Slashdot Mirror


Microsoft Says No TCP/IP Patches For XP

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"

13 of 759 comments

  1. Yeah, right by DoofusOfDeath · · Score: 5, Interesting

    "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista"

    The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

    1. Re:Yeah, right by Cryophallion · · Score: 5, Interesting

      I just had to post an invoice to the Marine Corps' web site. I luckily had one computer at work that was not upgraded to IE8. It would only respect IE6 or 7, and had some issues if I just changed the user agent on FF.

      If people keep being forced to upgrade their browsers, no one will be able to use the government systems anymore.

      I'm sure it will be an issue for the little companies billing, but you'll never hear about it.

    2. Re:Yeah, right by Anonymous Coward · · Score: 4, Interesting

      Ah so when it comes to patching severe holes the codebase is way too old with its 12 - 15 years, but when it comes to revealing the source it is still very relative. Then how does patching very relative code become "not feasible"? "Can't" or "won't"? Which is it MS?

    3. Re:Yeah, right by commodore64_love · · Score: 4, Interesting

      Many people have compared defense work to "white collar welfare". I think the private companies are more frugal than that, since they are constantly cutting costs & laying off workers, but having worked at the FAA it seems like a sound argument. I saw government workers sitting around doing nothing but surfing the net day after day. The FAA could lay off 75% of the workforce and not notice any drop in output.

      But of course if the FAA did that, then the politicians who represent those workers would scream bloody murder, and the layoffs would be canceled.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

    4. Re:Yeah, right by erroneus · · Score: 4, Interesting

      Actually, this isn't funny and may well be the type of attention-getting answer we need to this problem. People should start sending off some emails to their representatives that point this problem out. Microsoft says they are supporting Windows XP until 2014 for security matters and other serious problems. I'd say this qualifies. This "move" on Microsoft's part represents a squeeze play against all of its customers, not the least of which is the U.S. Federal Government. And with all the attention on money problems, it can't be ignored or written off.

      I foresee a congressional hearing on the matter should Microsoft continue down this road.

      If the government plans to spend trillions on this surprise upgrade requirement, perhaps moving to another OS might be another consideration to weigh in. We KNOW Microsoft will leverage its position as "the" OS vendor to do nearly anything it wants. We can't force them to behave. Perhaps the best thing to do is push the misbehaving child to the curb and use someone else's product.

    5. Re:Yeah, right by Oswald · · Score: 4, Interesting

      Hey genius, you do realize that Windows XP is still being sold, right? That brand new computers are shipping by the thousand every single day with Windows XP as the OEM-installed operating system? Can you seriously claim that it's alright for them to just walk away from a product they are still shipping because they have better things to do with their time? Did you give your position even five seconds of thought?

      Congratulations, fucktard. Worst post of the day.

    6. Re:Yeah, right by KnownIssues · · Score: 5, Interesting

      XP SP2 and later are fine by default. What does that mean? Does that mean it's the only possible configuration? Or is it reasonable that an XP SP2 computer could end up in a state where it does have a listening service configured in the client firewall? Doesn't Vista include "a stateful host firewall that provide protection for computers against incoming traffic from the Internet [...]"? I should think so, so wouldn't that invalidate their reasoning?

      I wouldn't be surprised if Microsoft is perfectly correct in not patching XP. The problem is how they communicate it. If they're patching Vista (a client OS) and they're patching Server 2003 (similar codebase to XP), then this makes it seem like they don't want to bother fixing XP, even though it's broken. If Microsoft had said, "the XP codebase is in no way vulnerable", I'd be completely satisfied. But they didn't. They said, "XP is broken, but by default it's protected".

      That's not good enough.

  2. Unclear by coastwalker · · Score: 4, Interesting

    It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

    --
    Facts are history now plebs have politics for religion on social media.

  3. Upgrade or Else by Cryophallion · · Score: 4, Interesting

    So, basically, upgrade or you'll be hacked?

    Two questions:
    1. Does 7's XP mode potentially have this issue, or is there a compatibility layer so XP doesn't talk directly to the network?
    2. They seemed to be able to make massive security updates for code that was that old, and still patch a number of other issues. What about this REALLY makes it so hard to code?

    In the end, while I understand not wanting to waste resources on way older products, I think it is a marketing move.

  4. That's why I like open source by jgardia · · Score: 5, Interesting

    Well, that's one of the positive aspects of the open source code. If the main developer doesn't want to fix something, then someone else can do it.

  5. Question by bjackson1 · · Score: 5, Interesting

    Isn't the codebase for XP and Windows 2003 essentially the same? Why can't the 2003 patch be modified? I don't remember reading that the TCP/IP stack was that different in 2003.

  6. XP Still supported on netbooks. by Chrisq · · Score: 5, Interesting

    Since XP is still being shipped and supported on netbooks this seems a little strange. What's the message - spend extra on memory and hard drive so that you can run XP instead of Linux but we won't give you security patches?

  7. US Navy already ditching M$ by SgtChaireBourne · · Score: 4, Interesting

    The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

    Since 2008, the US Navy will acquire only systems based on open technologies and standards. That excludes M$ products explicitly in every way but name. The TCP/IP being just one example of failure on M$ part to implement standards. US Navy is ditching M$.

    They'll probably go with an American company like Red Hat or roll their own spin of Red Hat.

    The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not? If you've got Windows on your network, then you have a personnel problem, not just a network security problem.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.