win7. From what I understand, Win7 runs pretty well on netbooks; or maybe that's just what MS wants us to think. heh.

      I'm incredibly curious, but I don't think I'm about to replace my S10's (Lenovo Netbook) Ubuntu OS with Win7.

      --
      ...spike
      Ewwwwww, coconut...
    2. Re:Unclear by FlyingBishop · · Score: 1

      They might be hoping to position Windows CE for that space. It is, after all, what it's designed for.

      Which would actually be pretty nice. ARM would no longer be completely a second class citizen, which can only ease porting in general for those of us using Linux.

    3. Re:Unclear by Corporate Troll · · Score: 2, Informative

      It reminds me a bit of NT 4.0 back in the day. They stopped giving out patches for critical vulnerabilities 6 months before the EOL of NT 4.0. The reasons were similar: "It cannot be done". How far away is the official EOL of Windows XP? Somewhere in 2012, no?

    4. Re:Unclear by noundi · · Score: 2, Interesting

      It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

      Excellent point. I wonder if this could put MS into legal trouble. Does anybody know what software distribution laws say about distributing software with known security issues without the intention of filling them? Are they at least bound to notify the user? I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified. Surely this should be a more valid suit, as you don't even need to be a complete moron to get affected.

      --
      I am the lawn!
    5. Re:Unclear by Markus_UW · · Score: 1

      January 31st, 2009, looks like. That'd be what, 8 months back? http://www.microsoft.com/windows/lifecycle/default.mspx

    6. Re:Unclear by Anonymous Coward · · Score: 0

      >Somewhere in 2012, no?

      April 2014 (!)

    7. Re:Unclear by Corporate Troll · · Score: 1

      No, that's the availability of licenses, not the end-of-life for support.

    8. Re:Unclear by Drakkenmensch · · Score: 2, Insightful

      It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

      The Coca-Cola Corporation also had a steady worldwide revenue stream with its nearly 80 years old original Coke formula, and everything went smoothly when it upgraded it to the improved and more delicious New Coke- Oh wait.

    9. Re:Unclear by Corporate Troll · · Score: 4, Informative

      Here you go. Extended support is well into 2014. Mainstream support has already ended though.... Which is very strange considering XP is still sold with netbooks.

    10. Re:Unclear by TheP4st · · Score: 1

      I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified.

      Coffee very rarely comes with a EULA explicitly removing responsibility from the vendor in case the coffee is too hot, or at least it used to. Most software comes with EULAs covering exactly the points you've brought forward.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    11. Re:Unclear by blueg3 · · Score: 2, Insightful

      There are essentially no software liability regulations.

    12. Re:Unclear by David Gerard · · Score: 3, Informative

      It does if you have 2 gig of memory. Bit cramped with 1 gig. Unusable with 512MB.

      Windows 7 is more user-responsive than Vista, but its arse is just as fat.

      --
      http://rocknerd.co.uk
    13. Re:Unclear by noundi · · Score: 1

      I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified.

      Coffee very rarely comes with a EULA explicitly removing responsibility from the vendor in case the coffee is too hot, or at least it used to. Most software comes with EULAs covering exactly the points you've brought forward.

      Well that's given, my concern is if the law mentions anything, in which case a EULA, in that sense, wouldn't be effective. You can't put whatever you want within the EULA.

      --
      I am the lawn!
    14. Re:Unclear by BlueStrat · · Score: 2, Insightful

      It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

      The Coca-Cola Corporation also had a steady worldwide revenue stream with its nearly 80 years old original Coke formula, and everything went smoothly when it upgraded it to the improved and more delicious New Coke- Oh wait.

      Well, this is just MS's own business practices backfiring. MS with XP, Vista, and Win7 is now competing with itself, so MS's own aggressive monopoly defenses/dirty tricks dept. is seeking to derail its own most successful OS! I wonder if they'll try to embrace, extend, and extinguish themselves next?

      Yes kiddies, that was sarcasm.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    15. Re:Unclear by Markus_UW · · Score: 1

      I think netbooks get a weird exception clause for 2 years after the purchase of the netbook or something like that IIRC. Also thanks for catching my little mistake there.

    16. Re:Unclear by noundi · · Score: 1

      What about software which ends up damaging your hardware? Or software which ends up damaging other software? How is malware defined? Surely this must be related to the topic at hand.

      --
      I am the lawn!
    17. Re:Unclear by VGPowerlord · · Score: 1

      They might be hoping to position Windows CE for that space. It is, after all, what it's designed for.

      Either that or its sibling Windows Mobile.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    18. Re:Unclear by Nimey · · Score: 1

      It'd be interesting where this falls under European "fitness for purpose" laws.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    19. Re:Unclear by John Hasler · · Score: 1

      CE was (supposedly) designed for embedded systems.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    20. Re:Unclear by Corporate Troll · · Score: 1

      No problem... When I Googled for "Windows XP EOL", I got that page too...

    21. Re:Unclear by Anonymous Coward · · Score: 0

      Microsoft XP SP2 isn't vulnerable if you would read the article instead of wasting your time digging up useless information. XP SP2 doesn't run by default any client listening services and the built in firewall already protects it, if of course you choose to open things up then you get what you asked for.

    22. Re:Unclear by Corporate Troll · · Score: 1

      To the moment one actually wants to use an operating system, for let's say that very uncommon thing called "printer and file sharing", you're toast? How wonderful.

    23. Re:Unclear by Disgruntled Goats · · Score: 1

      What part of "no software liability regulations" did you not understand?

    24. Re:Unclear by shentino · · Score: 1

      The McCoffee case was interesting.

      Yes she was a moron for putting hot coffee in her lap, but any substance that can give you THIRD degree burns is outrageously dangerous and could have burned her mouth anyway.

      As for knowingly selling defective software, the EULA is full of disclaimers so unless it can be proven that MS is somehow grossly negligent or reckless or otherwise beyond the protective reach of the EULA, it is immune.

    25. Re:Unclear by ThaReetLad · · Score: 1

      As I understand it these PCs are technically sold with a Vista licence, which is then downgraded to XP. I don't know whether that's enough to cover them, but I'm sure the MS lawyers are betting on it.

      --
      You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
    26. Re:Unclear by noundi · · Score: 1

      Look this has been thrown back and forth, but the bottom line is that water in liquid form won't get hotter than 100 degrees C, and as far as I know when you make coffee you boil the water up to 100 degrees C, always.

      --
      I am the lawn!
    27. Re:Unclear by shentino · · Score: 1

      100 C is 212 F and that's friggin hot.

    28. Re:Unclear by noundi · · Score: 1

      100 C is 212 F and that's friggin hot.

      How did you think one made coffee? She was a moron and the case was ridiculous. Anybody with half a brain knows that you boil water up to 100 C when making coffee. It's actually ridiculous that I'm trying to convince you of this.

      --
      I am the lawn!
    29. Re:Unclear by shentino · · Score: 1

      Actually, McD's was on the high end for coffee temperature. Not even Starbucks made it that hot. Nor, mind you, does my coffee machine.

      I find it ridiculous that I have to convince you that it was at least partly McD's fault here. She should have gotten most of the blame, I happily concede that without being asked.

      Serving boiling hot coffee is reckless. Even if she didn't put it in her lap, careless handling by the server could have just as easily caused the same injury.

    30. Re:Unclear by noundi · · Score: 1

      Actually, McD's was on the high end for coffee temperature. Not even Starbucks made it that hot. Nor, mind you, does my coffee machine.

      I find it ridiculous that I have to convince you that it was at least partly McD's fault here. She should have gotten most of the blame, I happily concede that without being asked.

      Serving boiling hot coffee is reckless. Even if she didn't put it in her lap, careless handling by the server could have just as easily caused the same injury.

      Really!? Here I thought any professional coffee machine, such as those used in restaurants and cafes boil it to 100 C, and sometimes above if it's an espresso machine, in which case you shoot even hotter steam through the ground beans. Go troll elsewhere. Oh and buy a new coffee machine, yours seems to be broken.

      --
      I am the lawn!
    31. Re:Unclear by shentino · · Score: 1

      The bottom line is that giving someone a cupful of boiling hot liquid is just asking for trouble if you do not warn them first. As far as coffee machines and boiling temperatures, the drops of coffee that percolate out of the grounds have cooled quite a bit by the time they get into the carafe, so they aren't boiling anymore.

      We expect warnings for all sorts of things these days, such as peanut allergies, toxic hairspray.

      Hell, even microwaved popcorn has warnings on it about hot steam.

      I'm tired of arguing this with you, and since you clearly can't see how dangerous it is for any place, McD's or no, to serve boiling hot liquid of any sort without proper warnings, I'm going to end this discussion here and now.

      If you're willing to fight to the bitter end to get the last word in, go right ahead. As for me, I have better things to do with my time than pound a cluestick into someone with a head as thick as yours.

    32. Re:Unclear by noundi · · Score: 1

      If you're willing to fight to the bitter end to get the last word in, go right ahead. As for me, I have better things to do with my time than pound a cluestick into someone with a head as thick as yours.

      Bravo, clap clap! You pull out claims out of your ass without providing anything proving your case, I provide a Wikipedia(!) link which clearly shows that you did in fact pull your "facts" out of your ass. Now you walk away as the bigger man. Bravo, that's just fantastic of you. As if it wasn't enough instead of actually being the bigger man and admitting you were wrong you try to prove your case by trying to angle it with:

      We expect warnings for all sorts of things these days, such as peanut allergies, toxic hairspray.

      So in your world knowing that "coffee is boiled, thus coffee is hot", is equal to knowing that some substances in your hairspray, which you have never even heard of before, are toxic.

      No really, you are the bigger man here -- clearly. Go spend your time in that wise way of yours, while the rest of us idiots stay here and provide data with our claims.

      --
      I am the lawn!
    33. Re:Unclear by Anonymous Coward · · Score: 0

      What nuance of "essentially" did you not understand?

    34. Re:Unclear by camg188 · · Score: 1

      It is unclear how large a threat this is to the end user.

      http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
      For XP SP2 and SP3, maximum security impact is denial of service attack, no remote code execution.

    35. Re:Unclear by coastwalker · · Score: 1

      Thanks, that makes it pretty clear:
      "Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks."

      So the built in firewall should provide protection.

      --
      Facts are history now plebs have politics for religion on social media.
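The bulletin text quoted above turns on which TCP ports a host actually exposes and on spotting a sustained flood against them. As an added example (not part of the thread or of Microsoft's bulletin), this Python script parses `netstat -an` output, lists listeners bound to non-loopback addresses, and tallies inbound connections per remote host; the sample output, function names and threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       203.0.113.7:40112      ESTABLISHED
  TCP    192.168.1.20:445       203.0.113.7:40113      ESTABLISHED
  TCP    192.168.1.20:445       203.0.113.7:40114      FIN_WAIT_1
  TCP    192.168.1.20:1050      198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; also handles '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return host, int(port)


def parse_tcp_rows(text):
    """Return (local, remote, state) for every TCP row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Headers, blank lines and UDP rows (which have no state column) fall out here.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        rows.append((split_endpoint(fields[1]),
                     split_endpoint(fields[2]),
                     fields[3].upper()))
    return rows


def exposed_listeners(rows):
    """Ports listening on a non-loopback address: what a firewall has to cover."""
    ports = set()
    for (host, port), _remote, state in rows:
        if state == "LISTENING" and not ipaddress.ip_address(host).is_loopback:
            ports.add(port)
    return sorted(ports)


def inbound_by_remote(rows, listeners):
    """Count connections to listening ports per (remote host, local port, state)."""
    tally = Counter()
    for (_lhost, lport), (rhost, _rport), state in rows:
        if state != "LISTENING" and lport in listeners:
            tally[(rhost, lport, state)] += 1
    return tally


def flood_suspects(tally, threshold):
    """Remote hosts holding at least `threshold` connections to one listening port.

    The threshold is an assumption; tune it to the host's normal load.
    """
    per_remote = Counter()
    for (rhost, lport, _state), count in tally.items():
        per_remote[(rhost, lport)] += count
    return sorted(key for key, count in per_remote.items() if count >= threshold)


if __name__ == "__main__":
    rows = parse_tcp_rows(SAMPLE_NETSTAT)
    listeners = exposed_listeners(rows)
    print("Exposed TCP listeners:", listeners)
    tally = inbound_by_remote(rows, listeners)
    for (rhost, lport, state), count in sorted(tally.items()):
        print(f"{rhost} -> port {lport}: {count} x {state}")
    print("Possible flood sources:", flood_suspects(tally, threshold=3))
```

Run it against real `netstat -an` output captured on the host; the listener list shows what the firewall rules need to block from untrusted networks.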
    36. Re:Unclear by Anonymous Coward · · Score: 0

      No, support for XP w/o service packs has ended. Still supported if you've installed SP3

    37. Re:Unclear by EvanTaylor · · Score: 1

      The part of that case that no one remembers is that McDonalds in particular had been warned on multiple occasions by whatever inspector (health?) for the local gov that its coffee was too hot.

      Hence why they deserved to lose that case.

      IIRC it was something over 170 degrees. It was crazy hot.

      --
      Sleep is for the weak.
  3. In other words by mc moss · · Score: 3, Insightful

    "not feasible"

    yeah right, more like MS wants people to move onto Windows 7

    1. Re:In other words by DrWho520 · · Score: 1

      How well will 7 run on a netbook? Considering the main purpose (in my mind, anyway) of a netbook is as a thin web client, having an un-patched hole in the TCP/IP stack of an OS makes it "not feasible" for installation on a netbook in my mind. I am not certain anyone with an XP netbook can move on to 7.

      --
      The cancel button is your friend. Do not hesitate to use it.
    2. Re:In other words by tgd · · Score: 1

      Better than XP, actually.

      My old Dell X1 and my Mini9 both run far better on W7 than XP, although the Mini9 has OSX on it now.

  4. XP/2003 by Anonymous Coward · · Score: 1, Interesting

    I thought the code for Windows 2003 and Windows XP was mostly identical. As a currently shipping product isn't that a violation of some states/countries warranty/merchantability laws?

    1. Re:XP/2003 by bsharp8256 · · Score: 0, Funny

      Well, they are mostly identical. XP was released in 2001, in the dark age of computing. 2003, released in (you guessed it!) 2003 is two years newer, so it's still patchable. Duh.

    2. Re:XP/2003 by Malc · · Score: 1

      XP x64 and 2003 Server, not the 32-bit version of XP. That said, the difference between NT 5.2 and 5.1 is much smaller than that between 5.1 and 5.0.

    3. Re:XP/2003 by xOneca · · Score: 1

      And I thought Windows XP was based on NT (New Technology). Then why are we talking about code that is 12 to 15 years old in its origin?

    4. Re:XP/2003 by VGPowerlord · · Score: 1

      And I thought Windows XP was based on NT (New Technology). Then why are we talking about code that is 12 to 15 years old in its origin?

      Because, despite being released in 1993, Windows NT is still built on newer technology than the existing Windows line of the time. Remember that Windows 95-ME still ran on DOS, even if it was built in and they tried to hide it.

      Windows NT 3.1 (the first version of NT) was released in July 1993, making it 16 years old.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    5. Re:XP/2003 by bami · · Score: 1

      Windows NT was released in mid '93, so if they kept parts of it in their current codebase of XP, then yes, it has parts that are 12 to 15 years old.

    6. Re:XP/2003 by Gallomimia · · Score: 1

      I'm waiting for companies to drop Microsoft Operating Systems solely on the basis that they will be able to finally fire the IT guy on their staff whose sole job is to keep track of all the different versions of "windows", and which of their computers are running them and why.

      --
      Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
  5. Infeasible? by YuppieScum · · Score: 5, Funny

    That's unpossible!

    --
    This sig left unintentionally blank.
    1. Re:Infeasible? by L4t3r4lu5 · · Score: 1

      You're speaking nosense!

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:Infeasible? by commodore64_love · · Score: 2, Interesting

      There's nothing wrong with inventing words.

      "Colonize" didn't exist until the printer Benjamin Franklin started using it (and the British printers criticized him for turning a noun into a verb). These are called inkhorn words, because it's as if they magically sprung from the ink well. Some succeed while others like Bush's "misunderestimate" or Jefferson's "undamage" did not.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    3. Re:infeasible? by zotz · · Score: 1

      Kind of like inflammable huh? But not quite.

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    4. Re:Infeasible? by kimvette · · Score: 1

      What's your problem? "infeasible" is perfectly cromulent!

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    5. Re:Infeasible? by Chapter80 · · Score: 5, Funny

      Verbulating is commonstuff. What's surprisamazing is that the hypermajority of communicenglishers can simpquickly graspulate the vocabulextension.

    6. Re:Infeasible? by Chapter80 · · Score: 1

      Verbulating is commonstuff. What's surprisamazing is that the hypermajority of communicenglishers can simpquickly graspulate the vocabulextension.

      2 sentences. 16 words, 8 of which were made up. Yet you probably understood.

    7. Re:Infeasible? by Artefacto · · Score: 1

      Actually "infeasible" is a valid word: http://www.dict.org/bin/Dict?Form=Dict2&Database=*&Query=infeasible , it's the same as "unfeasible". Moreover, "in-" is the typical prefix for words of Latin origin, so it would be more likely to exist than "unpossible".

    8. Re:Infeasible? by radish · · Score: 1

      All words are invented at some point. This particular one was invented in 1525 according to dictionary.com. I have to say this little thread confused the hell out of me for a while because I use "infeasible" pretty commonly, I guess some people just aren't familiar with it. Thought I was going mad...

      --
      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
    9. Re:Infeasible? by Minwee · · Score: 1

      Verbulating is commonstuff. What's surprisamazing is that the hypermajority of communicenglishers can simpquickly graspulate the vocabulextension.

      Horror show. You could peet it with vellocet or synthemesc or drencrom or one or two other veshches.

    10. Re:Infeasible? by Anonymous Coward · · Score: 0

      This is an historic post.

    11. Re:infeasible? by Yosho · · Score: 1

      Oh, Dusty. In-feasible is when you're MORE than feasible. This TCP/IP fix, it's not just feasible, it's IN-feasible.

      Um, there's not much else to say about this other than you're completely wrong. http://dictionary.reference.com/browse/infeasible says:

      -adjective
      not feasible; impracticable.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    12. Re:Infeasible? by geekoid · · Score: 1

      And that is why English is a fantastic language.

      Hard to learn to use it 'by the book' but easy to learn and communicate complex ideas in without following all the rules.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    13. Re:Infeasible? by Anonymous Coward · · Score: 0

      And that is why English is a fantastic language.

      Hard to learn to use it 'by the book' but easy to learn and communicate complex ideas in without following all the rules.

      Or, English is to natural languages as Linux is to operating systems.;)

    14. Re:Infeasible? by Anonymous Coward · · Score: 0

      "Colonize" didn't exist until the printer Benjamin Franklin started using it (and the British printers criticized him for turning a noun into a verb)

      That's because verbing weirds language!

    15. Re:Infeasible? by wiredlogic · · Score: 1

      Most of us figured out how to aspirate our aiches years ago.

      --
      I am becoming gerund, destroyer of verbs.
    16. Re:Infeasible? by Kenshin · · Score: 1

      "Or, English is to natural languages as Linux is to operating systems.;)"

      Nah, French is closer to Linux: Spoken by a vocal minority who are infuriated and don't understand why most people would choose to speak the "inferior" language of English.

      English is like Windows: A clunky mess full of inconsistencies, but everyone uses it and it gets the job done.

      --
      Does it make you happy you're so strange?
    17. Re:Infeasible? by ThatsNotPudding · · Score: 1

      Sounds like a perfectly cromulent argument to me.

    18. Re:Infeasible? by PitaBred · · Score: 1

      I heard someone much more clever than I once say that verbing weirds language

    19. Re:Infeasible? by oatworm · · Score: 1

      So... it's Perl? Dear God... we are through the looking glass!

    20. Re:Infeasible? by Anonymous Coward · · Score: 0

      Mod parent up +1: MSPaint adventures.

      I am going to use the word 'graspulate' frequently in conversation from now on.

    21. Re:Infeasible? by Dachannien · · Score: 1

      Vizzini: Infeasible!
      Inigo: You keep using that word. I do not think it means what you think it means.

    22. Re:Infeasible? by mjwx · · Score: 1

      Verbulating is commonstuff. What's surprisamazing is that the hypermajority of communicenglishers can simpquickly graspulate the vocabulextension.

      Congratulations, you've turned English into German.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    23. Re:Infeasible? by Anonymous Coward · · Score: 0

      Note that google returns only 12 hits for the word 'Verbulating'.

      Ain't that the ultimate arbiter for E'glish?

  6. Upgrade or Else by Cryophallion · · Score: 4, Interesting

    So, basically, upgrade or you'll be hacked?

    Two questions:
    1. Does 7's XP mode potentially have this issue, or is there a compatibility layer so XP doesn't talk directly to the network?
    2. They seemed to be able to make massive security updates for code that was that old, and still patch a number of other issues. What about this REALLY makes it so hard to code?

    In the end, while I understand not wanting to waste resources on way older products, I think it is a marketing move.

    1. Re:Upgrade or Else by jonbryce · · Score: 3, Insightful

      The XP virtual machine is not accessible from outside as it talks via a NAT router. Any attack would need to come from the Windows 7 host machine, but if that was pwned, there are many other ways to attack the XP virtual machine.

    2. Re:Upgrade or Else by FaxeTheCat · · Score: 2, Informative

      >So, basically, upgrade or you'll be hacked?

      No. It is a DoS attack. It will not even crash your computer. For the average user, it is harmless.

      Quote from MS:
      The DoS attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity Low for Windows XP.

    3. Re:Upgrade or Else by Anonymous Coward · · Score: 1, Informative

      Can people PLEASE actually read the security bulletin? I'm not an MS fan by any means, but a quick review of the actual notice shows that the impact on 2000/XP systems is denial of service, not remote code execution. That's still bad, but nobody on XP will get "hacked" this way.

    4. Re:Upgrade or Else by b4dc0d3r · · Score: 1

      We don't know what the impact is. Several security holes have been classified as "important" because it's only a DoS, then someone figures out how to exploit it, and all of a sudden it's "critical".

      We don't have the source, so we can only trust them. They have a vested interest in making security problems look as innocuous as possible.

      I spent 15 mins moderating, then got here and had to post. We can't trust someone with a history of getting it wrong, when that person won't show us proof.

      One flaw reclassified (read the first comment):
      http://voices.washingtonpost.com/securityfix/2005/11/exploit_for_unpatched_ie_flaw_1.html

      Outlook DoS reclassified as remote code execution:
      http://www.computerweekly.com/Articles/2004/03/15/201044/ms-outlook-hole-is-more-serious-than-first-thought.htm

    5. Re:Upgrade or Else by Cryophallion · · Score: 1

      Read my post - I was saying this will turn into marketing speak to get companies to upgrade. I was not alluding that such hacking could/would occur.

      Most CEOs don't read security bulletins - they do however hear that flaws are no longer being fixed.

  7. making Vista/Win7 look good by Clover_Kicker · · Score: 2

    How very serendipitous for Microsoft, people now have a reason to upgrade from XP.

    I ran W2K on my desktop until a couple of years ago, i.e. until the patches stopped coming W2K did everything I needed.

    Guess I'll have to consider Win7 now...

    1. Re:making Vista/Win7 look good by polar+red · · Score: 1

      W2K did everything I needed.

      it still does.

      --
      Yes, I'm left. You have a problem with that?
    2. Re:making Vista/Win7 look good by Clover_Kicker · · Score: 1

      Yeah but hardly any bugfixes make it to W2K these days, why tempt fate?

    3. Re:making Vista/Win7 look good by Anonymous Coward · · Score: 0

      Whatever happened to MS's lifecycle support policy?

      From their site:

      Microsoft will offer a minimum of 10 years of support for Business and Developer products. Mainstream Support for Business and Developer products will be provided for 5 years or for 2 years after the successor product (N+1) is released, whichever is longer. Microsoft will also provide Extended Support for the 5 years following Mainstream support or for 2 years after the second successor product (N+2) is released, whichever is longer. Finally, most Business and Developer products will receive at least 10 years of online self-help support.

      Take a look

      Considering XP was released on Dec 31 2001, I'd say they're still 'on the hook' until 2011. They even say "5 years or 2 years after the successor product [Vista] is released, whichever is longer". That makes it 2012. Or "2 years after the second successor product", whichever is longer (2011). And that's just the Mainstream support, they say they'll continue with "security patches for 5 years" after mainstream support fades. I would consider remote code execution a security risk, guess Microsoft feels differently.

    4. Re:making Vista/Win7 look good by polar+red · · Score: 1

      Mine never crashes, and a good firewall + antivirus should cover *nearly* every contingency. (AS IF Xp or vista/win7 is perfect HAH!)

      --
      Yes, I'm left. You have a problem with that?
    5. Re:making Vista/Win7 look good by VGPowerlord · · Score: 1

      Personally, I think Microsoft should be on the hook to fix it, too, but I at least understand their logic.

      Considering XP was released on Dec 31 2001, I'd say they're still 'on the hook' until 2011. They even say "5 years or 2 years after the successor product [Vista] is released, whichever is longer". That makes it 2012. Or "2 years after the second successor product", whichever is longer (2011). And that's just the Mainstream support

      Your math is funny.

      "5 years or 2 years after the successor product [Vista] is released, whichever is longer".

      XP was released in December 2001.
      Vista was released in January 2007.

      2001.12 + 5.0 = 2006.12
      2007.01 + 2.0 = 2009.01

      2006.12 < 2009.01

      In other words, Mainstream support for XP ended back in January 2009.

      they say they'll continue with "security patches for 5 years" after mainstream support fades. I would consider remote code execution a security risk, guess Microsoft feels differently.

      The extended support phase is currently underway, and will end in... well, let's figure that out really quickly.

      2009.01 + 5.0 = 2014.01
      2009.10 + 2.0 = 2011.10

      2014.01 > 2011.10

      Extended support ends in January 2014.

      However, this is a DoS attack, which isn't a security problem. It's also mitigated with a firewall.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    6. Re:making Vista/Win7 look good by Anonymous Coward · · Score: 0

      I considered Ubuntu instead, so far I'm pleased.

    7. Re:making Vista/Win7 look good by Clover_Kicker · · Score: 1

      Does it play Civ 4 and City of Heroes?

    8. Re:making Vista/Win7 look good by Anonymous Coward · · Score: 0

      it still does.

      Not if one of the requirements he has is a constant stream of security bugfixes. Microsoft is not going to be releasing any patches for any exploits found in Win2k, so if security fixes are something that he needs then it does not "still do" what he needs.

      I also am part of that small community of people who used Win2k until they stopped releasing security related bug fixes. I switched to Windows XP. But I regularly install new Linux distros. If I someday find one that supports all my hardware I will leave MS for good. But right now there is no distro that lets me use WPA with my wireless card and most distros do not easily recognize my SD card from my camera when I insert it. So until Linux catches up with my hardware, I am stuck with XP.

    9. Re:making Vista/Win7 look good by Clover_Kicker · · Score: 1

      If I hadn't bought a new PC I probably wouldn't have bothered to reformat and upgrade, but I just couldn't see installing W2K on a new machine in 2007.

  8. Seriously! by ShivSena · · Score: 1

    So now they are going to force us to upgrade to Windows 7 sooner rather than later?

    1. Re:Seriously! by Anonymous Coward · · Score: 0

      What do you mean "sooner?" This is later already. How many times has Microsoft pushed back the date they'd cease supporting XP?

    2. Re:Seriously! by Anonymous Coward · · Score: 0, Troll

      He means sooner rather than later because he is talking about upgrading to Windows 7 not upgrading from XP. Take a reading comprehension class.

    3. Re:Seriously! by cepayne · · Score: 1

      MS is probably pondering the ways to sell all of the exploits in XP/2K to the world's hackers to ensure that everyone upgrades to Win7.

  9. That's why I like open source by jgardia · · Score: 5, Interesting

    well, that's one of the positive aspects of the open source code. If the main developer doesn't want to fix something, then someone else can do it.

    1. Re:That's why I like open source by Archeopteryx · · Score: 1

      The exploit is known...

      So somebody needs to turn the exploit into a patch.

      Shouldn't be that hard.

      --
      Dog is my co-pilot.
    2. Re:That's why I like open source by Anonymous Coward · · Score: 0

      That's exactly why MS should release MicrosoftBob open source.

    3. Re:That's why I like open source by timeOday · · Score: 2, Funny

      The exploit is known... So somebody needs to turn the exploit into a patch. Shouldn't be that hard.

      No, it's "infeasible," Microsoft said so! Are you calling them a liar !?

    4. Re:That's why I like open source by rpgdude · · Score: 0

      well, that's one of the positive aspects of the open source code. If the main developer doesn't want to fix something, then someone else can do it.

      Looks like Richard Stallman was right.

    5. Re:That's why I like open source by Anonymous Coward · · Score: 0

      but most of the time they don't

    6. Re:That's why I like open source by Kanasta · · Score: 1

      too bad nobody wants to fix 99.9% of open source bugs
      "the code is here, fix it yourself" and "get off my lawn"
      are the most common responses to a support request

  10. Question by bjackson1 · · Score: 5, Interesting

    Isn't the codebase for XP and Windows 2003 essentially the same? Why can't the 2003 patch be modified? I don't remember reading that the TCP/IP stack was that different in 2003.

    1. Re:Question by Anonymous Coward · · Score: 5, Funny

      You are forgetting that code ages overtime. I think it has something to do with the proteins and atoms. That is why they have to make new versions.

    2. Re:Question by Amnenth · · Score: 3, Informative

      XP and 2003 are distinct at the 32-bit level.

      However. XP x64 is actually just Server 2003 x64 rebadged.

    3. Re:Question by Anonymous Coward · · Score: 1, Informative

      Ya. I agree - I'd think 2003 & XP similar to fix.

      Also - what about the netbooks that are still sold today with XP because Vista's such a hog?

    4. Re:Question by mcgrew · · Score: 1

      No, it's rust. If Microsoft would just use more oil in their software it would last longer.

    5. Re:Question by lightperson · · Score: 1

      You are forgetting that code ages overtime. I think it has something to do with the proteins and atoms. That is why they have to make new versions.

      Actually, it's telomeres, strings of non-coding characters at the ends of programs or parts of programs. Each time a program is used, but mostly when it is copied some of the non-coding characters are lost. That's fine until it's used up. Then actual code is lost and the software starts to misbehave. This process guarantees that software ages and dies, ensuring profits for the designers of future iterations. This process works so well that the original designers of biological forms on this planet used the same process, adding strings of non-coding DNA to the ends of chromosomes. They even called them telomeres. Molecular biologists are trying to add telomeres to the shortening ends with something called telomerase. Microsoft is bribing and suing them to stop their work.

    6. Re:Question by Anonymous Coward · · Score: 0

      Starting with XP Service Pack 2 they limited the XP TCP/IP stack to 10 half open connections. This is more likely a licensing thing than hardcoded, I'm not sure there are any other differences.

    7. Re:Question by tsstahl · · Score: 1

      You are forgetting that code ages overtime. I think it has something to do with the proteins and atoms. That is why they have to make new versions.

      Close. Code depends on jacksons and benjamins for sustained life. Now if only Microsoft were still receiving some of that for their code... :o

    8. Re:Question by ElmoGonzo · · Score: 1

      My guess would be that MS won't be all that unhappy if people get the idea that XP is "dangerous" compared to Vista and 7.

    9. Re:Question by afidel · · Score: 1

      Actually Server 2003 X64 is the XP x64 code path with the Server specific stuff built on, remember that XP x64 came out quite a bit before Server 2003 x64 did.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    10. Re:Question by Anonymous Coward · · Score: 0

      Win2k3 is a significantly newer codebase than WinXP. However, WinXP64 and Win2k3 are the same codebase (which means WinXP32 and WinXP64 are significantly different under the covers).

    11. Re:Question by Duhavid · · Score: 1

      "You are forgetting that code ages overtime."

      That is why I don't pay my code overtime. That way it does not age.

      --
      emt 377 emt 4
    12. Re:Question by Amnenth · · Score: 1

      Sorry, I should've been more specific. I refer specifically to 'Windows XP Professional x64 Edition,' the version actually made for amd64 architecture.

      The Itanium version came before Server 2003, yes. Amd64 codebase came around in 2005, though.

      Wikipedia: Windows XP Professional x64 Edition

  11. 15 years old by vxvxvxvx · · Score: 5, Insightful

    While the code may very well be 15 years old, that does not really matter to the user. What matters is how long ago Microsoft sold the product. If they sell software today that uses some code written 15 years ago you should be able to expect security updates for some period of time. Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.

    1. Re:15 years old by Anonymous Coward · · Score: 5, Insightful

      This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.

    2. Re:15 years old by ericlondaits · · Score: 2, Informative

      From the article:

      In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

      Microsoft has been selling Windows XP SP2 and SP3 for some time now. I really wouldn't expect them patching plain old XP.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    3. Re:15 years old by mcgrew · · Score: 2, Insightful

      Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.

      If a defect in a 1994 Taurus was found, Ford would recall the vehicles at great expense to them. Especially if it was a design defect in an engine that was basically used in an engine still produced for a 2003 Taurus.

      There is NO excuse for any software company to NOT patch security holes in any product, no matter how old.

    4. Re:15 years old by Spad · · Score: 0, Troll

      Microsoft stopped selling XP as a product last June.

    5. Re:15 years old by kimvette · · Score: 2, Insightful

      And yet, it is still available through OEM channels. Maybe distributors are ordering it through a wormhole?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    6. Re:15 years old by tepples · · Score: 2, Insightful

      This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.

      The article mentioned an effective workaround: turn on Windows Firewall.

    7. Re:15 years old by Anonymous Coward · · Score: 0

      2009-15=1994.... ? So they just used the same TCP stack for XP that they used in 95 or NT 3.51? Windows XP was released in 2001, which would place the "first public release" of code at 8 years old. It's been patched a few times since then.

      I'm starting to believe one of the other posts above, where the poster believes Microsoft is just trying to find an excuse to use to get people to bump up to Windows 7

      (and on a side note, since the XP stack is built off of the FreeBSD stack, couldn't it be claimed the code, or at least part of it, is even older than 15 years but Microsoft still patched it in XP?)

    8. Re:15 years old by cjjjer · · Score: 1

      You also have to look at who you bought the product from. Only OEM builders get XP now and MS has a policy that if you have a problem with your Dell, Acer, HP, Compaq, etc., etc. guess who you go to when it comes to support, not MS but the OEM. If OEMs want to buy and sell out of date software to its users then why is it MS's duty to support it. Especially when they have already given the end of life support to the OEMs.

      To me this is an OEM issue now not a MS issue.

    9. Re:15 years old by drinkypoo · · Score: 1

      If a defect in a 1994 Taurus was found, Ford would recall the vehicles at great expense to them. Especially if it was a design defect in an engine that was basically used in an engine still produced for a 2003 Taurus.

      Actually, you have that totally backwards. An engine defect in a 1994 Taurus would IN NO WAY prompt a recall. It's not life threatening. A seatbelt defect, or a major design defect in a hub carrier, would be worth a recall. And the same engines aren't used in 1994 and 2003 Taurii. Even if they were, Ford changes numbers and meaningless design details which introduce incompatibilities. They would claim it doesn't happen on the older vehicles, and push out a TSB for the new ones. Only vehicles which failed within a certain period would be eligible for the recall.

      Those who do not understand the lessons of history...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:15 years old by Nimey · · Score: 0, Redundant

      Hush, you're interrupting our fifteen-minute hate.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    11. Re:15 years old by L4t3r4lu5 · · Score: 0, Redundant

      This needs to be the first post so people stop flaming.

      Wait, this is /. ...

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    12. Re:15 years old by dnahelicase · · Score: 1

      Except, I bought a brand new Dell just yesterday that has XP. It's not a netbook either, but a high-end business machine. It's also available in retail boxes at my local Staples store and Wal-Mart, in both Home and Pro versions - even the upgrade versions! It seems if it were old enough not to support then retailers wouldn't still be carrying it. I might not be the greatest businessman, but I know stores don't tend to keep inventory on the shelf that is too "old" to sell.

    13. Re:15 years old by dnahelicase · · Score: 0, Redundant

      stop pointing out stuff like that. We don't RTFA!

    14. Re:15 years old by DrWho520 · · Score: 1

      Does buying a new netbook with XP installed count as a product?

      --
      The cancel button is your friend. Do not hesitate to use it.
    15. Re:15 years old by VGPowerlord · · Score: 1

      Except, I bought a brand new Dell just yesterday that has XP. It's not a netbook either, but a high-end business machine. It's also available in retail boxes at my local Staples store and Wal-Mart, in both Home and Pro versions - even the upgrade versions! It seems if it were old enough not to support then retailers wouldn't still be carrying it. I might not be the greatest businessman, but I know stores don't tend to keep inventory on the shelf that is too "old" to sell.

      If a store or company bought X of a product, they're not going to stop selling it just because the manufacturer stopped making it.

      Particularly if people are still willing to buy it. They may clearance it to get rid of it if they think it won't sell, but they're not going to just throw it out; they've already paid money for it!

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    16. Re:15 years old by giorgist · · Score: 1

      The fix is an upgrade path to Windows 7

      G

    17. Re:15 years old by loupgarou21 · · Score: 1

      Yeah, turn on windows firewall and make sure you're not running any listening services like remote desktop. It's not like anyone would ever want to run Remote Desktop, especially not the IT department in a large company. And even if the IT department in a large company was running Remote Desktop on everyone's computers, it's not like anyone would ever write a virus capable of exploiting the hole that someone could accidentally install on their computer, behind the company firewall.

    18. Re:15 years old by hughk · · Score: 1

      Microsoft has tried to kill off Linux in the Netbook world, so most Netbooks ship with an OEM copy of XP, being far too small for Vista.

      --
      See my journal, I write things there
    19. Re:15 years old by mcgrew · · Score: 1

      Yes, yours is a better analogy. A security hole that allows an attacker is akin to a defective seat belt, and a security hole that allows your PC to become part of a botnet is akin to defective brakes since it affects more than just you.

    20. Re:15 years old by penguinbrat · · Score: 1

      ...do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability

      Why couldn't other software have this 'listening service' and therefore be vulnerable?

      From the security bulletin, XP SP2/3 and XP PRO x64 SP2 are vulnerable (DOS). "This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing." - Just because one certain piece of software isn't vulnerable to this attack vector, doesn't mean another wouldn't...

      The bug(s) are still there, sounds like they are just searching for reasons not to fix them, FTFA...

      Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."

    21. Re:15 years old by Anonymous Coward · · Score: 0

      It's still a bug in SP3, unless you consider it acceptable to say I can't ever turn on a listening service.

  12. I agree by ZekoMal · · Score: 2, Insightful

    When you release something and then release something else, you should stop supporting the previous thing so that everyone is forced to buy the new one, even if it isn't necessarily better. You know, kind of like if Sony told you to take your PS2 and stuff it if something went wrong with it because the PS3 is out now.

    MS hate aside, they're just doing what they've always done. We don't get our panties in a knot when they don't release a Win 98 patch, do we? With Win 7 on our doorstep, there is no reason for MS to be supporting three separate OS. Well, aside from customer service. I just sort of shrug my shoulders and deal with it. Anyone running XP knows they're doing it because Vista/7 don't appeal to them; deal with the consequences.

    1. Re:I agree by commodore64_love · · Score: 1, Redundant

      You make a good point. Microsoft's other main competitor, Apple, doesn't provide service updates for anything older than 10.5 (2007). Why should MS support anything older than that?

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    2. Re:I agree by Anonymous Coward · · Score: 0

      Because Microsoft has to compete by functionality not marketing alone. Because Apple doesn't have the massive market share to lose in corporate environments that MS has.

    3. Re:I agree by Anonymous Coward · · Score: 0

      And that's the kind of reasoning that screws over the customer time and time again - "Competitor X does this, so we can get away with it too". Competitor X are a bunch of DICKS, and shouldn't be doing that in the first place.

    4. Re:I agree by mcgrew · · Score: 1

      You know, kind of like if Sony told you to take your PS2 and stuff it if something went wrong with it because the PS3 is out now.

      Well, I guess since Sony rooted their customers' computers it's ok for everybody to root their customers' computers then?

      We don't get our panties in a knot when they don't release a Win 98 patch, do we?

      I do. If your 1998 Chevy is found to have a safety defect (akin to a security hole in software), Chevy will recall the cars at great expense. Fixing safety or security defects is NOT simply customer service. If YOUR win 98 PC becomes part of a botnet, that affects ME, even if I have a Mac or Linux, and Microsoft is the only one who can remedy the situation that their own incompetence. If an engineer designs a defect into a machine, he fucked up. Nobody's perfect, but one should always fix their mistakes whenever possible.

    5. Re:I agree by theapeman · · Score: 1

      Because MS is still selling XP?

    6. Re:I agree by 99BottlesOfBeerInMyF · · Score: 1

      Microsoft's other main competitor, Apple, doesn't provide service updates for anything older than 10.5 (2007).

      Apple isn't really competing as they don't license their OS to OEMs. OEMs putting together computer systems have Windows as their only choice in most cases, with Linux distributions being the largest alternative (from a market perspective).

      As for support duration, the relevant figure here is how long after a company stops selling an OS do they continue to provide security patches. Apple is still providing patches for 10.4 as they released a patch 5 days ago. That's 4.5 years and counting since they stopped selling it. They have not provided a patch for 10.3 since April 2005, meaning they supported it for about 2 years after they stopped selling it.

      Compare this to MS's licensing of XP, which last I heard they were still selling to OEMs for inclusion in new NetBooks. Just because they created it many years ago does not matter one bit if users are still buying new products with that component. That would be like buying a brand new car, having the brakes fail and then having Ford tell you they are not covered by the warranty because they designed those brakes ten years ago, so they're too old to provide decent pads for.

      In short, if Windows XP is too old for MS to provide support for, they should have stopped licensing it to OEMs many years ago. Which they of course wanted to, but they failed to provide OEMs and large enterprises with anything as good as XP with which they could replace it.

    7. Re:I agree by ZekoMal · · Score: 1

      Microsoft XP is not hardware. This would be like if your 1998 Chevy's....air conditioner broke down and you threw a fit that they wouldn't fix it. Buy a new A/C. Now, if Microsoft XP was the actual computer and IT had a safety defect, yes, your car analogy would make sense. Right now you're claiming that software is just as deadly and impossible to replace as hardware. In the case of replacing a computer, unless you buy the same thing it'll probably cost several hundred dollars, thousands if you buy it premade and snappy. If you need to replace software because it's no longer supported...it's not like it's particularly expensive (some options are free).

      Or, uh, this would be like saying "Catz 3 doesn't work on my Vista computer, the makers of Catz 3 MUST fix this problem even though Catz 5 is out and works with Vista".

    8. Re:I agree by Anonymous Coward · · Score: 0

      You make a good point. Microsoft's other main competitor, Apple, doesn't provide service updates for anything older than 10.5 (2007). Why should MS support anything older than that?

      Ummm, because THEY PROMISED THAT THEY WOULD SUPPORT IT, and many customers factored that into their purchasing decisions.

      You probably can't sue Microsoft for flaws in their products, but I'm sure you can sue Microsoft for false advertising.

    9. Re:I agree by Anonymous Coward · · Score: 0

      Because MS is still actively selling XP?

    10. Re:I agree by ffreeloader · · Score: 0

      Stop beating your straw man to death. Your argument is not only irrelevant, it's completely misleading. Why? Because MS is still selling XP on new computers.

      If you could go down to your local Chevy dealer today and buy a brand new 1998 Chevy Impala, and the AC broke on your new Impala Chevrolet the day after you drove it off the lot, General Motors would have to repair the AC under warranty. What's more, they would still have to be manufacturing replacement parts. How long a product has been on the market is irrelevant, if it is still being sold as a new product on a daily basis.

      The above example holds true for XP. I can go down to BB, go online to NewEgg, or to any one of hundreds of different retailers, and buy a brand new netbook with XP on it. That means MS is still selling shiny new copies of XP. That makes the age of the code in XP irrelevant as XP is still a current product.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    11. Re:I agree by VGPowerlord · · Score: 1

      Stop beating your straw man to death. Your argument is not only irrelevant, it's completely misleading. Why? Because MS is still selling XP on new computers.

      Speaking of straw men, Microsoft doesn't sell computers.

      If you could go down to your local Chevy dealer today and buy a brand new 1998 Chevy Impala, and the AC broke on your new Impala Chevrolet the day after you drove it off the lot, General Motors would have to repair the AC under warranty. What's more, they would still have to be manufacturing replacement parts. How long a product has been on the market is irrelevant, if it is still being sold as a new product on a daily basis.

      As I understand it, GM has partial ownership in its dealerships. That's why GM is closing down dealerships because it can't meet demands. The dealership I bought my last GM car from is closing... I don't remember when, but they sent letters out to all their customers about it.

      The above example holds true for XP. I can go down to BB, go online to NewEgg, or to any one of hundreds of different retailers, and buy a brand new netbook with XP on it. That means MS is still selling shiny new copies of XP. That makes the age of the code in XP irrelevant as XP is still a current product.

      See what I said about GM and partial ownership.

      Microsoft sells boxed copies to Best Buy and NewEgg. Once they have those copies, they own them until they re-sell them. Under the doctrine of first sale, Microsoft can't say "Stop selling these and throw them away." MS can offer to buy them back, but BB can choose whether or not to do that.

      Dell buys licenses in bulk. The same rule as above applies to those. Microsoft can try to pressure them, but Dell is a gigantic company with lots of resources... and lawyers.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    12. Re:I agree by mcgrew · · Score: 1

      If the AC breaks you pay to have it serviced. If a factory defect or design flaw is found, it will be fixed at Chevy's expense.

      Indeed, XP is not hardware, which makes the situation even more intolerable. Software doesn't break. If it doesn't work properly it was poorly designed.

      Now, if Microsoft XP was the actual computer and IT had a safety defect, yes, your car analogy would make sense.

      If there's a bug that simply crashes your computer that could be argued (not by me) that it was akin to your AC breaking. A security hole on XP IS a danger, both to you, the XP user and me, the Linux user.

      Can't get software for Win 98 any more? That's not MS's problem, it's yours. Win 98 has a security hole that makes it easy to pwn? That IS Microsoft's fault and damned well should be their problem.

    13. Re:I agree by ffreeloader · · Score: 0

      Speaking of straw men, Microsoft doesn't sell computers.

      Who said they did?

      As I understand it, GM has partial ownership in its dealerships. That's why GM is closing down dealerships because it can't meet demands. The dealership I bought my last GM car from is closing... I don't remember when, but they sent letters out to all their customers about it.

      So?

      See what I said about GM and partial ownership.

      Microsoft sells boxed copies to Best Buy and NewEgg. Once they have those copies, they own them until they re-sell them. Under the doctrine of first sale, Microsoft can't say "Stop selling these and throw them away." MS can offer to buy them back, but BB can choose whether or not to do that.

      Dell buys licenses in bulk. The same rule as above applies to those. Microsoft can try to pressure them, but Dell is a gigantic company with lots of resources... and lawyers.

      So, you're claiming the doctrine of first sale says MS doesn't have to support its products? Wow. What a masterpiece of irrefutable logic. I guess that means that any product a retailer buys from a manufacturer to sell to consumers is never covered by any warranty. You do know that every household appliance, piece of computer hardware, garment, TV, stereo, entertainment center, piece of furniture, etc... would fall under your idiotic claim, don't you? Every retailer of manufactured goods purchases every product they sell, before they sell it to their customers. So, I guess you'll never make a single warranty claim on any product you buy from now on, as you believe every product you buy is covered by the doctrine of first sale. Thus no matter what you're buying, you're buying it second hand.

      I can't believe the imbecilic arguments I see put forth when people try to defend the indefensible.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    14. Re:I agree by ZekoMal · · Score: 0, Troll

      So what you're saying is that every OS ever released needs to have absolutely 0 lines of exploitable code; if it doesn't, then the OS maker needs to repair every bug ever to appear on it. If you believe that, you should be foaming at the mouth just as much over Apple.

    15. Re:I agree by TheRaven64 · · Score: 1

      Really? Because when I booted my PowerBook (which runs 10.4) last week, Software Update popped up telling me that there were three updates, including a set of security fixes, to install. Maybe you should tell Apple...

      --
      I am TheRaven on Soylent News
    16. Re:I agree by mcgrew · · Score: 1

      If you believe that, you should be foaming at the mouth just as much over Apple.

      If I had a Mac I would be.

    17. Re:I agree by c · · Score: 1

      > Anyone running XP knows they're doing it because Vista/7 don't appeal to them

      ... or they can't buy a netbook with anything other than XP.

      c.

      --
      Log in or piss off.
    18. Re:I agree by ceoyoyo · · Score: 1

      Apple released a security update for 10.4, Tiger (2005) on August 6.

      So Apple is still supporting Tiger, which they haven't sold in two years, while MS is not supporting XP, which I can still pay for today.

    19. Re:I agree by tsstahl · · Score: 1

      Why should MS support anything older than that?

      Because they are still selling it today?

    20. Re:I agree by CAIMLAS · · Score: 2, Informative

      Except we're not talking about consumer toys and electronics (though some might argue that Windows XP is a 'toy OS'). We're talking about the OS with the largest corporate/business install base, ever. And there has been an official EOL date known for some time now - and this falls before that date.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    21. Re:I agree by JimR · · Score: 1

      ... Apple doesn't provide service updates for anything older than 10.5 (2007)...

      Check out: http://support.apple.com/kb/HT1222.

      Apple released a security update for OS X 10.4 just 5 days ago.

      OS X 10.4 was released in 2005.

      --
      #exclude <ms/windows.h>
    22. Re:I agree by ffreeloader · · Score: 0

      So what you're saying is that every OS ever released needs to have absolutely 0 lines of exploitable code; if it doesn't, then the OS maker needs to repair every bug ever to appear on it. If you believe that, you should be foaming at the mouth just as much over Apple.

      Every current OS needs to be supported by the manufacturer. MS refusing to fix security vulnerabilities just because XP code has been around a long time is just wrong. They are still selling XP to customers so they still need to support it. If they had stopped selling XP entirely a few years ago that would be another matter. The way things are they are abandoning users of one of the products they currently sell.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    23. Re:I agree by Anonymous Coward · · Score: 0

      They provide security updates for 10.4 still and dropped 10.3 only last year.

  13. Wait by Anonymous Coward · · Score: 1, Interesting

    Looks like all of those netbooks Microsoft allowed to be shipped with XP in the last two years will be tasty targets.

    1. Re:Wait by rbochan · · Score: 1

      Not just netbooks...

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  14. In other News: XP not affected by Vista/W7 bugs! by kevingolding2001 · · Score: 3, Insightful
    From the FA. (Emphasis mine)

    The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."

    Yes, it's easy to take the "We won't be backporting this fix" stance when the old OS isn't vulnerable in the first place.

  15. Remote code execution is LOW impact? by Ancient_Hacker · · Score: 3, Insightful

    For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

    And somehow, the TCP stack, perhaps the most modular and with the most well-defined interfaces, can't be replaced wholesale.

    This makes no sense, unless they're trying to get people to spend $$$ on moving to "Windows 7",
    or as the congnoscenti call it, "Vista SP2".

    ooooohhh.....

    1. Re:Remote code execution is LOW impact? by Anonymous Coward · · Score: 0

      Simple. Figure out a way to use this exploit to break windows media DRM. Watch the exploit get fixed the very next day.

    2. Re:Remote code execution is LOW impact? by Anonymous Coward · · Score: 0

      No, Microsoft rates a temporary denial of service vulnerability with no default attack vector as a low impact problem for XP.

      While I agree that "low" is probably not the correct severity of the problem, it's certainly not the huge issue that you make it out to be.

    3. Re:Remote code execution is LOW impact? by nielsm · · Score: 3, Insightful

      There's no remote code execution possible with this on XP, only DoS. You can make the system essentially freeze while the packeting is going on but that's it. Only Vista and Server 2008 have remote code execution exploits from this bug.

      Also you can only exploit this if the machine has software accepting TCP connections. If you have an (application) firewall blocking all incoming connections with no exceptions (such as XP SP2+ has by default) there's no real problem.

    4. Re:Remote code execution is LOW impact? by Anonymous Coward · · Score: 0

      DirectX 10 deja vu anyone? :)

    5. Re:Remote code execution is LOW impact? by Anonymous Coward · · Score: 0

      For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

      No they don't. They list it as a low impact DoS vulnerability only on XP. I think the confusion arises because they have released one security bulletin for multiple bugs.

      The ones they aren't fixing are the DoS ones which probably do need quite a bit of reengineering to fix. CVE-2009-1925 does not list XP as vulnerable.

      Nothing to see here, move along.

    6. Re:Remote code execution is LOW impact? by WMD_88 · · Score: 1

      This makes no sense, unless they're trying to get people to spend $$$ on moving to "Windows 7", or as the congnoscenti call it, "Vista SP2".

      I believe Vista actually has an SP2. So, 7 would be Vista SP3 ;)

    7. Re:Remote code execution is LOW impact? by Daltorak · · Score: 2, Informative

      For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

      But that's not what they're doing! There is no remote code execution vulnerability on Windows 2000, XP, or Server 2003. Only Vista and Server 2008 are susceptible to remote code execution. This is a Denial of Service vulnerability on NT 5.x systems, and you have to have the firewall disabled (and, indeed, no stateful hardware firewall at all) in order to be vulnerable.

      The details are here:

      http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx

      It's fine to criticise Microsoft for not releasing a patch for XP, but let's at least get the facts about the vulnerability straight, first, yeah?

    8. Re:Remote code execution is LOW impact? by jte17 · · Score: 1

      Perhaps you should refer to the bulletin (http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx) in which it clearly states that XP is not affected by remote code execution. Those operating systems which are affected by remote execution are marked as critical.

    9. Re:Remote code execution is LOW impact? by Anonymous Coward · · Score: 0

      The "experts" calling it Vista SP2 are fucking morons. http://en.wikipedia.org/wiki/Features_new_to_Windows_7

    10. Re:Remote code execution is LOW impact? by Ancient_Hacker · · Score: 1

      Sorry if I missed something.

      Perhaps you should read the second sentence of the thing you reference:

      >The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service.

      ... now later on they may backpedal on that, but to the average casual peruser of critical words, the second unequivocal sentence sure stands out.

    11. Re:Remote code execution is LOW impact? by Ancient_Hacker · · Score: 1

      I don't know if we're quite f***ing morons. I seem to recall somebody compared Vista and Windows 7 installs and found something like 97% commonality.

      In my book, a 3% change is barely a service pack, much less meriting a new version number, much less meriting dropping a moniker.

    12. Re:Remote code execution is LOW impact? by neiras · · Score: 1

      ...or as the congnoscenti call it...

      A new clique involving conga drums and Glade Plug-Ins?

      Please subscribe me to your newsletter!

    13. Re:Remote code execution is LOW impact? by CAIMLAS · · Score: 1

      The really irritating thing is that, while XP SP3 is being patched (apparently) they're not patching the earlier releases. That's really, really frustrating, because the main computers which will be running those earlier releases are the more expensive ones that you simply can't replace: things like $500 thousand medical scanner interface computers, industrial interface PCs, and the like. They need to be network connected for one reason or another, but it will be impossible to do so securely.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    14. Re:Remote code execution is LOW impact? by Bovius · · Score: 1

      Sorry if I missed something.

      Yep, you missed something. A table a little further down the page clearly declares the type of vulnerability for each OS, and XP is clearly marked "denial of service". I can understand your reaction, though. The sentence in the summary would lead you to believe it's a remote code exploit across the board.

    15. Re:Remote code execution is LOW impact? by Anonymous Coward · · Score: 0

      3% by what measure?

      And by that same measure, what warrants a service pack (in a non-barely capacity), a version number, and a new name?

      And what are the approximate metrics of other Operating System providers, as well as Microsoft's earlier releases? And what trajectory do they have (linear, concave curve wrt the x-axis, etc.)?

    16. Re:Remote code execution is LOW impact? by GF678 · · Score: 1

      or as the congnoscenti call it, "Vista SP2".

      Which is great fun to read because Vista already HAS a Service Pack 2

      When the trolls can't even base their flames around information that makes sense, you know they're idiots.

    17. Re:Remote code execution is LOW impact? by Ancient_Hacker · · Score: 1

      Thanks for playing "When you can't fight the numbers, Obfuscate, Obfuscate, Obfuscate"

      Noted author P.J. O'Rourke is famous for this. He gets my kudos for using actual numerical arguments, but when he knows the numbers are not in his favor, he resorts to inserting a cute personal vignette or self-deprecating humor.

      As an analogy, if a car company changed the color of the taillights on a car, most people would consider this mayhaps meriting adding a "-A" or at most "-Series 2" to the existing model name. Not many would consider it normal to be changing the name of the car from "The Extravaganza" to "Ford 7".

  16. XP Still supported on netbooks. by Chrisq · · Score: 5, Interesting

    Since XP is still being shipped and supported on netbooks this seems a little strange. What's the message - spend extra on memory and hard drive so that you can run XP instead of Linux but we won't give you security patches?

    1. Re:XP Still supported on netbooks. by MartinSchou · · Score: 1

      Where is the money going on memory? You can't buy a Windows equipped netbook with more than 1 GB of memory.

      Some of us would like a netbook with a lot more memory than that.

    2. Re:XP Still supported on netbooks. by gad_zuki! · · Score: 2, Informative

      If you read the article you'll see systems with SP2 or SP3 are unaffected:

      "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

    3. Re:XP Still supported on netbooks. by dave024 · · Score: 1

      Not completely unaffected since lots of people using XP probably are still running servers of some sort.

      I think if people are that concerned over this then maybe it is time they upgrade.

    4. Re:XP Still supported on netbooks. by Loki_1929 · · Score: 1

      It's not as though it's a huge issue on XP. Not only is there no remote exploit vulnerability on XP, but XP isn't even vulnerable to the denial of service by default. You must specifically configure XP to be vulnerable to this attack before it's vulnerable to this attack.

      So yeah, if you specifically modify XP's default settings in such a way as to be vulnerable to this attack, and if you don't run any sort of firewall or other connection filtering software, and if you don't have any kind of hardware firewall or NAT router between you and your internet connection, then someone can hang up your Windows XP computer.

      It'd be nice if they fixed the problem, but frankly, this one shouldn't have any effect whatsoever on 99.999% of the people running XP, especially since many DSL and cable internet providers are now shipping modems which have simple NAT routers built into them.

      --
      -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
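Several comments above tie exposure on XP to two conditions: a service listening for TCP connections, and no firewall blocking inbound traffic to it. The following is an added example, not part of any comment in the thread, that checks those conditions against `netstat -ano` output. The sample output, the function names and the port-only firewall model are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not taken from the page).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1680
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED     2212
  TCP    [::]:3389              [::]:0                 LISTENING       1100
  UDP    0.0.0.0:500            *:*                                    692
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def tcp_listeners(netstat_text):
    """Return (ip, port, pid) for every TCP socket in the LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; UDP rows have no State column and are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP" or fields[3] != "LISTENING":
            continue
        ip, port = split_endpoint(fields[1])
        listeners.append((ip, port, int(fields[4])))
    return listeners


def reachable_listeners(netstat_text, firewall_exceptions):
    """Listeners that a remote host could open a TCP connection to.

    firewall_exceptions: None means no host firewall at all; otherwise the set
    of inbound TCP ports the firewall lets through (empty set = block all).
    Simplification: real rules can also scope by program or source address.
    """
    reachable = []
    for ip, port, pid in tcp_listeners(netstat_text):
        if ip.is_loopback:
            continue  # bound to 127.0.0.1 or ::1, not reachable from the network
        if firewall_exceptions is not None and port not in firewall_exceptions:
            continue  # inbound connection attempts to this port are dropped
        reachable.append((str(ip), port, pid))
    return reachable


if __name__ == "__main__":
    scenarios = [
        ("firewall disabled", None),
        ("firewall on, no exceptions", set()),
        ("firewall on, exception for 3389", {3389}),
    ]
    for label, exceptions in scenarios:
        print(label, "->", reachable_listeners(SAMPLE_NETSTAT, exceptions))
```
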
  17. 'We're talking about code that is 12 to 15 years' by Lord+Lode · · Score: 1

    I've worked with older code than that... nothing unfeasible about it.

  18. In other news... by Temkin · · Score: 5, Insightful

    In other news... 10 year old Linux 2.4 kernel patched yesterday...

    1. Re:In other news... by Anonymous Coward · · Score: 0

      Yup, and through the release of Windows 7, the windows kernel was patched to 6.1. Your point? The only difference is that with Windows, you are paying for the release, update, whatever you want to call it.

    2. Re:In other news... by UnderDark · · Score: 5, Informative
    3. Re:In other news... by c · · Score: 1

      > In other news... 10 year old Linux 2.4 kernel patched yesterday...

      Wouldn't surprise me. My organization still has a few 2.4 systems kicking around, and we have the 2.4 source, so if something came up that we absolutely had to patch, we'd be able to. I'm sure there are plenty of others in similar situations.

      c.

      --
      Log in or piss off.
    4. Re:In other news... by CAIMLAS · · Score: 1

      Actually, that isn't the only difference (as the topic for this thread illustrates): with Windows, not only are you paying for it, but you don't get it.

      Kernel 2.4 was no longer 'current stable' as of sometime in early 2003, IIRC. Since that time, it's been in 'maintenance'. It's roughly the same age as XP, yet it is still actively maintained. XP isn't being maintained for one reason, and one reason alone: they're trying to increase their costs by decreasing their maintenance overhead on XP and bringing fresh/increased revenue in with W7.

      Meanwhile, the Linux 2.2 tree, which is actually a full 10.5 years old right now, has a patch for this. And what's more, there's modern, current, and secure support for quite a bit in the 2.2 tree due to patching.

      I'm not saying MS should be doing this, and I wouldn't expect them to. I am saying your argument (or lack thereof) is full of shit, and that it is completely unacceptable for MS to EOL a product unofficially, while it is still being sold as "new" to customers, ~half a year before the "official" EOL date.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    5. Re:In other news... by Exception+Duck · · Score: 1

      You would think the masters at MS would know that this kind of attitude is good ammo for the FOSS movement.

      Soon some CEOs will be thinking,

      a) expensive upgrade to Win7 and another forced upgrade in 5-10 years.
      b) look at other alternatives.

    6. Re:In other news... by Volguus+Zildrohar · · Score: 1

      they're trying to increase their costs by decreasing their maintenance overhead

      So you're saying Microsoft can't even follow basic accounting?

      --
      When confronted with one problem, some think "I'll use recursion". Now they are confronted with one problem.
  19. My job is to apply "The Formula" by Stenchwarrior · · Score: 5, Funny

    A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

    If X is less than the cost of a recall, we don't do one.

    --
    Loading...
    1. Re:My job is to apply "The Formula" by insertwackynamehere · · Score: 1

      Ooh I liked that movie. Let's arbitrarily quote it some more!

    2. Re:My job is to apply "The Formula" by jollyreaper · · Score: 2, Insightful

      A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

      If X is less than the cost of a recall, we don't do one.

      The first rule of screwing the public is we don't talk about screwing the public.

      The second rule of screwing the public is WE DON'T TALK ABOUT SCREWING THE PUBLIC!

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    3. Re:My job is to apply "The Formula" by jabuzz · · Score: 1

      Ford tried that one, and when found out C became much larger. It is not a good business plan.

    4. Re:My job is to apply "The Formula" by Stenchwarrior · · Score: 1

      arbitrarily

      Hello, my name is Inigo Montoya...and I do not think that word means what you think it means.

      --
      Loading...
    5. Re:My job is to apply "The Formula" by R2.0 · · Score: 2, Informative

      "Ford tried that one, and when found out C became much larger. It is not a good business plan."

      Kind of. The Pinto gas tank issue had far more to do with Lee Iacocca when he was at Ford. In order to compete with the imports, he gave the designers and engineers a simple directive: "2000#, $2000". Whenever an issue made it up to his office, that was the answer the engineers got - including the gas tank issue. That way, he could deny having "decided" anything. The cost/benefit analysis was more a matter of cover for decisions that had already been made.

      "Class Action" may have borrowed elements from the Pinto, but it was fiction.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    6. Re:My job is to apply "The Formula" by Bill_the_Engineer · · Score: 1

      Rule #1: No one talks about that movie...

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    7. Re:My job is to apply "The Formula" by mdm-adph · · Score: 1

      A new computer built with my company's OS gets on the Internet. The TCP/IP stack is exploited. The customer's identity is stolen. Now: do we spend the money to patch it? Take the number of installations in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average cost of a new Macbook (C). A times B times C equals X...

      If X is less than the cost of fixing the patch, we don't do one.

      Better?

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    8. Re:My job is to apply "The Formula" by machine321 · · Score: 1

      Stop talking about Usenet!

    9. Re:My job is to apply "The Formula" by Anonymous Coward · · Score: 0

      A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

      If X is less than the cost of a recall, we don't do one.

      Um, that's what Ford thought with the Pinto... They were wrong.

  20. infeasible? by hal2814 · · Score: 1

    Oh, Dusty. In-feasible is when you're MORE than feasible. This TCP/IP fix, it's not just feasible, it's IN-feasible.

  21. "Infeasible": Translation.. by multipartmixed · · Score: 5, Funny

    ...we lost the source code, we kept it in Microsoft Source Safe and it ate it.

    --

    Do daemons dream of electric sleep()?
    1. Re:"Infeasible": Translation.. by Anonymous Coward · · Score: 0

      True.

    2. Re:"Infeasible": Translation.. by Anonymous Coward · · Score: 0

      OMG! You too???? And to think the bugs that cause random reversions and corruption of the database were known issues at the time Microsoft bought the technology from One Tree Software in 1994! It was also claimed that those would be the first bugs corrected, now that the full resources of MS were available to work on the issue.

    3. Re:"Infeasible": Translation.. by steelfood · · Score: 1

      Your code is so safe with VSS even you can't get to it.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    4. Re:"Infeasible": Translation.. by bill_mcgonigle · · Score: 1

      ...we lost the source code, we kept it in Microsoft Source Safe and it ate it.

      bologna, it's on the same backup tapes as the e-mail the DOJ was looking for.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:"Infeasible": Translation.. by Anonymous Coward · · Score: 0

      Going open source would have helped there...

  22. US Navy already ditching M$ by SgtChaireBourne · · Score: 4, Interesting

    The U.S. Navy's and Marine Corp's NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

    Since 2008, the US Navy will acquire only systems based on open technologies and standards. That excludes M$ products explicitly in every way but name. The TCP/IP being just one example of failure on M$ part to implement standards. US Navy is ditching M$.

    They'll probably go with an American company like Red Hat or roll their own spin of Red Hat.

    The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not? If you've got Windows on your network, then you have a personnel problem, not just a network security problem.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:US Navy already ditching M$ by commodore64_love · · Score: 1

      >>>like Red Hat or roll their own spin of Red Hat.

      So in other words the Navy has come full-circle to where they were in 1997. Prior to that the Navy (and military in general) did all hardware and software development internally. They switched to Commercial products on the theory that it would be cheaper to just buy the stuff off the shelf. Now after having experienced the Microsoft world, I guess they decided to go back to self-developed software.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    2. Re:US Navy already ditching M$ by oodaloop · · Score: 3, Insightful

      Interesting article. I work with the Navy, as well as other services, DoD, etc and have never heard this. I've also seen the DoN purchase proprietary systems this year alone, so at least some people haven't gotten that memo. Perhaps for areas where viable open source alternatives exist, I could see that, like for servers. But many of the workstation applications have no alternative. And with changes in command every few years, his successor is just as likely to continue with MS as not.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:US Navy already ditching M$ by icebraining · · Score: 3, Insightful

      Red Hat is a commercial product. They're moving to the best of the two worlds: a cheap commercial product which they *can* adapt to their needs.

    4. Re:US Navy already ditching M$ by Anonymous Coward · · Score: 0

      That article can only be talking about the few networks and computer systems it has control over, because its main contractor, EDS/HP, I can guarantee you will not be upgrading their 250,000+ desktops and laptops to an open source OS. By contractual agreement I am pretty sure they have to use Windows.

      If that article was true, we wouldn't be trying to upgrade 30,000 Windows 2000 machines to Windows XP, just to upgrade them to an open source OS months/years later.

    5. Re:US Navy already ditching M$ by drinkypoo · · Score: 3, Informative

      The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not?

      You are being ridiculous. Microsoft under Bill Gates got a free pass from Ashcroft. The Gates Foundation is part of a program to push western IP law throughout the world; if you don't provide patent and other protections for big pharma, you don't get any inoculations. At the same time, the Gates foundation is making for-profit investments in things like oil refineries which are causing lung bleeding in children they're providing inoculation to. Meanwhile, the stated goal of eliminating certain diseases is impossible because the restrictions the foundation is placing mean that not all nations will pick up the inoculations, and a partial cure is no cure.

      Bill Gates is now part of the power structure controlling America and attempting to use it to control the world. Barring some one-step-away-from-a-persian-cat-and-a-monocle actions by BillyG, his future is secure.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:US Navy already ditching M$ by Anonymous Coward · · Score: 0

      Good answer. Linux rocks!

      Especially when it comes to fixing security bugs

    7. Re:US Navy already ditching M$ by Anonymous Coward · · Score: 0

      Baloney. The Navy still purchases Office/XP/etc. My company sells plenty of proprietary stuff to the navy. The meaning is OPEN technologies and standards. Windows has an API thus is "open" from this perspective.

    8. Re:US Navy already ditching M$ by Anonymous Coward · · Score: 0

      Really? The army uses quite a few Linux based systems. The Combat ATC system happens to be a modded version of my favorite distro. Can't give much more info than that since it's technically a secret system and that's all the info available to the public.

    9. Re:US Navy already ditching M$ by chainsaw1 · · Score: 1

      I have heard of this, but context is key. Open systems are "preferred" in acquisition, and my take is the Admiral is referring to operational use. Neither addresses NMCI, which is contracted directly by Congress and out of the Navy's hands with the exception of program management.

      It will take many years for this to flow down, assuming the Admiral can beat on heads enough to make it happen. Programs won't toss out Microsoft if M$ can offer reduced rate consulting and development. Red Hat, et al. can't do that because they make no revenue from the software. If the developmental PM staff get promoted before the overall life cycle cost hits, then the PM staff believes they have done their job and the cycle continues. Press Releases are not requirements.

      See also: DoD going to IPv6. There was a nice press release saying DoD would be fully IPv6 by 2006...

      --
      - Sig
    10. Re:US Navy already ditching M$ by jim_v2000 · · Score: 1

      That article doesn't say what you think it does.

      --
      Don't take life so seriously. No one makes it out alive.
    11. Re:US Navy already ditching M$ by oatworm · · Score: 1

      Knowing our luck, they'll get confused and use Red Flag Linux instead.

    12. Re:US Navy already ditching M$ by Anonymous Coward · · Score: 0

      haha, "M$" that's very clever!

    13. Re:US Navy already ditching M$ by Lennie · · Score: 1

      IPv6 by 2006, no, but _possible_ to run IPv6 on the backbone and other infrastructure by the start of 2009 or whenever it was, but much later than 2006.

      --
      New things are always on the horizon
    14. Re:US Navy already ditching M$ by prehistoricman5 · · Score: 0

      If you actually read the article you linked to, you'd know that the military is NOT ditching proprietary software; they are ditching "systems that couple hardware, software and data". What this means is that Microsoft will not have any problem because Windows is not specifically linked to any specific hardware.

      --
      Fuck Beta
  23. the true cost by mach1980 · · Score: 3, Insightful

    The true cost of releasing a patch is not in compiling and distributing the fix. The money is spent on verification. By not releasing the patch to XP and w2k my estimates are that Microsoft is saving man-years in verification.

    --
    Break the sound barrier - bring the noise.
    1. Re:the true cost by knarf · · Score: 1

      Bogus, don't be a tool. The patch for WS2003 most likely works on XP as well given the shared heritage of these systems. They just want current XP users to move to Vista7.

      --
      --frank[at]unternet.org
    2. Re:the true cost by guruevi · · Score: 1

      Microsoft does release non-tested patches sometimes. They're called hotfixes in MS jargon and you have to call Microsoft Support to receive them. They are said to be unstable and after you install one, that part of your system might no longer be eligible for support. I had to do it several times back in the day when I was working with their latest SharePoint product (which is by the way not very stable).

      I ended up doing iframes into a LAMP backend because after you modify a list to look the way you want it to be with FrontPage, the list will no matter what break for no good reason and Microsoft Support will tell you after a few days on the phone with the engineers that built it that modifying a SharePoint site with FrontPage voids the warranty and thus the support on the whole system.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:the true cost by drinkypoo · · Score: 1

      If they don't want to patch XP, they should stop selling it.

      Oh, wait! Intel and Microsoft made a deal to keep selling it because Windows 7 isn't out and Windows Vista is a gigantic piece of shit when you put it on a netbook. I know, I have the most powerful machine you can almost call a netbook, and it came with Vista Basic. Windows 7 rocks it. (This is a Gateway LT3103u. I have got overclocking to work up to 1.4 GHz. Beats Atom like a bitch.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:the true cost by Anonymous Coward · · Score: 0

      Yeah, if Microsoft is truly putting so much effort into *verification*, why are those security holes there in the first place?

    5. Re:the true cost by Anonymous Coward · · Score: 0

      What? They don't just go by my policies? "It compiles! Ship it!!"

    6. Re:the true cost by mach1980 · · Score: 1

      Your comment is very true but you are thinking like a good engineer. To the sales department every released patch is a liability. Releasing patches without proper verification is neglecting "due diligence" (spelling?) and is a cause of getting your ass sued to kingdom come. Pardon my French.

      --
      Break the sound barrier - bring the noise.
  24. Also said in was "afeasable" by BlueBoxSW.com · · Score: 1

    "retrofeasable," "antifeasable," "inflamafesable," and "!feasable."

    1. Re:Also said in was "afeasable" by Anonymous Coward · · Score: 0

      I don't know why you people are making such a big deal about a perfectly cromulent word.

  25. Xubuntu (or your favorite) for Netbooks by Archeopteryx · · Score: 2, Insightful

    There is really no reason for XP on a netbook any more. You aren't using it as a high end gaming platform. You aren't running Adobe Creative stuff on it.

    You are using it to run FireFox, edit documents, read, IM and send email.

    Linux has all that covered and is even document-compatible with Windows.

    I have a Eee 900A with a 32GB SSD in it running Xubuntu and I connect to a corporate Radius network, bluetooth tether to my phone, and even use the web version of outlook on it to get at calendars.

    Flash even works.

    The only thing I can't do that would be nice is play Netflix movies as the Moonlight package does not have DRM in it (and likely never will.)

    --
    Dog is my co-pilot.
    1. Re:Xubuntu (or your favorite) for Netbooks by Anonymous Coward · · Score: 0

      There's really no reason for XP, but then in your same post you go and give a reason for XP. Brilliant!

    2. Re:Xubuntu (or your favorite) for Netbooks by mdm-adph · · Score: 1

      But granny can't install the Mah Jong CD she got 10 years ago on Linux, therefore, it just won't do.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    3. Re:Xubuntu (or your favorite) for Netbooks by Archeopteryx · · Score: 1

      No, that's a reason for OSX (which does run on this machine.) :-D

      --
      Dog is my co-pilot.
    4. Re:Xubuntu (or your favorite) for Netbooks by Corporate+Troll · · Score: 1

      Netbooks come with CD Rom drives?

    5. Re:Xubuntu (or your favorite) for Netbooks by mdm-adph · · Score: 1

      No, but they can sure download that Mah Jong application from the website. You know, the totally legit Mah Jong website you get when you search for "Mah Jong" on the Intertubes?

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
  26. Good Bye Microsoft by curmudgeon99 · · Score: 0, Flamebait

    This is just another reason to abandon Microsoft. I am so happy with my Mac, open office and a variety of other non-Microsoft technologies. The last time I spent money on one of their "products" was Windows 98. No reason to ever drop a dime again on their crap.

    1. Re:Good Bye Microsoft by Yosho · · Score: 1

      This is just another reason to abandon Microsoft.

      Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    2. Re:Good Bye Microsoft by BOFslime · · Score: 0, Flamebait

      This is just another reason to abandon Microsoft. I am so happy with my Mac, open office and a variety of other non-Microsoft technologies. The last time I spent money on one of their "products" was Windows 98. No reason to ever drop a dime again on their crap.

      I'm sure your reasoning is sound, nobody should buy software from a company that drops support for its previous generat, oh.. oh wait.

    3. Re:Good Bye Microsoft by curmudgeon99 · · Score: 2, Insightful

      Dude, How often do you hear of Mac Viruses running rampant? The reason Microsoft has to constantly patch their crap is because it's terrible. Mac is much more solid and the whole issue goes away... You are showing your Microsoft-centric world view. In the Mac world, the need to constantly fix old mistakes just is not a problem. It's a non issue.

    4. Re:Good Bye Microsoft by Anonymous Coward · · Score: 0

      Dude,Mac is much more solid and the whole issue goes away... You are showing your Microsoft-centric world view. In the Mac world, the need to constantly fix old mistakes just is not a problem. It's a non issue.

      Reality-Distortion-Field-o-meter: over 9000.
      Yep. the issue just flies away.

    5. Re:Good Bye Microsoft by 99BottlesOfBeerInMyF · · Score: 1

      Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?

      Apple hasn't sold a computer with Mac OS X 10.4 on it for 4.5 years. They released a security patch for it 5 days ago. How long ago did MS stop licensing WinXP for sale on computers? Oh yeah, you still buy computers with WinXP on them because MS is still selling licenses.

    6. Re:Good Bye Microsoft by Yosho · · Score: 1

      Apple hasn't sold a computer with Mac OS X 10.4 on it for 4.5 years. They released a security patch for it 5 days ago. How long ago did MS stop licensing WinXP for sale on computers? Oh yeah, you still buy computers with WinXP on them because MS is still selling licenses.

      You're missing the point. The original poster claims that MS no longer patching XP is a reason to abandon Microsoft; no, it's a reason to upgrade to an OS that was released in the last few years.

      MS still sells XP licenses because there's a demand for them. There are some people who will continue to demand XP as long as MS keeps supporting it, so the only way to make them upgrade is to stop supporting it. I'm sure Apple would still be selling 10.0 if there was a demand for it, but fortunately for them, the incremental style of Apple's releases makes it easy to see that their older OSes are crappy compared to the new ones.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    7. Re:Good Bye Microsoft by Yosho · · Score: 1

      You are showing your Microsoft-centric world view.

      That's hilarious. Before jumping to wild conclusions about who I am, you should know that I've got four computers currently in the room with me, and the only MS operating system is running in a virtual machine on one of them.

      All I'm doing is pointing out that the argument in your original post is faulty.

      To be honest, this...

      In the Mac world, the need to constantly fix old mistakes just is not a problem. It's a non issue.

      is pretty bad, too. So what do you do about old mistakes in the Mac world? Sweep them under the rug and pretend they didn't happen? Or are you saying that Apple just doesn't ever make mistakes?

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    8. Re:Good Bye Microsoft by VGPowerlord · · Score: 1

      Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?

      I would put [citation needed] but I'd rather just say you're wrong and point out the release dates:
      OSX 10.0 - released March 2001
      OSX 10.1 - released September 2001
      Windows XP - released December 2001

      ...and I don't even own a Mac!

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    9. Re:Good Bye Microsoft by VGPowerlord · · Score: 1

      Whoops, XP was released in October 2001, not December 2001. That's what I get for believing another poster... still later than OSX 10.1 though.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    10. Re:Good Bye Microsoft by Yosho · · Score: 1

      I would put [citation needed] but I'd rather just say you're wrong and point out the release dates:

      Oops, sorry about that. Off the top of my head I thought 10.0 was early 2002, but I suppose not.

      For what it's worth, you're wrong, too, because XP was released in October 2001.

      You could just as easily put 10.2 in my original post, though, which didn't come out until August 2002, and Apple still doesn't port updates back to 10.2

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    11. Re:Good Bye Microsoft by curmudgeon99 · · Score: 2, Insightful

      Certainly not. Macs are made by humans. However, you must have lived on Mars the past decade to not notice the constant stream of viruses and other trojans that are so successful finding new exploits in the MS ecosystem. Though indeed problems do occur in the mac, they are on a vastly smaller scale than on Windows. So, though I did make an exaggeration by making an absolute statement, it does jive with reality. Having been a software developer professionally for 13 years and privately for 20, I stand by my assessment that MS makes crap.

    12. Re:Good Bye Microsoft by VGPowerlord · · Score: 1

      I would have pointed out that I was wrong about XP's release month sooner, but Slashdot's idiotic "you can't make another comment so soon!" (in addition to the "you can't edit posts") system prevented me... I didn't come back to it until a bit later.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    13. Re:Good Bye Microsoft by 99BottlesOfBeerInMyF · · Score: 1

      The original poster claims that MS no longer patching XP is a reason to abandon Microsoft; no, it's a reason to upgrade to an OS that was released in the last few years.

      So you propose looking up all the components of the products you buy and only buying products made with recent components? Computers with XP on them are selling today. It is a current product. Computers with OS X 10.4 haven't sold for 4.5 years and they're still getting support. That's why your comparison is garbage.

      MS still sells XP licenses because there's a demand for them. There are some people who will continue to demand XP as long as MS keeps supporting it, so the only way to make them upgrade is to stop supporting it.

      Sorry that doesn't wash. If MS is going to keep selling it they need to keep supporting it. If they determine they can't support it anymore, they need to stop selling it several years prior to that time. You know normal companies respond to customer demand, rather than dictate terms to customers. MS should have broken up years ago so the market could solve this problem.

      I'm sure Apple would still be selling 10.0 if there was a demand for it, but fortunately for them, the incremental style of Apple's releases makes it easy to see that their older OSes are crappy compared to the new ones.

      That's because Apple is about creating products to satisfy the demand of their customers, instead of creating products with new mechanisms for extracting money from their customers and then trying to force people to pay for the privilege.

      The root problem is MS doesn't care about their customers because they don't have to to make money because they criminally leverage their monopoly as a revenue source.

    14. Re:Good Bye Microsoft by Gallomimia · · Score: 1

      As opposed to the... decremental? style of windows releases? Spotty? Roller coaster? Wait. Isn't "upgrade" a synonym to increment? Oh.

      --
      Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
  27. Wouldn't SynAttackProtect work here? (on 2000 too) by Anonymous Coward · · Score: 3, Interesting

    The DOS/DDOS possible via the latest weakness in Windows 2000's IP stack @ least (uses RDR20.DLL as the LSP (layered service provider) vs. MSWSOCK.DLL (the LSP used in XP/Server 2003 onwards, by way of comparison, & this is where I think the problem lies largely, as it is the "most radically different part" of the IP stack in Windows 2000 vs. the more current builds of Windows that I could see @ least)?

    WELL - That's taken care of by the SynAttackProtect setting here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    What does it do??

    http://msdn.microsoft.com/en-us/library/aa302363.aspx

    Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

    TcpMaxPortsExhausted
    TcpMaxHalfOpen
    TcpMaxHalfOpenRetried

    Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)

    This SynAttackProtect registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).

    2: Set SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests quickly timeout when a SYN attack is in progress. This parameter is the recommended setting.

    NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows

    -----

    IIRC? This is called the "Silly Window Syndrome", & this is a way, in theory, around it... & iirc, "Scalable Windows", via setsockopt API calls from an attacker are what the problem is here anyhow & this ought to 'stall it'... thoughts/feedback?

    APK

    P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above) SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...

    Thus, effectively stalling the ability to use TcpWindowScaling is stopped by SynAttackProtect too, so an attacking system/app sending a setsockopt of 0 for this SHOULD also be nullified, on a server also...

    (However/Again - Workstations are easily taken care of , vs. servers, just by what I wrote up above either by PORT FILTERING)

    IP Security Policies, which can work on ranges of addresses to block, OR, single systems as well you either ALLOW or DENY to talk to your system, still can help also... vs. a DDOS though? SynAttackProtect is your best friend here... you'd use netstat -b -n tcp to see which are held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR WAY (or just by doing it in a router or routing table)... takers anyone, on these thoughts (especially for Windows 2000)?

    Thanks for your time... apk
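An added example (not part of the comment above, and not Microsoft's code): Python that checks saved `reg query` output for the SynAttackProtect value and the three threshold values the comment names, and counts half-open (SYN_RECEIVED) connections per source in saved `netstat -n -p tcp` output. The sample inputs, the addresses and the per-source limit are constructed assumptions.

```python
# Inputs are the saved text of two commands run on the legacy host:
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
#   netstat -n -p tcp
import re
from collections import Counter

# Value names come from the comment above; 2 is the setting it recommends.
RECOMMENDED_SYN_ATTACK_PROTECT = 2
THRESHOLD_VALUES = ("TcpMaxPortsExhausted", "TcpMaxHalfOpen", "TcpMaxHalfOpenRetried")

# One value line of `reg query` output: indent, name, type, hex data.
REG_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_dwords(reg_text):
    """Return {value_name: int} for every REG_DWORD line; other types are skipped."""
    values = {}
    for line in reg_text.splitlines():
        match = REG_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def audit_syn_settings(reg_text):
    """Return a list of findings; an empty list means nothing to report."""
    values = parse_reg_dwords(reg_text)
    findings = []
    current = values.get("SynAttackProtect")
    if current is None:
        findings.append("SynAttackProtect is not set")
    elif current != RECOMMENDED_SYN_ATTACK_PROTECT:
        findings.append("SynAttackProtect is %d, expected %d"
                        % (current, RECOMMENDED_SYN_ATTACK_PROTECT))
    for name in THRESHOLD_VALUES:
        if name not in values:
            findings.append("%s is not set explicitly" % name)
    return findings


def half_open_by_source(netstat_text):
    """Count TCP rows in SYN_RECEIVED state, keyed by remote IP address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "SYN_RECEIVED":
            counts[parts[2].rsplit(":", 1)[0]] += 1
    return counts


def total_half_open(netstat_text):
    """Total half-open count. Flood sources are often spoofed, so this total
    can be high even when no single source stands out."""
    return sum(half_open_by_source(netstat_text).values())


def sources_over_limit(netstat_text, limit):
    """Remote IPs holding at least `limit` half-open connections (limit is an assumption)."""
    counts = half_open_by_source(netstat_text)
    return sorted(ip for ip, n in counts.items() if n >= limit)


# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Hostname    REG_SZ    legacy-host
    SynAttackProtect    REG_DWORD    0x1
    TcpMaxHalfOpen    REG_DWORD    0x1f4
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:40112     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40113     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40114     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:51000      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:51822      ESTABLISHED
"""

if __name__ == "__main__":
    for finding in audit_syn_settings(SAMPLE_REG):
        print("registry:", finding)
    print("half-open total:", total_half_open(SAMPLE_NETSTAT))
    print("sources at or over limit 3:", sources_over_limit(SAMPLE_NETSTAT, 3))
```
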

  28. This degrades the internet by Anonymous Coward · · Score: 0

    There are how many XP machines on the web? Who won't issue a repair for that many machines? If they won't do it, release the code to someone else who will. Car companies tried to do this - not releasing spare parts. Other companies won the right to make the parts.

    It's not just an issue of upgrading to Vista or Windows 7 - Microsoft has a responsibility to fix their stuff because of their place in the market and their presence on the web.

    They're still minting XP disks. They'll have to make the patch for big\secure customers. They should be made to release the patch.

    AC

  29. All the military stuff is old. by tjstork · · Score: 1

    Procurement times are so long in the military that everything is old. I understand the Seawolf is powered by 68030 processors...

    --
    This is my sig.
    1. Re:All the military stuff is old. by Truekaiser · · Score: 1

      So you want unproven, unstable tech running engines of mass destruction? Especially when they carry nuclear weapons?

    2. Re:All the military stuff is old. by Anonymous Coward · · Score: 0

      FWIW the Seawolf is an attack sub (SSN), not a boomer (SSBN). It does carry Tomahawks which could be nuclear armed, but of course they won't tell you. (MCMD). Certainly its primary mission is not for launching nukes.

  30. So will you buy a new Mac then? by tjstork · · Score: 1

    This is just another reason to abandon Microsoft. I am so happy with my Mac

    So... because you don't want to update Windows from XP to Windows 7, you will instead update your entire computer to a brand new Macintosh running a brand new operating system.

    I mean, if you are shopping for a new computer, isn't Microsoft's abandonment of XP kind of irrelevant? If you are not shopping for a new computer, why would anyone care?

    --
    This is my sig.
    1. Re:So will you buy a new Mac then? by scrib · · Score: 1

      Bingo. Leaving Microsoft can be difficult, but it is an investment in one's own future.

      Using OO.o, I don't have to think about what the WGA tracker is doing. My brother had a MB fail. I replaced it, using the same CPU, RAM, video card, and HD, but Windows XP was "smart" enough to see the hardware change and demand revalidation. New MB meant new network card meant I had to call MS and read nine six-digit sequences over the phone and type in the nine six-digit sequence key. Sure, they were polite and happy to help, but what happens when that support number goes away? What if they decide that I've had too many hardware failures? What if they decide that my OEM license from Dell doesn't count because Dell no longer makes BTX MBs? Hardware failures put me at Microsoft's mercy and I am not comfortable with that.

      I'm not going to throw away my Windows computers or quit using the licenses for it that I have, but when I do decide that it is time to upgrade, it will not be to Microsoft. Until this year, I had been all-Windows since '95. I have a Mac Mini, an XP laptop, and a Linux desktop.

      --
      Help! Help! I'm being repressed!
  31. Okay, we get it. This is leverage for 7 migration by erroneus · · Score: 1, Insightful

    Clearly, this is something Microsoft is leveraging to get people to move to Win7. (You know, in some fonts "Win7" looks rather similar to "Win?") But I have to wonder:

    There will be large government installations that still need to use Windows XP. Will they get this impossible patch? Also, do Microsoft's support claims for Windows XP fit within this window, and if not, how can Microsoft pull a stunt like this? Doesn't this mean they are dropping support for Windows XP "early"?

    What really needs to happen is that "the public" needs to be aware of what is happening and, in Fox News style, be instructed how to feel and respond to it.

  32. Unsupported New Computers by ViViDboarder · · Score: 0

    They are still selling computers with WinXP on them. It's unfair for them to just not support it. This is all a ploy to sell more copies of Windows 7 and we all know it.

    If we thought Windows was insecure before, just wait to see how vulnerable it's about to become with all the unsupported XP boxes that are going to be around!!!

    1. Re:Unsupported New Computers by Douglas+Goodall · · Score: 1

      It is worse than just not supporting the computers they are currently selling. Quitting support for XP is going to mean hardware upgrades for all the users that have only the hardware resources to run XP. As if we the people need this expense right now with the economy the way it is. My last round of PC computers were underpowered as part of the Vista Capable debacle. These machines aren't going to upgrade to Windows 7 because they are light on hardware. So what am I expected to do now, turn the other cheek again? Well, surprise, I don't have to. I am a confirmed switcher, and although I am still stinging from the Vista Capable lies, I love my Macs, and there will be no more money from me for Microsoft or the hardware OEM buddies. This should be a wakeup call to those on the fence.

  33. 2014 ???? by m0s3m8n · · Score: 4, Insightful

    I guess these guys did not read: http://support.microsoft.com/gp/lifepolicy XP extended support goes thru 2014 and supposedly covers security fixes. I would think this counts as a security fix.

    --
    Conservative, mod down for violating /. political norms.
    1. Re:2014 ???? by jornak · · Score: 0

      There's absolutely no obligation for them to create a security fix.

    2. Re:2014 ???? by MartinSchou · · Score: 1

      It's not a security fix. Security fixes are only for high impact threats, and remote code execution is a low impact threat according to Microsoft. That means it's not a security fix but a simple bug fix. Or removal of a feature if you will.

    3. Re:2014 ???? by terminal.dk · · Score: 1

      That webpage will soon be Photoshopped with their usual success to say August 2009.
      Otherwise they would be breaking contractual obligations. At least here in Europe, you can demand from your reseller that the product does what the manufacturer says it should do.

      Or in another way, all consumers who bought a laptop within the last 2 years (so still under warranty) should go to the shop. Demand to have this defective product repaired, and if the store denies, then they should demand to have the purchase reversed. Getting back the $1000 they bought for the machine, so they can get the faster fancier Windows 7 equipped machine for $800, and $200 in the pocket.

      Microsoft is shooting itself in the foot here. I recommend that you look around for a trustworthy company to upgrade to.

    4. Re:2014 ???? by Gallomimia · · Score: 1

      Whatever the argument about whether this is a security fix or not results in, you will find it interesting to note the following:

      Non-security hotfix support X Requires extended hotfix agreement, purchased within 90 days of mainstream support ending.

      It is now more than 90 days after the mainstream support is scheduled to end, and thus purchasing this so-called hotfix agreement is not possible. Interesting timing.

      --
      Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
    5. Re:2014 ???? by Anonymous Coward · · Score: 0

      Win2k is also supposed to be receiving critical security fixes and is not being fixed either. In other news MS has been caught violating other people's intellectual property (patent violations in Word) which has resulted in a court injunction against the sale of Word. There are other indicators as well, but in short, MS needs money.

    6. Re:2014 ???? by HermMunster · · Score: 1

      Yes, it is absolutely a security fix. Saying otherwise is a pathetic joke. It is a security fix in that the issue is one of security that affects the TCP/IP stack. Alleged minimization can be overcome by using security software.

      So, YES it IS a security fix.

      --
      You can lead a man with reason but you can't make him think.
  34. Here's an idea... by Anonymous Coward · · Score: 0

    To: Steve Ballmer, CEO of Microsoft

    Dear Steve

    Here's an idea for you. If you're not going to support XP any longer, open source it! The community will be happy to fix your dirty work for you. Just don't blame us when no one buys Windows 7 afterwards.

    Regards

    XP_phantom

  35. Windows 7's 15 Year Old Code by Doc+Ruby · · Score: 1

    Microsoft didn't write all of Windows 7 from scratch. It's surely got plenty of "15 year old code", and probably older. So Microsoft's policy says that it cannot patch some Windows 7 bugs.

    Maybe there indeed isn't any 15 year old code, as MS cycles its codebase slowly through "new" OS releases over the years. But there's doubtless 10 year old code, and certainly 5 year old code. So in 5-10 years, everyone buying Windows 7 today (and tomorrow) will be forced to buy the next "upgrade". And the one after.

    Or run seriously insecure code that the bad guys have had 5, 10, 15 years to figure out how to exploit.

    Microsoft: job security through product insecurity.

    --
    make install -not war

    1. Re:Windows 7's 15 Year Old Code by canajin56 · · Score: 1

      There necessarily is 15+ year old code in Vista and Windows 7. If the TCP/IP code wasn't in Vista and Windows 7, they wouldn't have needed the patch, either, not unless MS made the exact same mistake twice when they rewrote the stack from scratch.

      --
      ASCII stupid question, get a stupid ANSI
  36. I am DITCHING M$FT FOR GOOD by Anonymous Coward · · Score: 0

    I will never fear the miscreant attacking and then commanding MY PC AGAIN !! I hereby swear to almighty GOD that I am through with M$ and will abandon everything I've spent for it over these past 20 YEARS because some miscreant will, might, maybe could, DENY ME MY SERVICE of MY COMPUTER !! I have seen these SMALL WINDOW SIZE TCP PACKETS and they are HORRIBLE, HORRIBLE I tell you !! And they WILL, might, maybe, could DENY ME MY SERVICE of MY COMPUTER. Well, I won't STAND FOR THAT. I am hereby DENYING MYSELF of MY SERVICE of MY COMPUTER before the miscreant CAN, might, maybe could DENY ME MY SERVICE of MY COMPUTER.

    God bless and keep you,
    Right Reverend M$ Can Suck My Balls Kartmann

  37. Halliburton by Doc+Ruby · · Score: 2, Interesting

    Why not? The Pentagon continued using Halliburton for years, on huge no-bid contracts, even when its divisions were installing showers in Iraq that electrocuted our servicemembers. And that's just the worst failure the public heard about, after most of a decade of abusive cronyism.

    Microsoft is much richer than even Halliburton, and its failures much less publicly scandalous. Why would it face a tougher standard? I'm sure Dick Cheney owns a lot of Microsoft stock, too.

    --
    make install -not war

    1. Re:Halliburton by dkleinsc · · Score: 1

      Maj Gen Smedley Butler (yes, that's his real name) put it best:
      War is a Racket

      General Butler has another notable footnote in history, bringing to the attention of Congress and the military the alleged Business Plot to overthrow Franklin Roosevelt.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:Halliburton by Fujisawa+Sensei · · Score: 0, Troll

      Why not? The Pentagon continued using Halliburton for years, on huge no-bid contracts, even when its divisions were installing showers in Iraq that electrocuted our servicemembers. And that's just the worst failure the public heard about, after most of a decade of abusive cronyism.

      Microsoft is much richer than even Halliburton, and its failures much less publicly scandalous. Why would it face a tougher standard? I'm sure Dick Cheney owns a lot of Microsoft stock, too.

      I don't see what the problem is, capitalism and competition will take care of everything, let the market decide.

      --
      If someone is passing you on the right, you are an asshole for driving in the wrong lane.
  38. Bad Car Analogy. You know it is coming ;-) by 140Mandak262Jamuna · · Score: 4, Insightful

    Would we really accept the following situation?

    Today GM announced that the GMC trucks have some fundamental flaw and they are prone to explode randomly. GM said it won't fix the issue because the design is very old, and fixing it is unfeasible. When asked if they will when they stopped shipping trucks with the fatal flaw, GM spokesman said, "we have not stopped building or shipping them yet. We need to compete with the low cost competitors in the net-truck market and so we continue to make and ship the trucks, but we won't fix the safety issue. The drivers may wrap themselves in bags filled with thermocol peanuts to get some measure of protection."

    If not, why do we let Microsoft get away with it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Bad Car Analogy. You know it is coming ;-) by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Your analogy is flawed in three ways. First, MS doesn't make cars. Cars are useful. MS makes an OS which is a system component and pretty much useless by itself. Second MS is a monopoly, whereas GM is not. Third, the flaw in XP is unlikely to result in fatalities or even serious injury. Allow me to fix your analogy:

      Today GM announced that the GMC trucks have some fundamental flaw in the lock mechanisms and they are prone to open and start the truck randomly. GM said it can't fix the issue because the component is supplied by EvilCorp and current law makes it illegal for them to change anything inside the locking mechanism device. Further GM can't buy locking mechanisms from anyone else because EvilCorp has a monopoly on selling them and has used criminal acts to drive all real competitors out of business. EvilCorp has already lost court cases to that effect, but after making campaign contributions to your elected officials decided not to punish them. EvilCorp says the design is very old, and fixing it is unfeasible. When asked if they will stop shipping trucks with the flaw, GM spokesman said, "we have not stopped building or shipping them yet. We don't have any real options here. We did try partnering with a company that repackages locking systems made for free by a nonprofit organization, but they aren't compatible with existing trailer hitches, AC systems, or tires and switching all of those is hard to do since all the component suppliers out there build them to work with EvilCorp products. Also EvilCorp gives away free gas tanks with every lock mechanism, but because they are really weird, gas has had to be reformulated so it has problems working in gas tanks from any normal company and nobody really sells standards compliant gas anymore. Car buyers are encouraged to remove the batteries from their trucks whenever they stop and park them in locked garages if they contain anything valuable."

    2. Re:Bad Car Analogy. You know it is coming ;-) by BeardedChimp · · Score: 1

      Because "think of the children they could be killed!", is a lot more convincing than "think of the children they could turn into spam bots!"

    3. Re:Bad Car Analogy. You know it is coming ;-) by Anonymous Coward · · Score: 0

      Well gee one kills people the other is a software bug. That was difficult.

    4. Re:Bad Car Analogy. You know it is coming ;-) by Anonymous Coward · · Score: 0

      Probably because there are other car dealers than GM, and the differences between cars from the different dealers is minimal.

    5. Re:Bad Car Analogy. You know it is coming ;-) by machine321 · · Score: 1

      Probably not, but a better analogy would be cars that are easy to break into. Since almost all cars are easy to break into yet we still buy them, yes, we would really accept that situation.

    6. Re:Bad Car Analogy. You know it is coming ;-) by Anonymous Coward · · Score: 0

      Well, at least you acknowledge it's a bad analogy.

      Today GM announced that the GMC trucks have some fundamental flaw and they are prone to explode randomly.

      Random explosions = potential loss of life. Getting DoS'd = far less dire. Also, this is a denial of service *attack*. There's nothing random about it - it's a vulnerability that must deliberately be exploited.

      More importantly, comparing an operating system to an automobile is simply asinine. Automobiles can operate perfectly fine independently of each other. Operating systems need to work with thousands (millions?) of third party drivers and applications. And they need to be able to communicate with millions of other operating systems around the world. Assuming a patch would take too long or would break the functionality of a bunch of applications, maybe a fix could lead to even more problems. Don't get me wrong though, I'm not denying the fact that this is shitty.

      why do we let Microsoft get away with it?

      Because there's really nothing that can be done beyond taking your business elsewhere. The only customer that has enough leverage to get them to release a patch would probably be the US government. Who knows how they're going to handle this.

    7. Re:Bad Car Analogy. You know it is coming ;-) by QuietObserver · · Score: 1

      First, MS doesn't make cars. Cars are useful.

      I know what you wrote doesn't actually say it, but what you wrote could be interpreted as 'Microsoft doesn't make anything that's useful.' Anyway, thanks for the laugh.

  39. Re:Wouldn't SynAttackProtect work here? (on 2000 t by The+Yuckinator · · Score: 2, Funny

    Alex P. Keaton is an MCSE? Is there anything that guy can't do?

  40. Microsoft extends XP downgrade option to 2101 by David+Gerard · · Score: 3, Interesting

    Microsoft Corporation has announced a limited one-off extension of availability of its Windows XP operating system to April 2101 after criticism from large customers and analysts. This is the fifty-sixth extension of XP's availability since 2008.

    Through successive releases of Microsoft's flagship Windows operating system, demand for XP has remained an important factor for businesses relying on stable XP-specific software and installations, who have pushed back strongly against the software company's attempts to move them to later versions. Windows administration skills have become rare in recent years and consultants have demanded high fees. Reviving Windows administrators from cryogenic freezing has proven insufficient to fill the market gap, as almost all begged to work on COBOL instead.

    "Windows XP is currently in the extremely very prolonged super-extended support phase and Microsoft encourages customers to migrate to Windows for Neurons 2097 as soon as feasible," said William Gates V, CEO and great-grandson of the company founder. "Spare change?"

    Microsoft Corporation, along with Monsanto Corporation and the RIAA, exists as a protected species in the Seattle Memorial Glass Crater Bad Ideas And Warnings To The Future National Park in north-west Washington on the radioactive remains of what was once the planet Earth, under the protection of our Linux-based superintelligent robot artificial intelligence overlords. Company revenues for 2098 were over $15.

    illustration: A background wallpaper for your insecurable XP desktop. (Anyone got a pointer to the 1024x768 version?)

    --
    http://rocknerd.co.uk
    1. Re:Microsoft extends XP downgrade option to 2101 by Anonymous Coward · · Score: 0

      Be aware of David Gerard:

      - Editor at Wikipedia
      - Fellow citizen and personal friend of Roy Schestowitz, mastermind at BoycottNovell.
      - Wears leather pants and other bondage/goth accessories.
      - Married a huge curly-haired bisexual woman who is a goth like himself.
      - Spams Slashdot for the purpose of promoting his shitty news and rock websites.
      - Creator and owner of disgusting shock websites such as "LemonParty".
      - All around douchebag and asshole.

      More info will be released later as this document progresses.

    2. Re:Microsoft extends XP downgrade option to 2101 by rantingkitten · · Score: 1

      A background wallpaper for your insecurable XP desktop. (Anyone got a pointer to the 1024x768 version?)

      Yo!

      http://farm1.static.flickr.com/25/49346772_0ee70562a6_o.jpg

      I'm busy setting this as the wallpaper for all the XP machines in the office.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    3. Re:Microsoft extends XP downgrade option to 2101 by David+Gerard · · Score: 1

      win!

      --
      http://rocknerd.co.uk
  41. INFEASIBLE = Money by Spinlock_1977 · · Score: 1

    So the patch code for Vista et al won't fit on XP? Hardly surprising - I believe that was a different tcp/ip stack. What MS is actually saying is they won't spend the time/effort/money to develop a patch tailored for the XP stack. There's no such thing as infeasible in this business, only 'too expensive' or 'not in our political best interest'.

    --
    - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
    1. Re:INFEASIBLE = Money by asdf7890 · · Score: 1

      But they have fixed 2003, including the pre-any-service-pack builds which IIRC have pretty much the same stack as XP.

      I wonder if Asus will mention this issue to the customers who took an XP netbook instead of an alternative because the marketing bumpf had "better with Windows" plastered on it...

  42. Best Buy's Training FUD by Anonymous Coward · · Score: 5, Insightful

    Best Buy's recent "training" slide #9, where they say that "Linux is safer than Windows" is a myth, the "Real Facts" states (referring to Linux) 'There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own.'
    Here's proof that that statement is really talking about Windows...

  43. 31 days. by Orbijx · · Score: 3, Interesting

    I say give 'em a month, tops, and then there will be a patch (or news of a coming patch) for Windows XP.

    Now would be a terrible time for Microsoft to alienate all those big corps that have XP and force them into another OS, if they want to keep their customers.
    It'd be great for everyone else, as customers may start looking into things they would never have considered otherwise, such as various open source operating systems, and the necessary apps it would take to keep them going in their workflow, post-transition.

    The way it looks is, some people (usually companies) will view this as a threat from Microsoft that reads: "Upgrade if you want protection."
    Some of them in this group will obediently upgrade to Fista or 7.
    Some of them will reluctantly upgrade to Vista or 7.
    Some of them will stay with XP and find other ways to secure themselves.
    Some of them will [cross their fingers and hope|pray] that Microsoft changes their mind and offers a patch.
    Some of them will be offended and migrate to another OS outside of Big Red Robotland.
    And of course, some of them will feel that litigation solves everything, and want to take MS to court for "refusing to patch an OS that is in such widespread use" (or) "intentionally posing a security risk".

    Refusing a patch like this, in my humble opinion, isn't something you want to do until a few months after your new OS lands, at the bare minimum. That way, you've already got people migrating.

    XP's patching lifecycle isn't up yet, from what I can see here, though: XP SP2 should be good until July of 2010, and SP3 should be good a bit longer than that, so I'm surprised no-one has really called 'em out on that.

    --
    One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
  44. Coming to a law court near you by L4t3r4lu5 · · Score: 2, Interesting

    1. Buy Netbook with Microsoft Windows XP installed.
    2. Run all updates.
    3. Browse web, get hacked by this exploit. Lose money through "identity theft" / bank fraud.
    4. Turn up in court with the receipt for the netbook & windows license stating when purchased, and the date and time Microsoft refused to patch the hole which caused your loss.
    5. State that Microsoft is profiting from a product which is unsuitable for purpose, and it knows is unsuitable.
    6. ...
    7. Read Microsoft fine print and realise that you have to now give Microsoft your first born child for ever doubting that their asses are covered.

    Yeah, consumer loses out on this one.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Coming to a law court near you by Anonymous Coward · · Score: 0

      SP 2 is one of the updates that patches this.

    2. Re:Coming to a law court near you by Anonymous Coward · · Score: 0

      1. Find a netbook running XP no service packs

      all the rest of the made up crap that follows, would all you linux apple fanbois get your heads out of your arses and read the frickin article. XP SP2 and above are not affected. The only person I know who has an original non patched version of XP, is running it on an 8 year old computer and has patched it. They can phone MS and get a free CD with SP2 on it shipped to them, in fact I think they now supply SP3 for free. Which linux company sends out free CDs with their patches on them? And we all know how generous and giving apple is....

      wow this article just reminds me of the tremendous amount of complete morons who still feel they are intelligent because they jumped on the "new cool" whatever technology bandwagon. Don't you all remember how you felt when everyone made fun of you because you were such geeks. Can't you see your obsessive fanboism is worse than the cliques you hated in high school. Give your heads a shake and maybe they will be dislodged from your arse and you can stop smelling the shit you are preaching, and wake up to the fact that it is an OS. Who cares what flavor. Put down the koolaid and understand you have been brainwashed by an advertising campaign, you're not different, you're not special, you're still the same geek you were before you heard of open source....

    3. Re:Coming to a law court near you by Gadget_Guy · · Score: 1

      This isn't a remote exploit bug for XP, just a denial of service so you can't get hacked using this vector. Also, you would have to add the step "2.5 turn off your firewall" to the list to be affected by the bug. If you do that you will be taken down by one of the many other security holes first (and you would deserve it).

    4. Re:Coming to a law court near you by Gadget_Guy · · Score: 1

      They can phone MS and get a free CD with SP2 on it shipped to them, in fact I think they now supply SP3 for free. Which linux company sends out free CDs with their patches on them?

      I am sure that you are aware that "linux companies" give away their entire operating system for free. I think they are beating Microsoft in the generosity department.

      Fanbois for any operating system are always tiresome, but there is really no need to start abusing people like that. Perhaps a valium might help.

    5. Re:Coming to a law court near you by westlake · · Score: 1

      1. Buy Netbook with Microsoft Windows XP installed.

      Which will almost certainly be XP SP3. You want a point of entry? You will have to open the door yourself.

  45. Re:Wouldn't SynAttackProtect work here? (on 2000 t by Anonymous Coward · · Score: 0

    Good points, but can you start writing in that funny old language English? Shit it was hard to decipher ;)

  46. Typical Microsoft by hyades1 · · Score: 1

    What an excellent advertisement for Apple (or even, gasp, Linux)! Just as soon as they decide you should be forced onto a new operating system, Microsoft decides to leave bugs in XP that could create a gap in security and lead to millions of machines getting infected.

    Nice work. I know what my next operating system WON'T be.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:Typical Microsoft by RMH101 · · Score: 2, Insightful

      Apple's not a terribly good example here. You buy software AND hardware from Apple. That nice G5 you bought 5 years ago? No parts available from Apple anymore, sorry. Oh, and Snow Leopard's dropped PPC support so won't run on it. One thing Apple's never been is scared of breaking backwards compatibility.

    2. Re:Typical Microsoft by hyades1 · · Score: 1

      What can I say? You nailed it.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    3. Re:Typical Microsoft by Anonymous Coward · · Score: 0

      Leopard will receive patches for a few years and it takes about 6 months in release cycle before software updates on third party software starts to require the next OS - Microsoft and Adobe being the most conservative and will probably have it working in 2-3 years still, with apple being middle of the road.

  47. backporting is essentially not feasible? by Anonymous Coward · · Score: 0

    [...]backporting that level of code is essentially not feasible[...]
    Okay, so if I get this straight, there's a bug that's in Vista on TCP and that same bug's in XP. So I take it (and knowing m$ a bit, why wouldn't they?) the code is essentially the same or these idiots made the same mistake twice. So if the update for Vista is possible, then what's the big deal about XP?

  48. They could, they just dont want to... by hesaigo999ca · · Score: 4, Insightful

    Please..all underlying architecture has not changed from xp to vista, even though they want you to believe this...and for them to correct the wrapper on xp, would be trivial, however, they are testing the waters about phasing out xp, and want to see what the backlash will be like, seeing as no one wants vista garbage, and maybe even no windows7!

    I prefer, being given the opportunity of just paying a yearly fee to keep getting updates on a system that runs properly compared to their new bloated versions of vista etc... too bad no one can pick it up like a linux distro and start their own version of windows...

    1. Re:They could, they just dont want to... by Anonymous Coward · · Score: 0

      Well, you could... Just modify ReactOS with the Windows source code from the leak in 2004. Of course it wouldn't be legal.

    2. Re:They could, they just dont want to... by Anonymous Coward · · Score: 0

      Incorrect. Vista had a new driver model, among many other architectural changes. (That is actually where almost all of the Vista performance problems came from: 3rd party drivers of poor quality because the developers had not yet become fully experienced in writing drivers for it. That is why a year or two after Vista was released, its performance had increased to be on par with XP.)

    3. Re:They could, they just dont want to... by Anonymous Coward · · Score: 0

      ReactOS is doing something close to that. They are building an OS from scratch with binary compatibility with Windows API.

      http://www.reactos.org/en/index.html

    4. Re:They could, they just dont want to... by Anonymous Coward · · Score: 0

      Try ReactOS!

    5. Re:They could, they just dont want to... by hesaigo999ca · · Score: 1

      Thank you !...I will...never heard of it until now!

  49. In other words... by AlgorithMan · · Score: 3, Insightful

    backporting that level of code is essentially not feasible

    in other words:

    buy windows 7, damn it!

    it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
    1. Re:In other words... by DrXym · · Score: 2, Insightful
      it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....

      It isn't a feigned argument. Having development resources, development environments, build engineers, QA testers, release engineers + assorted managers to fix vanilla XP when it's already fixed by a service pack is a monumental waste of time. Just keeping a shoestring operation running would probably cost MS tens of millions of dollars in resources.

      Of course they're not going to want to do it. I'm sure if you paid them enough money they might of course, but who could blame them?

    2. Re:In other words... by Anonymous Coward · · Score: 0

      There's no working DX10 on XP. The driver architecture is too different. All they change is the label. The effects don't work.

    3. Re:In other words... by brkello · · Score: 1

      Except that it isn't an issue with xp sp2 and later. Why do we mod up so many people who didn't bother to read the article and don't know any of the facts? You guys assume the worst of MS and the best from Apple. Wake up already.

      --
      Support a great indie game: http://www.abaddon360.com
    4. Re:In other words... by Anonymous Coward · · Score: 1, Insightful

      it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....

      Except those hackers consider the endeavor a failure, more than a year ago.

      From Here

      It is with great sadness that I announce the closing of Falling Leaf Systems, LLC. We set out over a year ago to provide users of both "old and unsupported" as well as "alternative" Operating Systems the ability to run the latest games for the PC. Unfortunately, Falling Leaf Systems was unable to achieve that goal.

      So, what, is it that we've redefined success to include failure, which means that the failed attempt to port DX10 to XP, now counts as a success and proves Microsoft wrong?

    5. Re:In other words... by ocularsinister · · Score: 1
      Hmm... well, I haven't tried this, but
      • WINE runs on Windows XP
      • WINE supports DX10

      Problem solved? I don't have a copy of Windows to try this, so maybe it is too slow/unstable.

    6. Re:In other words... by Anonymous Coward · · Score: 1, Insightful

      DX10 was never ported to XP in any significant manner. It was from this project: which hasn't been updated since January, 2008 as it is now defunct. If you want to try to make something of the work that they started (meaning actually getting it to easily allow you to use DX10 in a meaningful manner on non-Vista/7 platforms) they did release their work under the LGPL. But honestly, this isn't going anywhere because Microsoft was just simply not talking out of its ass when it said porting DX10 to XP is not so trivial as some make it seem.

      Maybe you should look into things before you start throwing around statements you can't support.

  50. The solution is rather obvious by sheph · · Score: 4, Insightful

    Don't run an OS that you can't patch yourself. Seriously, if we put our trust in these guys after they've proven time and again that they really don't represent our best interests we are the only ones to blame. It's about time to let MS go gently into the night alone and without a sleeping bag into a rabid pack of wolves.

    --
    I don't believe in karma, I just call it like I see it.
    1. Re:The solution is rather obvious by Anonymous Coward · · Score: 0

      If you can't figure out how to patch XP, you probably shouldn't be patching anything.

    2. Re:The solution is rather obvious by danomac · · Score: 1

      If you can't figure out how to patch XP, you probably shouldn't be patching anything.

      Uh, I think he was referring to the fact that the code is not available to the public, and people that know how to patch these vulnerabilities can't, even if they wanted to. One of the benefits of open source is that if the vendor doesn't want to fix something, you can fix it yourself (if you know how.)

  51. Weighted Down? by Anonymous Coward · · Score: 1, Insightful

    I wonder if the enormous deployment of XP will be the concrete block that causes Microsoft to sink to the bottom of the river.

    If Microsoft could not get XP users to adopt Vista and Win7 does not get them to upgrade either, then XP customers' inertia will pull Microsoft down.

    Microsoft can never go forward with XP users rejecting any new OS it produces.

    1. Re:Weighted Down? by HikingStick · · Score: 2, Insightful

      And with Windows 7 returning us to the age of malformed-packet-inducable-BSOD, I'm doing everything I can to maintain XP as our platform over the next 2-3 years, including a final round of PC purchases with XP downgrade rights in place.

      --
      I use irony whenever I can, but my shirts are still wrinkled...
    2. Re:Weighted Down? by Anonymous Coward · · Score: 0

      ...until you realize you're an idiot and see that Windows 7 RTM is not affected by the BSOD problem.

    3. Re:Weighted Down? by HikingStick · · Score: 1

      If they fixed it, that's great, though I've seen nothing verifying that fact. The fact that they had reintroduced a problem that was eliminated years ago just shows (IMO) that they are being sloppy. The last thing I want to deploy here is an OS that is open to old vulnerabilities.

      If you have a link pointing to anything that shows they fixed the issue in the RTM release, I'd be glad to review it.

      --
      I use irony whenever I can, but my shirts are still wrinkled...
  52. Cha-Ching by Anonymous Coward · · Score: 0

    Follow the cash. Windows 7 comes out in October and they want all those damn pesky XP users to upgrade to it since they refused to be Vista guinea pigs so they're cutting them off to upgrades to drive home the point of we want OUR cash. As others have noted, quite curious since you can buy some machines today with XP on them standard. Standard M$ crap.

  53. Re:Okay, we get it. This is leverage for 7 migrati by Attila+Dimedici · · Score: 1

    What really needs to happen is that "the public" needs to be aware of what is happening and, in Fox News style, be instructed how to feel and respond to it.

    I'm not sure why you think this is the sole province of Fox News. Perhaps because Fox News more closely reflects what the general American public thinks and feels? And thus appears to be more effective at shaping public opinion, when in fact they are more reflecting public opinion than shaping it. Here is a link that lists many attempts (some successful, some not) by other news sources to shape public opinion by selectively (and sometimes falsely) reporting the news: http://spectator.org/archives/2009/09/15/media-malpractice-tom-brokaws/

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  54. Re:I agre by zippthorne · · Score: 3, Insightful

    Because Apple stopped selling versions older than 10.5 nearly two years ago and the upgrade to 10.6 is thirty dollars retail. Microsoft is still selling XP licenses.

    --
    Can you be Even More Awesome?!
  55. Re:Legal? by TaoPhoenix · · Score: 1

    Legal Trouble? Hahaha!
    MS: "Here's $10,000"
    "Okay, no more trouble!"

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  56. XP is anything but off the market by Owlyn · · Score: 1

    I can't speak to the main issue of this story, but XP is anything but off the market. I bought a new copy of XP from New Egg last week for $90 and installed it on my daughter's computer. She has an older computer that cannot run Vista, and she lost her original XP CD. When her hard drive crashed, I replaced it and put the newly purchased copy of XP on it.

    1. Re:XP is anything but off the market by Anonymous Coward · · Score: 0

      And this is part of the problem!!!!! Microsoft just got paid TWICE for something they should have provided for free or a very reasonable media cost - maybe $5.

  57. M$? Come on, that's so nineties by Anonymous Coward · · Score: 0

    M$ isn't cute, funny, or meaningful.

    The dollar sign is dumb.

    Let's knock it off.

    1. Re:M$? Come on, that's so nineties by kurt555gs · · Score: 0, Troll

      Actually "M$" is cute, funny and meaningful. I have noticed it also triggers an almost automated response by Microsoft shills (paid or not) to mod down the post, no matter what.

      Interesting that a large corporation like Microsoft feels the need to work in such an evil and underhanded way.

      --
      * Carthago Delenda Est *
  58. Re:Okay, we get it. This is leverage for 7 migrati by erroneus · · Score: 1

    Okay, I have a weakness... sometimes I can't help responding to trolls and off-topic discussion.

    Fox news does NOT more closely reflect what the general American public thinks. If that were the case, the initial positive approval ratings of Obama would have been reflected in Fox's news reportings. Most polls showed that Obama was welcomed with enormous public majority favoring his getting into office. (FWIW, I am no Obama follower) Further and more recently, countless polls early on in the healthcare reform initiative, most people favored healthcare reform quite strongly with an overwhelming majority in favor of regulating the healthcare industry. Polls still report that the numbers are in favor of healthcare reform and the Fox News view would seem to be quite different.

    Not only this, but Fox News is more in the business of expression of opinion with the majority of its presentations and shows falling under the "editorial" category with its reporters performing all sorts of dramatics such as crying, screaming and in no uncertain terms calling Obama "racist."

    I completely understand the psychology behind the need to "defend your favorites" because the things people favor are somehow a reflection of themselves and so they are actually defending themselves in a way. This is why Apple and Microsoft fans are so froth-mouthed. And while I am not going to claim that "all other news is neutral," Fox News is known world-wide as being owned and directed by a particular group of people with a particular agenda on various issues. And that group of people are FAR from a majority. And, of course, Fox News is so far to one side that they are actually attempting to move the center closer to themselves to make everyone else appear to be polarized in the opposite direction. In short, Fox News has the strongest reality distortion field of any "News" activity.

  59. Re:Wouldn't SynAttackProtect work here? (on 2000 t by Anonymous Coward · · Score: 0

    Computer maybe broke. Computer maybe be un-broke with little work. Can do on own given not stupid. Take with grain of salt, reading slashdot.

  60. you are off by poetmatt · · Score: 2, Interesting

    wrong analogy, you are focusing on the wrong issue. Real analogy: Do you still expect adobe to patch the latest versions of their software as long as they are in business? yes. What if they had a DLL that was affected in *all* versions. Do you expect them to patch it with the latest version? Hell yes you do. This is not a car warranty, so that argument is completely null. Things that are on XP cannot necessarily magically be "upgraded" like you think, additionally why should someone even feel remotely obligated to spend money on a new version of something that works just fine?

    Car analogy: does the manufacturer shutdown their car after 10 years if you can keep it running?

    Why should MS exclude one?

    maybe you should think about the argument you are making, because it is off.

    1. Re:you are off by somersault · · Score: 4, Insightful

      Your argument doesn't work either though IMO. For one thing software changes a lot quicker than car technology so I was being pretty kind saying 10 years for the car stuff. You might expect a dealer to service a 30 year old car, but you're probably going to have to pay through the nose for it (and I've read of at least one case where a dealer didn't have the parts to service a car because it was so old).

      XP is not the latest software, it is simply the most popular. Even if the majority of people in the world preferred the original VW Beetle from the 30s (or whenever it started production, I think it was in production for something crazy like 50 years), it doesn't mean that VW are still obliged to find and fix design flaws in it. You'd expect a product recall if a large problem was found in the latest incarnation of the Beetle sure - but we're not talking about the latest version, we're simply talking about the most popular version, and it's getting out of its support lifetime. I don't think any other version of Windows has lasted so long.

      In this case the WINE team or some group like that could probably produce a replacement version of the TCP/IP stack to stick into Windows, it would be the equivalent of having to buy 3rd party copies of OEM parts for an ancient car. Yes you can "keep it running", but the original manufacturer has stopped supporting it. MS are not shutting down all old copies of XP, they're simply stopping support.

      IMO it would be nice of them to keep supporting it, and some companies would do so, but they have no obligation to. And it's definitely not MS's style to be 'nice'.

      --
      which is totally what she said
    2. Re:you are off by Sancho · · Score: 1

      You might expect a dealer to service a 30 year old car, but you're probably going to have to pay through the nose for it (and I've read of at least one case where a dealer didn't have the parts to service a car because it was so old).

      Not necessarily. If it's a manufacturing defect which warrants a recall, it may not matter if it's out of warranty. My 5 year old truck (out of warranty for 3 years) was recalled to fix a problem where the tailgate could fall off causing injury to those nearby.

      With software, it's a different sort of injury, of course, but it could still cause people lots of problems.

      And besides, they still sell XP to OEMs. My 3 month old Netbook came with it. And they're saying that they won't fix this bug. That's absurd.

    3. Re:you are off by poetmatt · · Score: 1

      software changes have 0 to do with the fact that they should still support it as it is still active. To say that a TCP/IP stack is not something in the latest software is beyond asinine.

      The stopping of support, and why does it matter you ask? Maybe because netbooks come with XP?

    4. Re:you are off by JasterBobaMereel · · Score: 1

      If the previous model of the car was still the most popular by far, I would expect the servicing to be cheap and the parts to be available, simply because it is the most popular .....

      No matter how old it is if it is the most popular and used version I would still expect it to be supported completely simply because it was still popular, you have to remember this is more like an engine than a complete car, Microsoft make most of their money selling other software that runs on Windows rather than on windows itself ....

      Stopping updates of any kind to XP is simply that they either cannot be bothered or do not want to because they want to force people to upgrade

      --
      Puteulanus fenestra mortis
    5. Re:you are off by Anonymous Coward · · Score: 0

      IMO your opinion is wrong, and IMO my opinion is right. See how easy that is?

      Let's use your horribly fucked up car analogy as an example, seeing as how it's stupid and flawed it makes a good starting point for taking down your idiocy. Let's say you happen to own the most "popular" brand and model of car on the road for your area. Practically everybody has one. Now imagine that car had an airbag that would occasionally explode without warning in your face while you're driving, and the manufacturers of the car state that they're not going to fix the airbags because it's a low-risk scenario and hey, the cars are old anyway, right? Even though they're still being sold? Why bother fixing something that's years old just to avoid a few thousand accidental deaths anyway, hmm? It's their own fault for owning an old car, if they don't want to face the consequences they should go out and buy a brand new one. You don't think that they're "obligated" to help anyone but what happens when it's time that -you- need help? Something tells me you're ignorant attitude would change pretty damn quick.

      Now please, think about what you're typing before you post it and spare us your moronic drivel.

    6. Re:you are off by relguj9 · · Score: 0, Troll

      Your argument doesn't work either though IMO. For one thing software changes a lot quicker than car technology so I was being pretty kind saying 10 years for the car stuff. You might expect a dealer to service a 30 year old car, but you're probably going to have to pay through the nose for it (and I've read of at least one case where a dealer didn't have the parts to service a car because it was so old).

      Exactly, if people want support for XP at this point... they would have to be willing to PAY for it. With cash. The initial cost of the OS doesn't wrap up into it the costs of support for 15 years, maybe 5 sure.

      But that's the big sticking point, people don't want to pay for anything, they want it all for free. If that is the case, then use Linux. If you want premium software and are willing to pay, upgrade to Windows 7. I actually happen to think that re-designing the OS is a good thing, hell it creates jobs for engineers and IT across the board. Not to mention the fact that it's a better and more secure OS.

      It's really that simple, Microsoft isn't the bad guy here (although they often are).

    7. Re:you are off by Khyber · · Score: 1

      You totally fail to see and understand the problem.

      First off, it's the TCP/IP stack - Technology that RUNS THE FUCKING INTERNET. For Microsoft to *NOT* fix the flaw in it means they're going to open up a massive fucking hole that anybody and their mother could probably exploit, and very likely this is going to cause problems. For example, most of our government systems still run XP - for Microsoft to refuse to patch this problem leaves us vulnerable, and they're doing it on purpose.

      That's giving aid to the enemy, which is treason. Microsoft, as of right now, should be charged with Treason against the USA and shut the fuck down.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re:you are off by Anonymous Coward · · Score: 0

      it would be great if third parties could offer support for old software, but it's pretty much impossible.

      sure GM, et al. don't publish their designs for their cars, but for tangible objects it's pretty easy just to get out a tape measure and muck it up (or a 3d scanner!), where even if the part isn't exactly the same at least it fits into the hole and does the same job.

      As a side note this is why i like the OSS model of clearly designed toolkits with clearly designed roles... it's easy to replace something if it quits.

      This kind of "fits the hole and does the job" isn't even possible for microsoft products! everything is so well obfuscated and interdependent that it's impossible!

    9. Re:you are off by metallurge · · Score: 1

      Yeah, except XP is still being sold on new systems. Microsoft can't have it both ways. Either they get to take money for it or get to stop supporting it.

      And in any case, they are a monopoly, which means the rules as far as support should be a little different.

      In this case the WINE team or some group like that could probably produce a replacement version of the TCP/IP stack to stick into Windows

      I have been wishing for this for some time, actually. Then you could remove the arbitrary limits Microsoft has imposed on file sharing and use XP as a fileserver.

    10. Re:you are off by somersault · · Score: 1

      How is shutting them down any better than them not producing patches? Your perspective on this situation seems more than a little warped..

      --
      which is totally what she said
    11. Re:you are off by somersault · · Score: 1

      I had forgotten that XP was still technically being sold on netbooks (ie not as a downgrade), and I didn't know that they had pledged to patch critical security issues on XP until 2014.

      And seriously: "you're ignorant attitude". Hilarious. Using your "think of the innocent people that could get hurt!" tugging at the emotions argument doesn't change the fact that once something is out of warranty then it is basically no longer the manufacturer's problem (plus a quick Google tells me manufacturers recommend replacing airbags every 10 years apparently - that is entirely the owner's responsibility though, not the manufacturer's). But in this case XP is technically in warranty so I have to agree.

      --
      which is totally what she said
    12. Re:you are off by Talar · · Score: 1

      XP is not the latest software, it is simply the most popular. Even if the majority of people in the world preferred the original VW Beetle from the 30s (or whenever it started production, I think it was in production for something crazy like 50 years), it doesn't mean that VW are still obliged to find and fix design flaws in it.

      Sure, they are not required to. But there are a lot of third party manufacturers that would produce replacement parts, sometimes even better parts than the originals if there was a demand for it. This is simply not an option for Win XP no matter how high the demand is.

      This should not be news to anyone making themselves dependent on Microsoft products, but lots of companies are doing it anyway. Guess it would be a bit different if the market was not monopolized.

    13. Re:you are off by muddybulldog · · Score: 1

      But the issue at hand isn't that the 2002 XP is the most popular model in use, it's that it is still available from dealers and is being sold with a warranty that's valid until 2014.

    14. Re:you are off by CompMD · · Score: 1

      You reminded me of something very interesting that Mercedes does with their service. Mercedes "supports" every car they have ever built for consumers. I can walk into any dealer and they will either have or can quickly get parts for my 1973 450SL. For older or more obscure cars, there's always their Classic Center in Irvine, where they will work on anything old Mercedes built. Additionally, Mercedes honors recalls indefinitely. The 107 series cars had a problem with cracking subframes, and when I bought my 73 SL (in 2003) and registered it with MB, I got a letter in the mail in 1970s MB letterhead instructing me to take it to a dealer, and they would repair or replace the subframe free of charge.

  61. TCP/IP, selling knowingly defective products by harvey+the+nerd · · Score: 4, Insightful

    The fix is to NEVER buy Microsoft products, again. Microsoft is a defective corporation that has made a mint off of selling knowingly defective products and reselling the HOPE that these defects will be fixed in the next update but reneging again, and again, and again, and again. MSFT's example of no/low quality has become the new American metric of quality, its business plan, corroding our society's business and work ethic, a complete mockery of the consumer laws on merchantability, deservedly debasing our reputation for quality goods.

    Since the government has been ineffective in enforcing these laws, falling for MS legal theories, only insistent market rejection will [partially] protect a consumer from the borg. No doubt we will be seeing more FUD IP attacks, like SCO, traceable to MSFT. Good luck to all. Fsck MSFT.

    1. Re:TCP/IP, selling knowingly defective products by Anonymous Coward · · Score: 0

      And use Linux instead? But what about all the apps for your digital camera, video camera, smartphone, GPS device that run only on Windows?

  62. Microsoft says... by AliasMarlowe · · Score: 1

    Microsoft says "no"
    Adding anything after the "no" is superfluous. We've learned that the hard way.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  63. Car/engine = Netbook/XP by nacturation · · Score: 4, Insightful

    Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Car/engine = Netbook/XP by somersault · · Score: 1

      In that situation I think a better analogy would be that you buy a new car, but get the dealer to install an old engine that is out of production, and still expect it to be covered by your warranty. XP isn't sold as standard anymore AFAIK, it's usually termed as Vista with "downgrade rights" even if XP is preinstalled on the machine. You could probably downgrade to Win95 too, would you still expect MS to support 95?

      --
      which is totally what she said
    2. Re:Car/engine = Netbook/XP by Volante3192 · · Score: 3, Insightful

      The problem with all these analogies is Microsoft DID put a long warranty on XP, and SP2 is still covered.

      http://support.microsoft.com/lifecycle/?LN=en-us&x=8&y=10&C2=1173

      So the analogy here is, you buy a car. The manufacturer offers a 15 year warranty. 10 years in they find a flaw, they don't fix it and instead tell you to take it to a third party mechanic for a workaround at which point you find some lawyers and sue their contract breaching butt into next year.

    3. Re:Car/engine = Netbook/XP by geekoid · · Score: 1

      "In that situation I think a better analogy would be that you buy a new car, but get the dealer to install an old engine that is out of production, and still expect it to be covered by your warranty.

      If the dealer installed it, why wouldn't you expect the warranty to be valid?

      Anyways, there are a lot of products where XP is the default OS. So your analogy is just plain wrong.
      look here:
      http://www.dell.com/content/products/features.aspx/mini_laptop_deals?c=us&cs=19&l=en&s=dhs&ST=netbook%20(exact)&dgc=ST&cid=38726&lid=1204655&acd=52183,8,0,68295161,714235004,1253027665,,17387705,3392046651

      Netbooks with XP as the default.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:Car/engine = Netbook/XP by somersault · · Score: 1

      Fair enough, if SP2 is still covered then they definitely should be providing support. But I expect some of these nutcases would still be bitching and moaning at MS in 5 or 10 years time if by some fluke XP was still more popular than whatever MS has out at the time, and MS was refusing to provide updates.

      --
      which is totally what she said
    5. Re:Car/engine = Netbook/XP by ppanon · · Score: 1

      The problem with all these analogies is Microsoft DID put a long warranty on XP, and SP2 is still covered.

      Not sure how you get that from that chart. Under XP SP2, the columns for mainstream/extended support retired say "Not Applicable". The way I read it, that July 2010 "Service Pack Retired" date is the date at which MS will stop being obliged to keep SP2 on their web site and MSDN. The real support dates that matter are the ones for the original XP release, 4/14/2009 for regular support and 4/8/2014 for extended (pay) support. This is supported by the note for XP SP3, you know...the latest Service Pack, which says "Support ends 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first." Now personally I would have expected 10 years of support that, with XP released on 12/31/2001, you would expect would be 12/31/2011, but apparently that's not the case.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    6. Re:Car/engine = Netbook/XP by Anonymous Coward · · Score: 0

      Meanwhile, the garage down the street offers FREE Linux engines without the flaw (although you have to install the engine yourself or pay someone to do it).

    7. Re:Car/engine = Netbook/XP by relguj9 · · Score: 1

      Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.

      This analogy sucks, because you can replace the netbook's "engine" with a bootable USB drive and Linux for FREE OR a bootable CD and Windows 7 for under 100 bucks.

    8. Re:Car/engine = Netbook/XP by hrimhari · · Score: 1

      Wow, you're clearly misinformed. Most netbooks come with Windows XP OEM preinstalled or Linux. There's no downgrade trick. Here...

      Dell
      Asus
      Acer
      Samsung
      Toshiba
      Sony

      --
      http://dilbert.com/2010-12-13
    9. Re:Car/engine = Netbook/XP by element-o.p. · · Score: 1

      Exactly. I was about to post the exact same thing, but I saw you beat me to it.

      Whether or not you agree that Vista or Windows 7 is better than XP is irrelevant. Microsoft has said they no longer will support versions of Windows before Vista. While it may not be wise for Microsoft to try to force the market to upgrade, it is still their right to discontinue support for older versions of their products, and honestly, I can't really blame them for deciding to drop XP support. C'mon -- the code is what, seven years old now?

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    10. Re:Car/engine = Netbook/XP by element-o.p. · · Score: 1

      If the dealer installed it, why wouldn't you expect the warranty to be valid?

      1) Because the engine manufacturer explicitly said the old engine wouldn't be covered by the warranty because it had reached end-of-life.
      2) Because the dealer (Dell, Compaq/HP, Acer, etc.) is not the "engine" manufacturer (Microsoft), and you are expecting the "engine" manufacturer to honor the dealer's warranty.

      Anyways, there are a lot of products where XP is the default OS. So your analogy is just plain wrong...Netbooks with XP as the default.

      See answer #2 above.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    11. Re:Car/engine = Netbook/XP by Lehk228 · · Score: 1

      No, you are wrong, MS does still sell XP on netbooks, which these days are considerably more powerful than a typical PC was when XP came out.

      --
      Snowden and Manning are heroes.
    12. Re:Car/engine = Netbook/XP by nacturation · · Score: 1

      Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.

      This analogy sucks, because you can replace the netbook's "engine" with a bootable USB drive and Linux for FREE OR a bootable CD and Windows 7 for under 100 bucks.

      Sure, and if it came with a defective hard drive you could replace that too. Never mind that you paid good money for the defective components it came with that you now have to waste your time and money replacing, whether software or hardware.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    13. Re:Car/engine = Netbook/XP by relguj9 · · Score: 1

      Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.

      This analogy sucks, because you can replace the netbook's "engine" with a bootable USB drive and Linux for FREE OR a bootable CD and Windows 7 for under 100 bucks.

      Sure, and if it came with a defective hard drive you could replace that too. Never mind that you paid good money for the defective components it came with that you now have to waste your time and money replacing, whether software or hardware.

      There is a significant difference between hardware and software and even significant differences in the economics and life cycles of hardware in a car and in a computer. If the hard drive failed in the first year or so then I would expect it to be replaced, if it failed after that then it's my problem. If the engine failed in a car in the first 100,000 miles, I'd expect it to be replaced. Software has no analogy to a car really, I'm stumped there.

      Either way, from TFA, XP doesn't have any issues so a hotfix is not necessary. Even if it was necessary, I personally wouldn't deride Microsoft for not making the fix unless I was paying a service contract to them or bought the software license at the original price directly from them. If you're just buying a license from a third party that bought it from Microsoft several years ago or bought it from Microsoft with the addendum that it will not be supported then it's your problem if there's an issue.

      Software costs money to support. Pay for the support, use open source software or buy new software.

    14. Re:Car/engine = Netbook/XP by nacturation · · Score: 1

      If you're just buying a license from a third party that bought it from Microsoft several years ago or bought it from Microsoft with the addendum that it will not be supported then it's your problem if there's an issue.

      The latter case I agree with. In the former, if you bought it new and weren't informed there's a defect that won't be fixed you ought to be entitled to a refund.

      Software costs money to support. Pay for the support, use open source software or buy new software.

      Agreed.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    15. Re:Car/engine = Netbook/XP by skiman1979 · · Score: 1

      Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.

      Well that's not Microsoft's fault. Why should Microsoft be forced to patch a 10+ year old OS just because some OEMs are still selling new hardware with XP on it? Microsoft can still sell licenses for XP 'as is' as long as OEMs understand that the OS is 'broken'. It's up to the OEMs whether they want to use it, or 'upgrade'.

      To my knowledge, Red Hat no longer supports old versions of its OS (prior to version 7??). If you find a laptop with an unsupported version of Red Hat Linux on it, and find it's broken, would you demand Red Hat to provide a patch, or demand the laptop manufacturer provide a supported version of the OS?

      Granted, the situation can get difficult with some Military systems that could be in production for 20+ years. What will happen in 18 years when there are still networked weapon systems out there running WindowsCE 4.2? Upgrade to Windows Mobile 25?

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    16. Re:Car/engine = Netbook/XP by relguj9 · · Score: 1

      If you're just buying a license from a third party that bought it from Microsoft several years ago or bought it from Microsoft with the addendum that it will not be supported then it's your problem if there's an issue.

      The latter case I agree with. In the former, if you bought it new and weren't informed there's a defect that won't be fixed you ought to be entitled to a refund.

      Agreed, but I would add that in this case the onus would be on the netbook supplier and not Microsoft. Good point though.

  64. No XP but Server 2003? by Joe+U · · Score: 1

    That doesn't make sense. Server 2003 and XP are nearly the same, how could they patch one and not the other?

    1. Re:No XP but Server 2003? by oDDmON+oUT · · Score: 1

      "Server 2003 and XP are nearly the same, how could they patch one and not the other?"

      Because that doesn't ensure the revenue stream flowing?

      --
      Some days it's just not worth
      chewing through my restraints.
    2. Re:No XP but Server 2003? by Joe+U · · Score: 1

      Well, Server 2003 was released a year later and is 5.2, vs XP 5.1 but seriously, I think the stack changes could be backported.

  65. Eminent Domain by Anonymous Coward · · Score: 0

    Copyright is a government grant of rights.

    Just stop enforcing them. The government would be well within their rights.

    Or take the source code.

    Again, they would be within their rights.

    Or rescind the corporate charter.

    Again, they would be within their rights.

    1. Re:Eminent Domain by Anonymous Coward · · Score: 0

      >> Copyright is a government grant of rights.
      copyright is the government recognition of the right of ownership of the IP and ability to legally reproduce it that comes from having created the work, or from having purchased the rights from the creator.

      >> Just stop enforcing them
      Microsoft's work is copyrighted not only in the US, but in many other countries as well, and as signatories to the Berne convention, even if we nullified their US copyright, which would be on dubious legal grounds, we would be legally required to recognize the copyrighted status in other countries

      >> Take the source code
      This is not within the government's rights. For security purposes, since it is used by government systems, they could demand to see the source code and audit it, but they can not seize it legally. Eminent domain does not exist for software.

      >>rescind their corporate charter
      We could most certainly do that, and I suspect that once it was done, and after laying out a very large sum of money to good moving companies, we would find that Microsoft had vacated Redmond within a week, and had set up shop about 100 miles further north in a country where they act a little less like asshats in general.

  66. Re:Wouldn't SynAttackProtect work here? (on 2000 t by Anonymous Coward · · Score: 0

    "@" takes two character strokes (shift 2) to write
    "at" takes two character strokes to write

    Writing "at least" is universally understood and no more effort than writing "@ least".

  67. "Infeasible"? This is a true, flat-out lie. by Impy+the+Impiuos+Imp · · Score: 1

    There are few things more feasible than devoting a few engineers to working on a product used by tens of millions. That's the core definition of mass production and mass sales.

    Legion are the feasible products that had a minuscule fraction of that, at best.

    No, this is a lie whose purpose is to help twist the wooden stake in the chest of XP and 2000, both of which are still well-distributed at home and in business. Hell, I only had my 2000 machine replaced with an XP machine at work 3 freakin' months ago. And I'm one who gets regular upgrades at the premium "engineering" level computer = about 90% of the bleeding edge hardware capability, as my company defines that lol.

    Note Microsoft got another OS sale for this new XP machine. Gotta really twist hard now in preparation for Vista++, whatever the hell it's called.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  68. Buster Gonad by ciderVisor · · Score: 0, Offtopic

    and his "not feasibly" large testicles.

    --
    Squirrel!
  69. stop this slashdot bashing and RTFA by Anonymous Coward · · Score: 1, Insightful

    and nobody here on slashdot notices that they actually explained that xp past sp2 doesn't NEED the fix, as it's written and documented.

    reason: it's a flaw that affects all systems that have a listening service of some form on the firewall. all server os have it, vista, win7 have it. but xp doesn't.

    so it doesn't NEED THAT FIX.

    stop slashdotting and bashing microsoft, all of you.

    (and i fully support that they don't care about pre sp2 windows xp anymore, as no one should)

  70. The Microsoft honeymoon is over! by Anonymous Coward · · Score: 0

    We're in the worst economic downturn since the great depression and NT4 and Windows 2000 are still in widespread use. Custom software is a huge outlay for SMEs and they're not typically looking to replace perfectly serviceable code every decade. I have one client who depends on an app written in an obscure 4GL, they don't have the source code to the runtime and it will not run under Server 2008. We're not just talking office software; Industrial control apps where the initial cost of developing the plant is amortized over a period of 15-20 years usage.

    I'm sure many of us warned our employers at the time about switching to NT, just as we warn them about cloud computing now. Microsoft's message as they pass around the hat to collect their monopoly rent, "Depending on our software was the wrong choice suckers". Let's get the facts: what's Microsoft's TCO now?

  71. Virus authors have bigger fish to fry by tepples · · Score: 1

    it's not like anyone would ever write a virus capable of exploiting the hole that someone could accidentally install on their computer, behind the company firewall.

    This hole isn't useful to build a botnet because the effect of an exploit is just RAM consumption, not arbitrary code execution. Virus authors have bigger fish to fry.

    1. Re:Virus authors have bigger fish to fry by PlusFiveTroll · · Score: 1

      Not very useful for botnets, yes... very useful if the virus author had a vested interest in selling new copies of Windows.

    2. Re:Virus authors have bigger fish to fry by tepples · · Score: 1

      Not very useful for botnets, yes... very useful if the virus author had a vested interest in selling new copies of Windows.

      What virus author would "have a vested interest in selling new copies of Windows"? Microsoft? A major PC maker? If such a company were to get caught authorizing the development and deployment of a virus, governments would immediately publish plans to migrate from the company's products.

    3. Re:Virus authors have bigger fish to fry by Anonymous Coward · · Score: 0

      It's tiring to see this flimsy assertion repeated throughout this topic. Another poster has already shown (note 2nd citation) why DOS vulnerabilities such as these should not be treated lightly.

      Before you (or anyone) responds that MS could patch it after it becomes a more serious vulnerability, there are two problems: MS has asserted that a patch is not feasible - they'd have to do a lot of work (implying a significant delay) to mitigate it; MS has announced that a published vulnerability will not be patched on a widely deployed platform, effectively inviting malware authors to attempt to turn a non-critical DOS vulnerability into a remotely exploitable vulnerability, preferably (from the malware author's POV) a zero-day exploit - and the opportunity is especially attractive because MS asserts that a patch is not feasible.

      - T

  72. older than that by hey · · Score: 1

    I haven't bothered to check... but didn't Microsoft just use BSD-licensed TCP/IP stack like everyone else? If they did that would make the code much older than 15 years. Which is fine. Old code doesn't imply bad.

    1. Re:older than that by Ash-Fox · · Score: 1

      but didn't Microsoft just use BSD-licensed TCP/IP stack like everyone else?

      Nope. They used some proprietary thing that was loosely based on the BSD-licensed TCP/IP stack.

      --
      Change is certain; progress is not obligatory.
  73. RTFA? Oh wait... it's slashdot. by enriquein · · Score: 2, Insightful

    Has anyone even cared to read the article, or at least the statements before nerdraging over this? The version of XP that won't get a patch is vanilla XP. Even as a developer I'd say it's ridiculous to expect a software vendor to patch something that has been fixed by a security patch that has been out for years now. That being said, I still use XP at home and I was outraged when I read the headline, but heading over to the article I stumbled upon this quote (which btw has been quoted a couple of times already, I'm only re-quoting in hopes that it will get read):

    In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    Interestingly enough, if you are that concerned about security, then you probably already installed at least SP2. Which means that your XP box is NOT vulnerable to this type of attack. I guess Computerworld needed a flashy headline to get some clicks and ad revenue.

  74. Re:XP is teh dead by Lulfas · · Score: 3, Informative

    Posting this way up here so people see it. Summary is mostly incorrect. From TFA: "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

  75. Third party patch by tecker · · Score: 1

    I wouldn't be surprised if there is a third party developer that creates a patch that fixes this. Wasn't there something like that a while back?

    --
    Procrastinating life a way at a rapid rate of speed.
    1. Re:Third party patch by CAIMLAS · · Score: 1

      If my experience with fixing XP bugs or misfeatures is any indication, it should be relatively easy to strip the 2k3 binaries of identifier strings and simply use that. Many 2k3 binaries are 'portable' to XP, if not for their versioning information.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  76. can't bury the truth, modshills by drinkypoo · · Score: 1

    The above is clearly not a troll. One quick glance through my posting history will confirm that I believe these things. Feel free to believe that I am a crackpot, but anyone who doesn't understand that well-moneyed interests are the only true voters in this nation has truly missed the boat. If you can't read between the lines, then you'll never really understand anything. It's like all the idiots in the last couple days "RIP NORMAN BORLAUG"... the so-called green revolution has done little to nothing to feed the starving, but has pushed the use of synthetic pesticides and fertilizers as well as machine harvesting techniques that when combined kill off the soil. The evil done far outweighs the good. The Gates Foundation is very much the same thing. Time will prove me right, I wish it were otherwise.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:can't bury the truth, modshills by Duhavid · · Score: 1

      It doesn't have to be a troll for a Microphile to mod it as such.

      --
      emt 377 emt 4
  77. May hurt dealers in Germany by Lonewolf666 · · Score: 1

    That will be interesting under German law.

    IANAL but I'm familiar with a few of the relevant regulations. One of them is that the customer has a claim against the dealer he got the software from. Not against Microsoft directly.

    So in theory a pissed off customer in Germany could sue the dealer but not Microsoft. Maybe the dealer could sue Microsoft in turn, but I'm not sure about that. AFAIK contracts between companies allow a lot more exclusions of liabilities than contracts with consumers, so Microsoft may have guarded against that.

    --
    C - the footgun of programming languages
    1. Re:May hurt dealers in Germany by TheLinuxSRC · · Score: 1

      One of them is that the customer has a claim against the dealer he got the software from. Not against Microsoft directly.

      This may actually work out better if there are large corporate customers that deal directly with MS rather than through a reseller.

  78. Re:Okay, we get it. This is leverage for 7 migrati by Attila+Dimedici · · Score: 1

    Did you even check the link I posted? The link gave specific examples of the other news networks doing the same things you accuse Fox News of.
    BTW, I have not watched more than 6 hours of Fox News programming since the network began. I believe that television is an inherently terrible place to get news from.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  79. I tagged this story "plannedobsolescence" by GameboyRMH · · Score: 1

    That says it all really. Win7 is a decent improvement, but I guess those people happy with their XP machines need some "motivation"...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  80. Use your warranty and get a refund by Walles · · Score: 1

    If it's less than one year old and the manufacturer refuses to fix critical problems with it, you should be able to hand your Windows license back and get a refund.

    --
    Installed the Bubblemon yet?
  81. News Just In... by alien-alien · · Score: 1

    Micro$oft finally finds 15 year old bug in software but cannot fix it as no one writes assembler anymore!

  82. Re:Wouldn't SynAttackProtect work here? (on 2000 t by Anonymous Coward · · Score: 1, Informative

    It's actually Alexander Peter Kowalski, and he's a freakin nutjob.
    His posts are ALWAYS like this... a bizarre mashup of English, symbols and general incomprehensibility.

    He likes to piss and moan about the HOSTS file not allowing 0 as a shorthand for 127.0.0.1

    -Yuri Klastalov-

  83. It's just WGA* in practice ... by Rambo+Tribble · · Score: 1

    ... *Windows Genuine Abandonment.

    1. Re:It's just WGA* in practice ... by Rambo+Tribble · · Score: 1

      By the way, the 12 to 15 year old code thing must not be true, because I specifically remember Bill telling us XP was a "complete rewrite". Oh, my! You don't think Bill lied, do you? Oh, yeah, come to think of it his lips were moving.

  84. inconceivable! by Anonymous Coward · · Score: 0

    That's unpossible!

    You keep using that word. I do not think it means what you think it means.

  85. Newsflash by geekoid · · Score: 1

    If a car is discovered with a flaw in its design, then yes, they WILL cover a fix. Warranty or not.

    Yes, the software they released was broken, so yes, they should be held responsible to fix it.

    BTW, this is the ONLY way companies will start releasing better software, and the only way a company that makes an OS will put Design ahead of replacing it every 3 years.

    "Microsoft are perfectly within their rights to "force" obsolescence onto users by concentrating on more recent versions of their software."
    No.
    They are within their right to not add new features, cosmetic changes, and a lot of other things, but they aren't within their right to sell a flawed product and then tell their customers to screw off.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Newsflash by CapnStank · · Score: 1

      "If a car is discovered with a flaw in its design, then yes, they WILL cover a fix. Warranty or not."

      Wrong. They WILL cover it if they deem the cost of recall to be less than that of payout for individual lawsuits.

  86. Re:XP is teh dead by JacobSteelsmith · · Score: 1

    Correct me if I'm wrong. Microsoft is saying that because, by default, Windows firewall does not allow any listening services, the client is safe?

    So anyone running Windows XP should not have any listening services. I just realized that, by default in our enterprise environment, the Windows firewall on our desktops is shut off (not my decision). This probably isn't a good thing.

  87. Microsoft is smart by Anonymous Coward · · Score: 0

    It makes sense to NOT invest money/resources in something that will only encourage users to stay with XP.

  88. Wizard by lymond01 · · Score: 1

    Welcome to the Launch Nuclear Weapons Wizard

    Please read the licensing agreement.
    [Don't use against own country...Microsoft holds no responsibility...Mutants created by fallout may be used in Halo 4 marketing campaigns without prior consultation of blah blah blah...]

    Are you launching towards a position more than 3000 miles from your current location?

    Are you launching across the Pacific Ocean?

    Are you launching across the Atlantic Ocean?

    Ah...going over the North Pole to shorten flight time?

    Errr...South Pole?

    You aren't, by chance, located on the east coast?

    Which would put you more than 3000 miles away from Redmond, Washington?

    Bummer.

    1. Re:Wizard by oatworm · · Score: 1

      You're overthinking this:

      An unidentified country wants access to your nuclear secrets
      Don't allow the country access unless they are an ally or they have offered campaign contributions.

      peoples-republic-of-china.prc
      People's Republic of China

      Cancel
      We either need to look tough on national security or the unions just paid us off to start a tariff war.

      Allow
      We have received enough in campaign contributions to buy off some positive press when this story breaks.

  89. Terrificatious Bushification by Tablizer · · Score: 1

    The Georginator himselficant couldn't pronunciaticate in a morely Bushified methodification if he triedicated.

  90. Re:Wouldn't SynAttackProtect work here? (on 2000 t by Anonymous Coward · · Score: 1, Informative

    First and foremost: remember, we're talking about Windows 2000 and Windows XP below.

    CVE-2008-4609 documents a problem with TCP stacks where established connections (meaning the initial SYN, SYN+ACK, ACK have already been experienced) can renegotiate their TCP receive window size to a small value (no idea what "small" means) or zero, the result being the number of available sockets on the machine becomes exhausted over time. Since TCP window sizes are negotiated, but not necessarily respected, there's really nothing one can do about this other than fix the stack, or allow added tuning for this. You can force window sizes (like you mention in your post), but that does not guarantee the remote end will honour them. This is Normal(tm).

    CVE-2009-1925 documents a much more serious problem with the Windows TCP stack: "a remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information." There's nothing one can do about this one other than fix the TCP stack. End of discussion.

    CVE-2009-1926 documents a problem with the Windows TCP stack where an already established TCP connection, with an agreed upon small (again, no idea what "small" is) or zero-sized TCP receive window, is closed with data still pending on the socket (likely shown as SendQ). When this scenario occurs, the Windows TCP stack never removes this entry from the state table. There's no indication or documentation from Microsoft as to whether or not this applies to sockets which have a) already gone through the FIN, ACK, FIN+ACK, FIN+ACK handshake, or b) is stuck in a "half-open" state where either the teardown handshake is severed/botched in mid-stream, c) is stuck in a "half-open" state elsewhere before socket teardown, or d) is stuck in a "half-open" state during RST.

    I think you're focusing on CVE-2009-1926, since you have excessive focus on "half-open" connections, but then simultaneously you switch to focusing on SYN.

    > TcpMaxHalfOpen
    > TcpMaxHalfOpenRetried
    >
    > Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)

    "Half-open" can refer to one of two things, depending on who you talk to: where from a source, SYN has been sent but has not received a SYN+ACK back (Windows calls this state SYN_RECEIVE, *IX calls this SYN_RECV) -- or -- a socket that has already been established but during tear-down never completes the full 4-way handshake (see above).

    > P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above)
    > SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...

    Please do not follow this advice. It has been stated by Microsoft in numerous KB articles that people should not use GlobalTcpWindowSize. The registry entry in question has been deprecated with the introduction of Windows 2000 and beyond; you should be using this.

    Secondly, increasing/forcing/making static the TCP window size permitted does not "harden" the stack at all, or provide any direct effect on security. Instead, stop that and enable RFC1323 instead. There are numerous sites that describe this process. On servers in this day and age, RFC1323 is more or less mandatory, ideally if you're serving large content (greater than 64KB). Here's some links that describe RFC1323 in Windows:

    http://searchnetworking.techtarget.com.au/tips/27055-How-to-use-TCP-RFC-1323-to-improve-Windows-XP-s-network-performance
    h

  91. class action lawsuit waiting to happen by Xanthvar · · Score: 1

    This looks like a class action lawsuit waiting to happen.
    XP is still the main OS for netbooks, and if MS is going to sell (or allow others to resell), then they need to support it until there is alternative for that class of hardware on the market. And I am guessing that Win 7 isn't going to run like everyone thinks it will on old/underpowered hardware like the betas seemed to indicate.

    As far as the argument that the XP firewall will prevent this, we all know that isn't true, not to mention, there are often times when running the XP firewall is undesirable, like on enterprise deployments that sit behind an edge firewall.

    I doubt anything will actually happen, but it would be interesting if it did.

  92. Re:Okay, we get it. This is leverage for 7 migrati by brkello · · Score: 1

    Clearly, you didn't read the article as it is not an issue for XP SP2 and SP3. Maybe remember this the next time you decide to use the word "clearly" and postulate on crap you don't know the details about. Fox News style indeed.

    --
    Support a great indie game: http://www.abaddon360.com
  93. Netbooks by Anonymous Coward · · Score: 0

    Isn't M$ going to sell XP on netbooks ? Wouldn't this mean that any M$ netbook would inherently be insecure ?

    1. Re:Netbooks by CAIMLAS · · Score: 1

      They've pretty much stopped doing that, though there are still some out there with XP. I suspect any we see coming out after the Win7 release date will have Win7 Starter on them.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  94. Cisco is doing the same thing by Andrew+Lindh · · Score: 1

    Cisco is also doing the same thing. They are fixing only the "current" IOS versions for "current" routers. This means MANY routers currently installed and running the Internet cannot be patched because Cisco JUST ended support before the patch (eg 7500 backbone routers and MANY others) or the routers do not have enough memory to run the current 12.4 software (eg 1700/2600/3600). This is Cisco's (and Microsoft's) way of saying "you should pay more to 'upgrade' to new software/hardware (even if your current stuff works)". I can understand Cisco not supporting the old 2500/1600 routers.... they should be replaced even if they work correctly!

    The cisco TCP bug notice

  95. Re: 'We're talking about code that is 12 to 15 yea by mcgrew · · Score: 1

    B-b-but we're not ON your lawn, sir!

  96. The real problem is... by mister_playboy · · Score: 1

    The real issue is that I can walk into Walmart right now and buy a computer that comes with XP on it. Adobe may not support an 8 year version of Photoshop, but neither do they continue to sell that 8 version today.

    --
    Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  97. Next Week: Adrian Stone Fired by Gallomimia · · Score: 1

    We're talking about code that is 12 to 15 years old in its origin

    Maybe you shouldn't have admitted that. And why, pray tell, is the code this old?

    --
    Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
  98. But anything can install such a service by Otis_INF · · Score: 2, Informative

    The problem is that anything can install such a listening service on XP making it instantly vulnerable. That XP SP2/3 isn't vulnerable by default is a 'mitigating factor' in MS Security bulletin lingo, not a reason not to patch.

    I don't understand why they're dragging their feet, as sooner or later something installs a listening service (or the user already has such a service) and it's over.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:But anything can install such a service by racermd · · Score: 2, Insightful

      Here's more ammo - Microsoft offers a fix for Windows Server 2003 which is based on many of the same core components as Windows XP. You very well might be able to use the Windows Server 2003 hotfix on Windows XP without any modification. If I were in charge of patching desktops in a large corporate environment (and I was at one point), that's exactly what I would do (after testing that it works) while screaming bloody murder to my Microsoft rep. Then, I'd let the network guys know about it so they can lock things down at the gateway, as well, if it wasn't already.

      Translation: "By NOT fixing Windows XP like we should, we are artificially creating a reason for you home users to 'upgrade' to Windows Vista or Windows 7 and seriously pissing off our corporate customers."

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
  99. 12-15 years? by CAIMLAS · · Score: 1

    'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,'

    Eh? You mean to say that Windows 2000 and Windows XP weren't "complete rewrites" like they claimed (at the time), and that that code goes back to NT4?

    What about 2003 Server? Correct me if I'm wrong, but that's the same exact network codebase as XP. If you're going to patch 2k3, the amount of effort would be trivial to patch XP. (Often, the DLLs are even interchangeable, so it might be possible for a 'community' patch to be made.)

    From where I'm sitting, this sounds like MS is putting a "real" EOL date (ie "today") on XP instead of "promised" EOL. That's a really crappy thing to do to your customers, as you can still get new Windows XP based devices (and they were commonplace as of a couple months ago). I'd suspect they're trying to push business clients to upgrade their networks due to the difficulty of "forcing" a customer to move from a 7-year-tested application framework to a new, yet-untested OS. I suspect it's been many years since small-medium businesses have given much money to Microsoft for OS licensing.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  100. Re:Okay, we get it. This is leverage for 7 migrati by Gallomimia · · Score: 1

    Fox News? What's the matter? Haven't you heard of CNN? That network uses even their car commercials to pound the point home.

    I believe that television is an inherently terrible place to get news from.

    Yes it is truly terrible to trust the television because it is completely under the control of a government agency which does not have to abide by the constitution. And here in Canada it's a little worse, but less abused. From the page linked in previous post:

    You said that it was critical for people to "vet information… because there is so much disinformation out there that it's frightening, frankly, in a free society that depends on information to make informed decisions." Mr. Friedman then chimed in that the Internet is "an open sewer of untreated, unfiltered information."

    And soon the internet too will be brought under the umbrella of censorship, and then we'll be back to the dim ages.

    --
    Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
  101. Re:Okay, we get it. This is leverage for 7 migrati by CAIMLAS · · Score: 1

    A good example of the "honest" reporting from non-Fox news organizations can be seen while examining this past weekend's 912 Project/Tea Party protest in DC. ABC News, specifically, was reporting 70k-80k people in attendance for a diverse base of reasons/no unified front. The reality, however, is that there was one primary (and very evident) unified front of "too much government/government spending", and that there were well over 1 million people present. While it might be difficult to prove there were over 1 million people in attendance, a review of the many stop-motion videos will show you that there were easily well over 100k people in attendance: people covering the 100' wide roadway all the way from the White House to the Capitol Building.

    Sadly, this is just one of a handful of fraudulent reporting from CNN and ABC. They appear to be the worst offenders of late. Fox News isn't perfect, but anyone who's paying attention should be able to notice a bit of an echo chamber amongst the non-Fox news sources - and when Fox differs, an analysis of the information presented and facts available (photographic, independent 3rd party, etc.) tends to prove Fox in the right.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  102. Re:XP is teh dead by GSloop · · Score: 1

    By *default* XP doesn't have RDP running.
    But how many run XP in its "default" configuration.

    Run RDP and you're screwed, at least as far as anyone can tell.
    It appears that with ANY listening service, which probably includes RDP, your XP station is vulnerable.
    And forbid that you might be running some other agent/VNC/or other listening service.

    To be clear... It appears that any non-firewalled listening service opens up this vulnerability. (ie. You run RDP and actually allow that port through even a running firewall. [You know, like it's not a lot of good running RDP if you can't get to it since it's firewalled.])

    Go read the transcript. MS uses all sorts of weasel language to avoid the questions asked.

    At best that means that someone could DoS all your XP stations (perhaps they'll have to be inside your network, but the next spyware/trojan infection could take down the whole network.) [This is true ONLY if the weasel explanation MS gave is actually what it appears - and given the true weasel nature, I'd guess it isn't.]

    At worst, that next spyware/trojan could do remote code execution on the whole network running XP and turn everything into a zombie bot-net.

    Oh, where do I sign up for that. That sounds like real fun!

    -Greg
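
Added example, not part of any comment in this thread and not Microsoft's tooling: comments 90, 98 and 102 turn on which TCP services a host exposes and on connections that are never released, and this Python sketch checks both from `netstat -an` output. The sample output, its addresses, the threshold and the choice of FIN_WAIT_1/FIN_WAIT_2 as the lingering states are assumptions of the example.

```python
import re
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state")

# States in which a closed-but-never-released connection would show up.
# Picking FIN_WAIT_1/FIN_WAIT_2 is this example's assumption.
LINGERING_STATES = {"FIN_WAIT_1", "FIN_WAIT_2"}

# Constructed sample in the layout printed by Windows `netstat -an`.
# Addresses come from documentation ranges, not from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:40001     FIN_WAIT_1
  TCP    192.0.2.10:3389        198.51.100.7:40002     FIN_WAIT_1
  TCP    192.0.2.10:3389        198.51.100.7:40003     FIN_WAIT_1
  TCP    192.0.2.10:3389        198.51.100.7:40004     FIN_WAIT_1
  TCP    192.0.2.10:3389        198.51.100.7:40005     FIN_WAIT_1
  TCP    192.0.2.10:3389        203.0.113.20:51000     ESTABLISHED
  TCP    192.0.2.10:139         203.0.113.20:51001     FIN_WAIT_2
  UDP    0.0.0.0:500            *:*
"""

TCP_LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_0-9]+)\s*$"
)


def parse_netstat(text):
    """Return one Conn per TCP row; headers and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            conns.append(Conn(lip, int(lport), rip, int(rport), state))
    return conns


def is_loopback(ip):
    return ip.startswith("127.") or ip == "[::1]"


def exposed_listeners(conns):
    """Ports listening on a non-loopback address.

    These are the services that matter for the 'no listening service'
    mitigating factor, if the host firewall also lets them through.
    """
    return sorted({c.local_port for c in conns
                   if c.state == "LISTENING" and not is_loopback(c.local_ip)})


def lingering_by_peer(conns):
    """Count connections per remote address stuck in a lingering state."""
    return Counter(c.remote_ip for c in conns if c.state in LINGERING_STATES)


def lingering_by_port(conns):
    """Count lingering connections per local service port."""
    return Counter(c.local_port for c in conns if c.state in LINGERING_STATES)


def flag_peers(conns, threshold=4):
    """Remote addresses holding at least `threshold` lingering connections."""
    counts = lingering_by_peer(conns)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("exposed listeners:", exposed_listeners(conns))
    print("lingering per port:", dict(lingering_by_port(conns)))
    print("flagged peers:", flag_peers(conns))
```

Run on a schedule against live `netstat -an` output, a steadily growing lingering count on one service port is the signal to filter that peer upstream or close the port.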

  103. Like TCP is YOUNG? by hhawk · · Score: 1

    Of course the TCP/IP stack is older than XP. Perhaps they built one from scratch or maybe they bought someone's and extended it.

    Now, I understand over time code can get really wonky and have lots of odd bits of cruft that are under documented and all of that.

    Given the importance of I/O, Com and Net Access you would think that MS's TCP/IP stack would have been coded by the brightest of the bright and following all best practices, etc. they would have well crafted, well documented and even beautiful code, if you will.

    --
    http://www.hawknest.com/
  104. TCPIP stack on Windows hasn't changed since NT by hilather · · Score: 1

    Xtrace identifies the Vista TCP/IP stack as identical to the Windows NT stack. Obviously the code is similar at least. However, I would bet that it's just a cut and paste job.

  105. open source it so your customers can patch it by Locutus · · Score: 1

    oh, that's right, you don't "do" open source and you want your customers to stop using that product even if it works well for them on the computers they're already running. I see now, never mind.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  106. Microsoft said that Linux users are on their own by port23user · · Score: 1

    There was an article on slashdot a couple weeks ago about training that Microsoft released ( http://linux.slashdot.org/story/09/09/05/195219/Microsoft-Attacks-Linux-With-Retail-Training-Talking-Points?from=rss ). If you look at the actual training, there's a slide that says "There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own." Looks to me like Windows users are on their own.

  107. Re: 'We're talking about code that is 12 to 15 yea by dmbasso · · Score: 1

    Don't underestimate the power of incompetence.

    --
    `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
  108. Re:XP is teh dead by jim_v2000 · · Score: 1

    I'm assuming that your network is behind a NAT and a corporate firewall anyway.

    --
    Don't take life so seriously. No one makes it out alive.
  109. Re:XP is teh dead by Anonymous Coward · · Score: 0

    So, they're telling us Vista and Windows7 -lack- such a stateful firewall?

  110. Willful ignorance. by Beelzebud · · Score: 1

    It's amazing how many slashdotters totally ignore the fact that SP2 and SP3 DO NOT HAVE THIS BUG.

    No new computers are being shipped without SP3 at this point, and if you haven't upgraded WinXP from the original retail version, that's your own problem.

    1. Re:Willful ignorance. by dlapine · · Score: 1

      From the article:

      In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

      Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."

      Looks like SP2 & SP3 do have this flaw- they just don't expose it normally, and even if they did, Microsoft claims that the consequences are less than dire. Not an unreasonable line to take. Probably not worth the hassle of patching, since the work-around is so simple- don't enable that.

      Now claiming that it's not technologically feasible to fix it is a laugh; what they really meant to say was that it's not economically feasible to do so.

      With actual Vista usage estimated at 30%, Microsoft has to do something to encourage the other 60% of the market not using Vista to upgrade. Getting some cheap and easy FUD against Windows XP is one way to push a large chunk of users towards Windows 7. Other efforts are underway as well. Nothing wrong with marketing your product, really, but doing so by promoting claims that your older products are unsafe has always struck me as unwise. It's one thing to say that "Our new Frobish 2000 is safer than ever" but claiming that "We no longer feel it's worth the effort to support the Frobish 1993, which so many of our customers use" is quite another. Some people might even form the impression that the company is interested only in new sales.

      --
      The Internet has no garbage collection
  111. Boat anchors? by Anonymous Coward · · Score: 0

    Not very good boat anchors - they'd sink intermittently.

  112. Re:XP is teh dead by jim_v2000 · · Score: 1

    "At worst, that next spyware/trojan could do remote code execution on the whole network running XP and turn everything into a zombie bot-net."

    If you'd have read the bulletin, you'd have seen that remote code execution was not one of the possibilities for the bug in XP or Win 2k.

    --
    Don't take life so seriously. No one makes it out alive.
  113. Re:XP is teh dead by JacobSteelsmith · · Score: 1

    Yes. But that doesn't stop internal attacks.

  114. Let's form a class-action against Microsoft: by Khyber · · Score: 1

    MPunzalan@finkelsteinthompson.com

    send an email to this guy - this is the firm that helped me on the EA Spore SecuROM case. I'll bet ten to one their systems run XP and they're unaware of Microsoft trying to worm their way out of a contractual obligation to provide support until 2014.

    I just sent my email - I'd suggest more of you do the same so he takes notice and has more incentive to take the case.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  115. Pirates Eye Patches! by c0d3r · · Score: 1

    Maybe they should make a campaign distributing pirates eye patches! Arrrrgh.!

  116. Re:XP is teh dead by Khyber · · Score: 3, Insightful

    The XP firewall is practically fucking useless to begin with. That still doesn't give them the right to jump out of a contractual support obligation 5 years in advance.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  117. AKA "The Pinto Formula" by Anonymous Coward · · Score: 0

    It's all been done before!

    (Oblig Wikipedia reference)

  118. Not feasible? by Bob-taro · · Score: 1

    Maybe they lost the source code.

    --
    Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
  119. But don't forget, you get support from a real comp by SmallFurryCreature · · Score: 1

    But you forget, you pay for the OS so get the real support from a real company that cares about its customers and not a collection of hairy hippies who tell you to RTFM when you try to install Linux on a crappy old dell with a busted harddrive.

    Amazing, really, tomorrow there will be a story about linux and someone will post a story that paying MS means you got professional support. Denial, it must be a wonderful place to live.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  120. Publicity Stunt by Anonymous Coward · · Score: 0

    I think this is a "reverse psychology" publicity stunt. XP is bad..... Let's use Linux..... Microsoft comes to the rescue..... XP is now all good!

  121. Re:XP is teh dead by Anonymous Coward · · Score: 0

    And what if I shut down that damn stupid firewall they ship with Windows XP SPX ???

    "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    That REALLY sucks, like saying I won't heal my 3 inches blood/covered hole in my chest because it's under my lovely free t-shirt

  122. read further by fireylord · · Score: 1

    and maybe you ought to look a bit further down at the table of effects where it says the maximum effect on xp is denial of service.

  123. Xp is Xp is Xp by Anonymous Coward · · Score: 0

    Since it is no longer feasible for Microsoft flagship products to be supported, we will no longer support Microsoft. Xp is XP is XP. Poor unsuspecting pre-sp3 users, W7 has allegedly been not exactly robust either.

  124. yURINAL Klassless speaks out by Anonymous Coward · · Score: 0

    yURINAL, go be Klass-less elsewhere.

  125. No read the article by Anonymous Coward · · Score: 0

    The flaw is with a service that has been turned off since XP2. There are no known ways to exploit this flaw with the service turned off.

  126. Code that is 12-15 years old???? by Anonymous Coward · · Score: 0

    But I thought at the time XP was released, they said it was built from the ground up! You mean to tell me they reused code from Win 2000 and NT?

    Oh wait, I'll bet Windows 7 will be completely rewritten so none of this legacy crap carries forward! Or maybe I'll need to wait a few more versions till they get to Windows 95 - oh crap!!!!

  127. Tcp Windows Scaling & tcp window size vs. SWS by Anonymous Coward · · Score: 0

    See subject-line above, & "SWS" was short for "silly window syndrome" ->

    TCP "Silly Window Syndrome" and Changes To the Sliding Window System For Avoiding Small-Window Problems:

    http://www.tcpipguide.com/free/t_TCPSillyWindowSyndromeandChangesTotheSlidingWindow-4.htm

    PERTINENT CONCEPT QUOTE -> "Key Concept: Modern TCP implementations incorporate a set of SWS avoidance algorithms. When receiving, devices are programmed not to advertise very small windows, waiting instead until there is enough room in the buffer for one of a reasonable size. Transmitters use Nagles algorithm to ensure that small segments are not generated when there are unacknowledged bytes outstanding."

    Which, per the setsockopt 0 call & parameter? Does sound a LOT like this problem is, via setsockopt 0 calls issued by an attacking malware to exploit this for DDOS/DOS attacks!

    Again - please, read on & offer your thoughts after reading the above article especially & its KEY POINT/CONCEPT, quoted above... & about how setsockopt 0 is used in attacks of this nature, on this vulnerability in Windows 2000.

    I am only looking for possible defenses for Windows 2000 users (MS stating PORT FILTERING will do it? Fine for workstations, but for servers that solicit connections?? Not so fine imo, as they have to offer connections, & THAT means they are "DOS'able"!)

    Please, read on, offer your thoughts further on these points:

    ----

    "Since TCP window sizes are negotiated, but not necessarily respected, there's really nothing one can do about this other than fix the stack, or allow added tuning for this. You can force window sizes (like you mention in your post), but that does not guarantee the remote end will honour them." - by Anonymous Coward on Tuesday September 15, @11:31AM (#29426941)

    By "negotiated", don't/or do you rather, mean "Tcp Window Scaling", per the above about "Silly Window Syndrome"? I do know that SynAttackProtect, set to a value of "2", STOPS TcpWindowScaling... per this quote from MS:

    SOURCE -> http://msdn.microsoft.com/en-us/library/aa302363.aspx

    PERTINENT QUOTE -> "NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows"

    ----

    Also: GlobalTcpWindow MAY NOT BE USEFUL HERE, since it is "deprecated", but?

    The other parameter I noted apparently is, of TcpWindowSize, per your source no less here -> http://support.microsoft.com/kb/q263088/

    ----

    "Please do not follow this advice. It has been stated by Microsoft in numerous KB articles that people should not use GlobalTcpWindowSize. The registry entry in question has been deprecated with the introduction of Windows 2000 and beyond; you should be using http://support.microsoft.com/kb/q263088/ -

    PERTINENT QUOTE: "To resolve this issue, set the TCPWindowSize value globally or use a value smaller than 64240 (this value is a multiple of the Ethernet Maximum Segment Size)." - by Anonymous Coward on Tuesday September 15, @11:31AM (#29426941)

    I never SAID it "hardened" the IP stack...

    I figured it MIGHT help "mitigate" the setsockopt 0 that a 'badware' for DOS/DDOS would use to set a WindowsSize of 0, which IS the problem here, per the setsockopt 0 call, & what SynAttackProtect stops (sliding window sizes), & the fact that you can set that WindowsSize for Tcp via the TcpWindowSize parameter in the registry for TCP/IP's parameterizations...

    Again - Thoughts/Feedback on these replies/points? Thanks for your time...

    APK

    P.S.=> BOTTOM-LIN

  128. Fork it! by Chris+Snook · · Score: 1

    Oh, wait...

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
  129. The reason for not patching MS Windows XP is: by Helldesk+Hound · · Score: 1

    > I don't understand why they're dragging their feet, as sooner or later something
    > installs a listening service (or the user already has such a service) and it's over.

    The reason why MS is dragging its feet is that by not patching MS Windows XP/v5 there will be less of a reason for users to not move onto MS Windows v7.

  130. Re:XP is teh dead by Anonymous Coward · · Score: 0

    If you'd have read the bulletin, you'd have seen that remote code execution was not one of the possibilities for the bug in XP or Win 2k.

    It's tiring to see this flimsy assertion repeated throughout this topic. Another poster has already shown (note 2nd citation) why DOS vulnerabilities such as these should not be treated lightly.

    Before you (or anyone) responds that MS could patch it after it becomes a more serious vulnerability, there are two problems: MS has asserted that a patch is not feasible - they'd have to do a lot of work (implying a significant delay) to mitigate it; MS has announced that a published vulnerability will not be patched on a widely deployed platform, effectively inviting malware authors to attempt to turn a non-critical DOS vulnerability into a remotely exploitable vulnerability, preferably (from the malware author's POV) a zero-day exploit - and the opportunity is especially attractive because MS asserts that a patch is not feasible.

    - T

  131. 15 Years old? by DJRumpy · · Score: 1

    Where are they getting this 15+ year number from? XP was released almost exactly 8 years ago to the month.

  132. Additionally, Tcp1323Opts = 0 may help RFC 1323 by Anonymous Coward · · Score: 0

    RFC1323 - TCP Extensions for High Performance: -> http://www.faqs.org/rfcs/rfc1323.html

    Specifically, as regards "Window Scaling", & these pertinent quotes (& how Tcp1323Opts = 0 shuts off ALL of these hi-performance TCP/IP options (slower, but sounds like a safety measure vs. this setsockopt 0 "silly windows syndrome" attack))

    Please, read on:

    "The window scale extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit Window field of the TCP header (SEG.WND in RFC-793). The scale factor is carried in a new TCP option, Window Scale. This option is sent only in a SYN segment (a segment with the SYN bit on), hence the window scale is fixed in each direction when a connection is opened"

    (Note that LAST bolded statement? THAT only "holds true", IF these RFC1323 options are 'turned on', first of all, & what turns them COMPLETELY off (@ the price of performance, perhaps, but not of safety vs. this "sliding windows scale/sliding windows/silly window syndrome" attack? Tcp1323Opts does))

    http://www.speedguide.net/read_articles.php?id=157

    Tcp1323Opts is a necessary setting in order to enable Large TCP Window support as described in RFC 1323. Without this parameter, the TCP Window is limited to 64K.

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Tcp1323Opts="1" (DWORD, recommended setting is 1. The possible settings are 0 - Disable RFC 1323 options, 1 - Window scaling but no Timestamp options, 3 - Window scaling and Time stamp options.)

    Like SynAttackProtect = 2?

    Tcp1323Opts = 0 "turns off" the ability to use "scalable windows" that RFC1323 allows, & which it appears that this setsockopt 0 command exploits, via the "Silly Window Syndrome"...

    So, by setting them properly against this attack, by altering them, here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters accordingly.

    http://msdn.microsoft.com/en-us/library/aa302363.aspx

    PERTINENT QUOTE -> "NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows"

    You can nullify this attack it seems, because SynAttackProtect = 2 AND Tcp1323Opts = 0 (& using a set TcpWindowSize also) can stall out "sliding/scaling TCP Window Sizes", which this attack seems to exploit a vulnerability of via setsockopt 0 calls...!

    APK

    P.S.=> See my point now? Using Tcp1323Opts = 0, SynAttackProtect =2, & setting a TcpWindowSize to 64k (or whatever)? This setsockopt 0 type DOS/DDOS attack may be nullified it appears, because "sliding windows/tcp scaling" doesn't even take effect anymore, & this "setsockopt 0" seems to exploit it, via the "silly window syndrome" here -> http://www.tcpipguide.com/free/t_TCPSillyWindowSyndromeandChangesTotheSlidingWindow-4.htm

    PERTINENT CONCEPT QUOTE -> "Key Concept: Modern TCP implementations incorporate a set of SWS avoidance algorithms. When receiving, devices are programmed not to advertise very small windows, waiting instead until there is enough room in the buffer for one of a reasonable size. Transmitters use Nagles algorithm to ensure that small segments are not generated when there are unacknowledged bytes outstanding."

    Which, per the setsockopt 0 call & parameter?

    Does sound a LOT like this problem is, via setsockopt 0 calls issued by an attacking malware to exploit this for DDOS/DOS attacks!

    Hope you see my point... &, again, I'd like your "Feedback/Thoughts" on this as well - Thanks for your time, because I am trying to figure out a way, hopefully, to stall this attack on Windows 2000 rigs (I h

  133. This is only a DOS attack on Windows XP by fluffy99 · · Score: 1

    MS08-048 fixes three vulnerabilities. The vulnerability that can result in a system compromise is CVE-2009-1925 and ONLY AFFECTS VISTA. The other two, CVE-2008-4609 and CVE-2009-1926 are denial of service attacks against listening services with no possibility for remote code execution.

    Microsoft is basically saying that since 2000 and XP are only subject to a possible DOS of listening services, and are not intended as servers, the issue is not worth fixing. This would not be the first DOS only type of vulnerability that Microsoft has downplayed. They did however develop a patch to address their products that are intended as servers. Note that according to the MS KB article the patch does not eliminate the DOS vulnerabilities, but alleviates them by tweaking the algorithm used to drop open connections.

    It's also not clear to me, but it may be possible to address this issue by setting some of the settings in the registry that control the max number of half-open connections (turned off by default in the usual MS way).

  134. Why they won't fix it... by Anonymous Coward · · Score: 0

    Ah, you see - the programmer who originally wrote the code in question - and who is the only person who can grok its convoluted mess, has been fired.
    Or perhaps, they lost the backups with the original source code, and so would have to rewrite it from scratch - which they also don't want to admit to....

    So many possibilities - mostly all embarrassing to MS because they underline the nature of MS's corporate culture of protecting the incompetent.

  135. Re: 2003 patch works on XP for x64 by InvisiBill · · Score: 1

    Here's more ammo - Microsoft offers a fix for Windows Server 2003 which is based on many of the same core components as Windows XP.

    I noticed this as well, specifically on x64. From everything I've read, XP x64 is essentially 2003 x64 with some branding and defaults changed - even closer than the x86 variants of XP and 2003.

    The 2003 x64 download is actually named WindowsServer2003.WindowsXP-KB967723-x64-ENU.exe, and appears to have installed just fine. I haven't rebooted yet, but I don't expect any issues based on what I've seen so far.

  136. If YOU can't maintain it, at least let people do it by BhaKi · · Score: 1

    open source it so that people can fix bugs themselves.

    --
    The largest prime factor of my UID is 263267.
  137. Re: I think you're bluffing by InvisiBill · · Score: 1

    There are issues with security and governmental banking regulations that will not allow windows 7.

    Care to elaborate? I work in IT at a bank and we're currently in the process of testing out Win7. I don't work directly in the Compliance department obviously, but I've not heard anything even remotely like this mentioned.

  138. Re: 2003 patch works on XP for x64 by InvisiBill · · Score: 1

    I'm now running version 5.2.3790.4573 of tcpip.sys, and TCP/IP appears to be working for me... You may be able to simply copy the DLLs over in x86 as well (possibly in Safe Mode or with a BartPE CD) if the actual installer won't do it.

  139. RFC1323 + Tcp1323Opts=0, & SynAttackProtect=2 by Anonymous Coward · · Score: 0

    Wouldn't using Tcp1323Opts = 0 & SynAttackProtect = 2 work to stop "silly window syndrome" & 'scaling/sliding windows' in TCP/IP per RFC1323 "High-Performance TCP/IP features" it implements?

    Think about this, & comment please:

    1.) This DOS/DDOS attack utilizes an API call with a 0 window size parameter -> setsockopt 0

    ----

    2.) TCP "Silly Window Syndrome" and Changes To the Sliding Window System For Avoiding Small-Window Problems - which is what this attack sounds as if it is exploiting:

    KEYWORD = SLIDING WINDOW SYSTEM (for TCP/IP) -> Tcp Scaling

    http://www.tcpipguide.com/free/t_TCPSillyWindowSyndromeandChangesTotheSlidingWindow-4.htm

    PERTINENT CONCEPT QUOTE -> "Key Concept: Modern TCP implementations incorporate a set of SWS avoidance algorithms. When receiving, devices are programmed not to advertise very small windows, waiting instead until there is enough room in the buffer for one of a reasonable size. Transmitters use Nagles algorithm to ensure that small segments are not generated when there are unacknowledged bytes outstanding."

    Which, per the setsockopt 0 call & parameter?

    Does sound a LOT like this problem is, via setsockopt 0 calls issued by an attacking malware to exploit this for DDOS/DOS attacks!

    ----

    3.) SynAttackProtect, here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters STOPS TCP WINDOWS SCALING, per this MS article on it:

    http://msdn.microsoft.com/en-us/library/aa302363.aspx

    PERTINENT QUOTE -> "NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows"

    -----

    4.) Tcp1323Opts, here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters STOPS TCP WINDOWS SCALING - This also turns off the RFC 1323 "Hi-Performance TCP/IP" options like "Scalable Windows" (sliding Windows noted in "silly window syndrome") also, & though you may go slower, you would be safer on a Windows 2000 machine because of it no longer allowing the TcpWindowSize to be reset by this attack (that uses that to its advantage via setsockopt 0).

    http://www.speedguide.net/read_articles.php?id=157

    Tcp1323Opts is a necessary setting in order to enable Large TCP Window support as described in RFC 1323. Without this parameter, the TCP Window is limited to 64K.

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Tcp1323Opts="1" (DWORD, recommended setting is 1. The possible settings are 0 - Disable RFC 1323 options, 1 - Window scaling but no Timestamp options, 3 - Window scaling and Time stamp options.)

    Like SynAttackProtect = 2? Tcp1323Opts = 0 "turns off" the ability to use "scalable windows" that RFC1323 allows, & which it appears that this setsockopt 0 command exploits, via the "Silly Window Syndrome"...

    ----

    Thus, if you have a 'hardcoded' TcpWindowSize in the registry, & one set to a PRE-DEFINED value/size, & "sliding window sizes" for TCP are 'turned off' by SynAttackProtect = 2 and Tcp1323Opts = 0? The ability to use setsockopt 0 (which seems to exploit "scaling windows"/"sliding windows" per "Silly Window Syndrome", which this seems to exploit) should, in theory, be utterly nullified.

    APK

    P.S.=> I can't think of anything better than this but the evidence above tends to show that IF you use SynAttackProtect = 2 (which works vs. types of DOS/DDOS attacks, as is) and Tcp1323Opts = 0 which STALLS "SLIDING WINDOW SIZES" (Tcp Scaling in other words), then, this attack (which seems like it is using the "Silly Window Syndrome" per the above) cannot work...

    (As "setsockopt 0" cannot reset/renegotiate the TcpWindowSize & the sy
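
Added example, not part of any comment in this thread: comments 132 and 139 propose `Tcp1323Opts = 0` to stop window scaling, and the RFC 1323 text they quote says the Window Scale option travels only in SYN segments, so the effect of the setting can be checked on the wire. This Python sketch parses a SYN and its SYN-ACK and reports which of the listed `Tcp1323Opts` values (0, 1, 3) the replying host behaves like. The segments are constructed sample bytes, the function names are hypothetical, and it assumes a host with RFC 1323 options disabled simply omits them from its SYN-ACK.

```python
import struct

SYN, ACK = 0x02, 0x10
MAX_SHIFT = 14  # RFC 1323 caps the Window Scale shift count at 14

def build_segment(flags, window, options=b""):
    """Build a constructed TCP header for the demo (ports and seq are sample values)."""
    options += b"\x01" * (-len(options) % 4)      # NOP-pad to a 32-bit boundary
    offset_flags = ((5 + len(options) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", 49152, 445, 1000, 0,
                       offset_flags, window, 0, 0) + options

def parse_tcp(segment):
    """Return flags, raw 16-bit window and the RFC 1323 options in a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags, window = struct.unpack("!HH", segment[12:16])
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    info = {"flags": offset_flags & 0x3F, "window": window,
            "wscale": None, "timestamps": False}
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == 3 and length == 3:       # Window Scale: kind, len, shift
            info["wscale"] = min(opts[i + 2], MAX_SHIFT)
        elif kind == 8 and length == 10:    # Timestamps
            info["timestamps"] = True
        i += length
    return info

def audit_handshake(syn, synack):
    """Infer which Tcp1323Opts value (0, 1 or 3) the SYN-ACK sender behaves like."""
    c, s = parse_tcp(syn), parse_tcp(synack)
    if not (c["flags"] & SYN) or (s["flags"] & (SYN | ACK)) != (SYN | ACK):
        raise ValueError("need a SYN followed by its SYN-ACK")
    if c["wscale"] is None or not c["timestamps"]:
        # A responder may only echo options the SYN offered, so nothing is learned.
        verdict = "inconclusive"
    else:
        seen = (s["wscale"] is not None, s["timestamps"])
        verdict = {(False, False): "0", (True, False): "1",
                   (True, True): "3"}.get(seen, "not listed on the page")
    active = c["wscale"] is not None and s["wscale"] is not None
    return {"tcp1323opts": verdict, "scaling_active": active,
            "server_shift": s["wscale"] if active else 0}

def advertised_window(segment, shift):
    """Bytes the sender will accept; the field in SYN segments is never scaled."""
    info = parse_tcp(segment)
    return info["window"] << (0 if info["flags"] & SYN else shift)

# Constructed sample handshake segments (not captured traffic).
MSS, TS = b"\x02\x04\x05\xb4", bytes([8, 10]) + bytes(8)
PROBE_SYN = build_segment(SYN, 65535, MSS + bytes([3, 3, 2]) + TS)
HARDENED_SYNACK = build_segment(SYN | ACK, 64240, MSS)
SCALED_SYNACK = build_segment(SYN | ACK, 8192, MSS + bytes([3, 3, 3]) + TS)

if __name__ == "__main__":
    for name, reply in (("hardened", HARDENED_SYNACK), ("scaled", SCALED_SYNACK)):
        print(name, audit_handshake(PROBE_SYN, reply))
    print("zero window:", advertised_window(build_segment(ACK, 0), 3) == 0)
```

A zero in the 16-bit window field stays zero whatever the shift count, so the check says only whether scaling was negotiated, not whether a peer can still advertise an empty window.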

  140. Re:XP is teh dead by Anonymous Coward · · Score: 0

    But if you run any listen program like BitTorrent, filesharing, remote access, iTunes's fucking searching thing or whatever, you will have listening ports open. So Microsoft is just fucking with you. They should release a patch, and not say "see, it works, just don't, you know, use a basic OS feature like listening for incoming TCP connections". What's next, no patch because most computers are behind a NAT router? Memory leak not fixed because nobody runs a computer for more than a month?

  141. Re: I think you're bluffing by poetmatt · · Score: 1

    I can't cite direct examples because I don't even know which bank you work for, but if you understand how banking TLS requirements go, it's kind of like that.

  142. Booooo!!!!!! by Crass+Spektakel · · Score: 1

    This stinks. A critical part of windows becoming unsupported.

    What goes around comes around, I will remember that.

    --
    "Life is short and in most cases it ends with death." Sir Sinclair
  143. Urinal Klastalov of the Russian Business Network by Anonymous Coward · · Score: 0

    Hahaha Urinal. Nice to see that apk's security guides like this one have put a dent into your malware and botnet business with the infamous RBN, Ukie boy:

    http://www.tcmagazine.com/forums/index.php?s=59a1733cda9711d7bb0c2f0b1da8e2ab&showtopic=2662

    You're only showing your hand on this one. I use his guides and hosts files and I never get taken advantage of by the likes of your kind anymore because of him. It is very obvious you have taken a beating from apk before either in technical debate or because of your botnets being disabled and crippled one by one as more people do as I have done and applied apk's security guide points and hosts file versus scum like you. Trash like you deserve every second of it and the same thing is being done by online scum like you have done here to apk http://twitter.com/klastalov/status/200124793 where you said quite classlessly he could suck your sweaty cock. Small cock should have been added. Improve your English you foreign reject and improve your way of making money because you ukes have done the same to Dancho Danchev of ZDNET with his Ukranian fanclub he notes here http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html and that is about all scum like you have is your online putdowns after people like Mr. Danchev and apk get through with you by blowing away your botnets and informing others online about them and how to stop them. Too bad you are too stupid and illiterate to make a living honestly and instead have to prey on grandma types online as online trash like you do. The part that makes you completely stupid is that you are obviously modding yourself up also which fools no one, you foreign moron. Go home to the Ukraine scumbag. You're not wanted here.

  144. Sick of Microsoft? by Anonymous Coward · · Score: 0

    If you're sick of Microsoft, and Windows, then take a look at http://broken-windows.org/ and join our movement to help people get rid of Windows for good.

    There isn't even a formal "joining" process. Just get to it!

  145. ac apk talked about Win2K non patch issue not XP by Anonymous Coward · · Score: 0

    I think you need to familiarise yourself with TCP stacks a bit more, and stop banging on keys and smashing registry settings in hopes of solving something that isn't an issue anyway (see other Slashdot posts with regards to the vulnerable service in question being disabled by default starting with XP SP2). I'm glad to see your brain is working/churning about this, but more experience is needed

    Get your brain churning on reading comprehension because the other ac apk spoke of the Win2K issue of non patching from Microsoft, not XP.

  146. So you're the guy who wants to be "strange" w/ me? by Anonymous Coward · · Score: 0

    See my subject-line above, "Yuri Klastalov" (which I severely doubt that that is your true/real name anyhow): I read this -> http://www.google.com/search?hl=en&q=%22Alexander+Peter+Kowalski%22+and+%22Yuri+Klastalov%22&btnG=Search and saw via cached copies of it as to where you want me to "suck your sweaty cock" online, from twitter, & was wondering to myself just exactly who you are, &/or how I know you (if I do at all) online etc. et al.

    Sorry to disappoint you: I am NOT a homosexual, so the cock sucking stuff you wrote on twitter?? It's NOT going to happen. Find yourself another dish Yuri - I'm NOT on the menu, so-to-speak.

    My personal guess is, is that I do not know you @ all personally (and you post as AC or under assumed guises constantly online), thus, I do not know your name.

    Fact is?

    (Nobody does, & this is why nobody EVER WILL - you're a "NOTHING", a "NOBODY", & your very actions guarantee this for you. I suppose you see some benefit by being a jerk to others online, but you don't apparently realize that all that gets you is wasted time on your part, with no real benefit to you, or yours).

    Hope you're happy with the result.

    APK

    P.S.=> On the statements here about Dancho Danchev & his "UKRAINIAN FANCLUB"? Yes, that might be a possibility, because I put up the "command & control servers" domain names/hostnames of them all for "normal folks" online after I got wind of them, via Mr. Danchev's fine research, & I spread it to others... perhaps this "Yuri Klastalov" is one of their crew, or perhaps not, but it is not out of the realm of possibility he is one of them. Either way, I know I did the right thing & tough for he & his if they do not like it. Period.

    If however, that IS the case in fact & Mr. Urinal with no Klass (a pisspot in other words, lol) is a member of the RBN?

    Well, judging by his reactions here and on twitter more importantly? MY actions have apparently helped "floor" the RBN (Russian Business Network), which is a GOOD THING! I don't take kindly to slime that takes advantage of those weaker or less informed than they are, so it was "time to inform the masses" & it seems to have worked (argue with the results, in other words - the RBN? HISTORY - "gone with the dawn", baby)... apk