Microsoft Says No TCP/IP Patches For XP
CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"
The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.
It is unclear how large a threat this is to the end user. However, the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.
Facts are history now plebs have politics for religion on social media.
"not feasible"
yeah right, more like MS wants people to move onto Windows 7
I thought the code for Windows 2003 and Windows XP was mostly identical. As a currently shipping product, isn't that a violation of some states'/countries' warranty/merchantability laws?
That's unpossible!
This sig left unintentionally blank.
So, basically, upgrade or you'll be hacked?
Two questions:
1. Does 7's XP mode potentially have this issue, or is there a compatibility layer so XP doesn't talk directly to the network?
2. They seemed to be able to make massive security updates for code that was that old, and still patch a number of other issues. What about this REALLY makes it so hard to code?
In the end, while I understand not wanting to waste resources on way older products, I think it is a marketing move.
How very serendipitous for Microsoft, people now have a reason to upgrade from XP.
I ran W2K on my desktop until a couple of years ago, i.e. until the patches stopped coming. W2K did everything I needed.
Guess I'll have to consider Win7 now...
So now they are going to force us to upgrade to Windows 7 sooner rather than later?
Well, that's one of the positive aspects of open source code. If the main developer doesn't want to fix something, then someone else can do it.
Isn't the codebase for XP and Windows 2003 essentially the same? Why can't the 2003 patch be modified? I don't remember reading that the TCP/IP stack was that different in 2003.
While the code may very well be 15 years old, that does not really matter to the user. What matters is how long ago Microsoft sold the product. If they sell software today that uses some code written 15 years ago you should be able to expect security updates for some period of time. Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.
MS hate aside, they're just doing what they've always done. We don't get our panties in a knot when they don't release a Win 98 patch, do we? With Win 7 on our doorstep, there is no reason for MS to be supporting three separate OSes. Well, aside from customer service. I just sort of shrug my shoulders and deal with it. Anyone running XP knows they're doing it because Vista/7 don't appeal to them; deal with the consequences.
Looks like all of those netbooks Microsoft allowed to be shipped with XP in the last two years will be tasty targets.
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."
Yes, it's easy to take the "We won't be backporting this fix" stance when the old OS isn't vulnerable in the first place.
For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.
And somehow, the TCP stack, perhaps the most modular and with the most well-defined interfaces, can't be replaced wholesale.
This makes no sense, unless they're trying to get people to spend $$$ on moving to "Windows 7",
or as the cognoscenti call it, "Vista SP2".
ooooohhh.....
Since XP is still being shipped and supported on netbooks this seems a little strange. What's the message - spend extra on memory and hard drive so that you can run XP instead of Linux but we won't give you security patches?
I've worked with older code than that... nothing unfeasible about it.
In other news... 10 year old Linux 2.4 kernel patched yesterday...
A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...
If X is less than the cost of a recall, we don't do one.
Oh, Dusty. In-feasible is when you're MORE than feasible. This TCP/IP fix, it's not just feasible, it's IN-feasible.
...we lost the source code, we kept it in Microsoft Source Safe and it ate it.
Do daemons dream of electric sleep()?
The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.
Since 2008, the US Navy will acquire only systems based on open technologies and standards. That excludes M$ products explicitly in every way but name, TCP/IP being just one example of failure on M$'s part to implement standards. The US Navy is ditching M$.
They'll probably go with an American company like Red Hat or roll their own spin of Red Hat.
The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not? If you've got Windows on your network, then you have a personnel problem, not just a network security problem.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
The true cost of releasing a patch is not in compiling and distributing the fix. The money is spent on verification. By not releasing the patch to XP and w2k my estimates are that Microsoft is saving man-years in verification.
Break the sound barrier - bring the noise.
"retrofeasable," "antifeasable," "inflamafesable," and "!feasable."
There is really no reason for XP on a netbook any more. You aren't using it as a high-end gaming platform. You aren't running Adobe Creative stuff on it.
You are using it to run FireFox, edit documents, read, IM and send email.
Linux has all that covered and is even document-compatible with Windows.
I have an Eee 900A with a 32GB SSD in it running Xubuntu and I connect to a corporate Radius network, bluetooth tether to my phone, and even use the web version of Outlook on it to get at calendars.
Flash even works.
The only thing I can't do that would be nice is play Netflix movies as the Moonlight package does not have DRM in it (and likely never will.)
Dog is my co-pilot.
The DOS/DDOS possible via the latest weakness in Windows 2000's IP stack @ least (uses RDR20.DLL as the LSP (layered service provider) vs. MSWSOCK.DLL (the LSP used in XP/Server 2003 onwards, by way of comparison, & this is where I think the problem lies largely, as it is the "most radically different part" of the IP stack in Windows 2000 vs. the more current builds of Windows that I could see @ least)?
WELL - That's taken care of by the SynAttackProtect setting here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
What does it do??
http://msdn.microsoft.com/en-us/library/aa302363.aspx
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.
TcpMaxPortsExhausted
TcpMaxHalfOpen
TcpMaxHalfOpenRetried
Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)
This SynAttackProtect registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).
2: Set SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests quickly timeout when a SYN attack is in progress. This parameter is the recommended setting.
NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows
-----
IIRC? This is called the "Silly Window Syndrome", & this is a way, in theory, around it... & iirc, "Scalable Windows", via setsockopt API calls from an attacker are what the problem is here anyhow & this ought to 'stall it'... thoughts/feedback?
APK
P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above) SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...
Thus, effectively stalling the ability to use TcpWindowScaling is stopped by SynAttackProtect too, so an attacking system/app sending a setsockopt of 0 for this SHOULD also be nullified, on a server also...
(However/Again - Workstations are easily taken care of, vs. servers, just by what I wrote up above or by PORT FILTERING)
IP Security Policies, which can work on ranges of addresses to block, OR, single systems as well you either ALLOW or DENY to talk to your system, still can help also... vs. a DDOS though? SynAttackProtect is your best friend here... you'd use netstat -b -n tcp to see which are held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR WAY (or just by doing it in a router or routing table)... takers anyone, on these thoughts (especially for Windows 2000)?
Thanks for your time... apk
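An added example (not from the thread or from Microsoft) of the two checks the post above describes: counting half-open SYN_RECEIVED entries per peer from the connection table, and auditing the Tcpip\Parameters values it names. It assumes the table layout printed by `netstat -n -p tcp` on Windows (Proto, Local Address, Foreign Address, State); the sample output and all threshold values are constructed, since the thread gives no defaults.

```python
"""Triage SYN_RECEIVED backlog and SynAttackProtect settings (added example)."""
import re
from collections import Counter

# Constructed sample of Windows `netstat -n -p tcp` output: a few established
# sessions plus a burst of half-open handshakes from two documentation-range IPs.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:40001     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.7:40002     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:50001      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:50002      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:50003      SYN_RECEIVED
  TCP    192.0.2.10:443         203.0.113.5:50004      SYN_RECEIVED
  TCP    192.0.2.10:443         203.0.113.9:51000      SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.20:60000    TIME_WAIT
"""

# One TCP row: protocol, local endpoint, foreign endpoint, state.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_connections(text):
    """Yield (local, foreign, state) for every TCP row; header lines are skipped."""
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            yield match.groups()


def half_open_by_peer(text):
    """Count SYN_RECEIVED (half-open) connections per remote address."""
    counts = Counter()
    for _local, foreign, state in parse_connections(text):
        if state != "SYN_RECEIVED":
            continue
        # Strip the port; rsplit also copes with IPv6 rows written as [addr]:port.
        peer = foreign.rsplit(":", 1)[0]
        counts[peer] += 1
    return counts


def syn_flood_report(text, tcp_max_half_open, per_peer_limit):
    """Compare the backlog with a TcpMaxHalfOpen-style threshold (constructed
    values) and list peers holding at least per_peer_limit half-open slots.
    Those peers are the candidates for filtering at the host or router."""
    counts = half_open_by_peer(text)
    total = sum(counts.values())
    suspects = sorted(peer for peer, n in counts.items() if n >= per_peer_limit)
    return {
        "total_half_open": total,
        "threshold_hit": total >= tcp_max_half_open,
        "suspect_peers": suspects,
    }


# Values named in the thread under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
TUNING_VALUES = ("TcpMaxHalfOpen", "TcpMaxHalfOpenRetried", "TcpMaxPortsExhausted")


def audit_syn_parameters(values):
    """Return findings for a dict of Tcpip\\Parameters values (as exported from
    the registry). The quoted MSDN text recommends SynAttackProtect = 2; the
    three tuning values decide when protection kicks in, so flag them if unset."""
    findings = []
    if values.get("SynAttackProtect") != 2:
        findings.append(
            "SynAttackProtect is %r; recommended setting is 2"
            % values.get("SynAttackProtect")
        )
    for name in TUNING_VALUES:
        if name not in values:
            findings.append("%s not set explicitly; the stack default applies" % name)
    return findings


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_NETSTAT, tcp_max_half_open=5, per_peer_limit=3))
    print(audit_syn_parameters({"SynAttackProtect": 1}))
```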
Procurement times are so long in the military that everything is old. I understand the Seawolf is powered by 68030 processors...
This is my sig.
This is just another reason to abandon Microsoft. I am so happy with my Mac
So... because you don't want to update Windows from XP to Windows 7, you will instead update your entire computer to a brand new Macintosh running a brand new operating system.
I mean, if you are shopping for a new computer, isn't Microsoft's abandonment of XP kind of irrelevant? If you are not shopping for a new computer, why would anyone care?
This is my sig.
Clearly, this is something Microsoft is leveraging to get people to move to Win7. (You know, in some fonts "Win7" looks rather similar to "Win?") But I have to wonder:
There will be large government installations that still need to use Windows XP. Will they get this impossible patch? Also, do Microsoft's support claims for Windows XP fit within this window, and if not, how can Microsoft pull a stunt like this? Doesn't this mean they are dropping support for Windows XP "early"?
What really needs to happen is that "the public" needs to be aware of what is happening and, in Fox News style, be instructed how to feel and respond to it.
I guess these guys did not read: http://support.microsoft.com/gp/lifepolicy XP extended support goes through 2014 and supposedly covers security fixes. I would think this counts as a security fix.
Conservative, mod down for violating
This is just another reason to abandon Microsoft.
Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?
Karma: Terrifying (mostly affected by atrocities you've committed)
Microsoft didn't write all of Windows 7 from scratch. It's surely got plenty of "15 year old code", and probably older. So Microsoft's policy says that it cannot patch some Windows 7 bugs.
Maybe there indeed isn't any 15 year old code, as MS cycles its codebase slowly through "new" OS releases over the years. But there's doubtless 10 year old code, and certainly 5 year old code. So in 5-10 years, everyone buying Windows 7 today (and tomorrow) will be forced to buy the next "upgrade". And the one after.
Or run seriously insecure code that the bad guys have had 5, 10, 15 years to figure out how to exploit.
Microsoft: job security through product insecurity.
--
make install -not war
Why not? The Pentagon continued using Halliburton for years, on huge no-bid contracts, even when its divisions were installing showers in Iraq that electrocuted our servicemembers. And that's just the worst failure the public heard about, after most of a decade of abusive cronyism.
Microsoft is much richer than even Halliburton, and its failures much less publicly scandalous. Why would it face a tougher standard? I'm sure Dick Cheney owns a lot of Microsoft stock, too.
--
make install -not war
Today GM announced that the GMC trucks have some fundamental flaw and they are prone to explode randomly. GM said it won't fix the issue because the design is very old, and fixing it is unfeasible. When asked when they will stop shipping trucks with the fatal flaw, a GM spokesman said, "We have not stopped building or shipping them yet. We need to compete with the low cost competitors in the net-truck market and so we continue to make and ship the trucks, but we won't fix the safety issue. The drivers may wrap themselves in bags filled with thermocol peanuts to get some measure of protection."
If not, why do we let Microsoft get away with it?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Alex P. Keaton is an MCSE? Is there anything that guy can't do?
Microsoft Corporation has announced a limited one-off extension of availability of its Windows XP operating system to April 2101 after criticism from large customers and analysts. This is the fifty-sixth extension of XP's availability since 2008.
Through successive releases of Microsoft's flagship Windows operating system, demand for XP has remained an important factor for businesses relying on stable XP-specific software and installations, who have pushed back strongly against the software company's attempts to move them to later versions. Windows administration skills have become rare in recent years and consultants have demanded high fees. Reviving Windows administrators from cryogenic freezing has proven insufficient to fill the market gap, as almost all begged to work on COBOL instead.
"Windows XP is currently in the extremely very prolonged super-extended support phase and Microsoft encourages customers to migrate to Windows for Neurons 2097 as soon as feasible," said William Gates V, CEO and great-grandson of the company founder. "Spare change?"
Microsoft Corporation, along with Monsanto Corporation and the RIAA, exists as a protected species in the Seattle Memorial Glass Crater Bad Ideas And Warnings To The Future National Park in north-west Washington on the radioactive remains of what was once the planet Earth, under the protection of our Linux-based superintelligent robot artificial intelligence overlords. Company revenues for 2098 were over $15.
illustration: A background wallpaper for your insecurable XP desktop. (Anyone got a pointer to the 1024x768 version?)
http://rocknerd.co.uk
So the patch code for Vista et al won't fit on XP? Hardly surprising - I believe that was a different TCP/IP stack. What MS is actually saying is they won't spend the time/effort/money to develop a patch tailored for the XP stack. There's no such thing as infeasible in this business, only 'too expensive' or 'not in our political best interest'.
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
Best Buy's recent "training" slide #9, where they say that "Linux is safer than Windows" is a myth, the "Real Facts" states (referring to Linux) 'There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own.'
Here's proof that that statement is really talking about Windows...
I say give 'em a month, tops, and then there will be a patch (or news of a coming patch) for Windows XP.
Now would be a terrible time for Microsoft to alienate all those big corps that have XP and force them into another OS, if they want to keep their customers.
It'd be great for everyone else, as customers may start looking into things they would never have considered otherwise, such as various open source operating systems, and the necessary apps it would take to keep them going in their workflow, post-transition.
The way it looks is, some people (usually companies) will view this as a threat from Microsoft that reads: "Upgrade if you want protection."
Some of them in this group will obediently upgrade to Fista or 7.
Some of them will reluctantly upgrade to Vista or 7.
Some of them will stay with XP and find other ways to secure themselves.
Some of them will [cross their fingers and hope|pray] that Microsoft changes their mind and offers a patch.
Some of them will be offended and migrate to another OS outside of Big Red Robotland.
And of course, some of them will feel that litigation solves everything, and want to take MS to court for "refusing to patch an OS that is in such widespread use" (or) "intentionally posing a security risk".
Refusing a patch like this, in my humble opinion, isn't something you want to do until a few months after your new OS lands, at the bare minimum. That way, you've already got people migrating.
XP's patching lifecycle isn't up yet, from what I can see here, though: XP SP2 should be good until July of 2010, and SP3 should be good a bit longer than that, so I'm surprised no-one has really called 'em out on that.
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
1. Buy netbook with Microsoft Windows XP installed. ...
2. Run all updates.
3. Browse web, get hacked by this exploit. Lose money through "identity theft" / bank fraud.
4. Turn up in court with the receipt for the netbook & windows license stating when purchased, and the date and time Microsoft refused to patch the hole which caused your loss.
5. State that Microsoft is profiting from a product which is unsuitable for purpose, and it knows is unsuitable.
6.
7. Read Microsoft fine print and realise that you have to now give Microsoft your first born child for ever doubting that their asses are covered.
Yeah, consumer loses out on this one.
Finally had enough. Come see us over at https://soylentnews.org/
Dude, how often do you hear of Mac viruses running rampant? The reason Microsoft has to constantly patch their crap is because it's terrible. Mac is much more solid and the whole issue goes away... You are showing your Microsoft-centric world view. In the Mac world, the need to constantly fix old mistakes just is not a problem. It's a non-issue.
What an excellent advertisement for Apple (or even, gasp, Linux)! Just as soon as they decide you should be forced onto a new operating system, Microsoft decides to leave bugs in XP that could create a gap in security and lead to millions of machines getting infected.
Nice work. I know what my next operating system WON'T be.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Please... all underlying architecture has not changed from XP to Vista, even though they want you to believe this... and for them to correct the wrapper on XP would be trivial. However, they are testing the waters about phasing out XP, and want to see what the backlash will be like, seeing as no one wants Vista garbage, and maybe even no Windows 7!
I would prefer being given the opportunity of just paying a yearly fee to keep getting updates on a system that runs properly, compared to their new bloated versions of Vista etc... too bad no one can pick it up like a Linux distro and start their own version of Windows...
In other words:
It's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Don't run an OS that you can't patch yourself. Seriously, if we put our trust in these guys after they've proven time and again that they really don't represent our best interests we are the only ones to blame. It's about time to let MS go gently into the night alone and without a sleeping bag into a rabid pack of wolves.
I don't believe in karma, I just call it like I see it.
I wonder if the enormous deployment of XP will be the concrete block that causes Microsoft to sink to the bottom of the river.
If Microsoft could not get XP users to adopt Vista and Win7 does not get them to upgrade either, then XP customers' inertia will pull Microsoft down.
Microsoft can never go forward with XP users rejecting any new OS it produces.
What really needs to happen is that "the public" needs to be aware of what is happening and, in Fox News style, be instructed how to feel and respond to it.
I'm not sure why you think this is the sole province of Fox News. Perhaps because Fox News more closely reflects what the general American public thinks and feels? And thus appears to be more effective at shaping public opinion, when in fact they are more reflecting public opinion than shaping it. Here is a link that lists many attempts (some successful, some not) by other news sources to shape public opinion by selectively (and sometimes falsely) reporting the news: http://spectator.org/archives/2009/09/15/media-malpractice-tom-brokaws/
The truth is that all men having power ought to be mistrusted. James Madison
Because Apple stopped selling versions older than 10.5 nearly two years ago and the upgrade to 10.6 is thirty dollars retail. Microsoft is still selling XP licenses.
Can you be Even More Awesome?!
Legal Trouble? Hahaha!
MS: "Here's $10,000"
"Okay, no more trouble!"
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?
Apple hasn't sold a computer with Mac OS X 10.4 on it for 4.5 years. They released a security patch for it 5 days ago. How long ago did MS stop licensing WinXP for sale on computers? Oh yeah, you still buy computers with WinXP on them because MS is still selling licenses.
I can't speak to the main issue of this story, but XP is anything but off the market. I bought a new copy of XP from New Egg last week for $90 and installed it on my daughter's computer. She has an older computer that cannot run Vista, and she lost her original XP CD. When her hard drive crashed, I replaced it and put the newly purchased copy of XP on it.
Okay, I have a weakness... sometimes I can't help responding to trolls and off-topic discussion.
Fox News does NOT more closely reflect what the general American public thinks. If that were the case, the initial positive approval ratings of Obama would have been reflected in Fox's news reporting. Most polls showed that Obama was welcomed with an enormous public majority favoring his getting into office. (FWIW, I am no Obama follower.) Further, and more recently, in countless polls early on in the healthcare reform initiative, most people favored healthcare reform quite strongly, with an overwhelming majority in favor of regulating the healthcare industry. Polls still report that the numbers are in favor of healthcare reform, and the Fox News view would seem to be quite different.
Not only this, but Fox News is more in the business of expression of opinion with the majority of its presentations and shows falling under the "editorial" category with its reporters performing all sorts of dramatics such as crying, screaming and in no uncertain terms calling Obama "racist."
I completely understand the psychology behind the need to "defend your favorites" because the things people favor are somehow a reflection of themselves and so they are actually defending themselves in a way. This is why Apple and Microsoft fans are so froth-mouthed. And while I am not going to claim that "all other news is neutral," Fox News is known world-wide as being owned and directed by a particular group of people with a particular agenda on various issues. And that group of people are FAR from a majority. And, of course, Fox News is so far to one side that they are actually attempting to move the center closer to themselves to make everyone else appear to be polarized in the opposite direction. In short, Fox News has the strongest reality distortion field of any "News" activity.
Wrong analogy, you are focusing on the wrong issue. Real analogy: Do you still expect Adobe to patch the latest versions of their software as long as they are in business? Yes. What if they had a DLL that was affected in *all* versions. Do you expect them to patch it with the latest version? Hell yes you do. This is not a car warranty, so that argument is completely null. Things that are on XP cannot necessarily magically be "upgraded" like you think; additionally, why should someone even feel remotely obligated to spend money on a new version of something that works just fine?
Car analogy: does the manufacturer shut down their car after 10 years if you can keep it running?
Why should MS exclude one?
Maybe you should think about the argument you are making, because it is off.
Apple hasn't sold a computer with Mac OS X 10.4 on it for 4.5 years. They released a security patch for it 5 days ago. How long ago did MS stop licensing WinXP for sale on computers? Oh yeah, you still buy computers with WinXP on them because MS is still selling licenses.
You're missing the point. The original poster claims that MS no longer patching XP is a reason to abandon Microsoft; no, it's a reason to upgrade to an OS that was released in the last few years.
MS still sells XP licenses because there's a demand for them. There are some people who will continue to demand XP as long as MS keeps supporting it, so the only way to make them upgrade is to stop supporting it. I'm sure Apple would still be selling 10.0 if there was a demand for it, but fortunately for them, the incremental style of Apple's releases makes it easy to see that their older OSes are crappy compared to the new ones.
Karma: Terrifying (mostly affected by atrocities you've committed)
The fix is to NEVER buy Microsoft products, again. Microsoft is a defective corporation that has made a mint off of selling knowingly defective products and reselling the HOPE that these defects will be fixed in the next update but reneging again, and again, and again, and again. MSFT's example of no/low quality has become the new American metric of quality, its business plan, corroding our society's business and work ethic, a complete mockery of the consumer laws on merchantability, deservedly debasing our reputation for quality goods.
Since the government has been ineffective in enforcing these laws, falling for MS legal theories, only insistent market rejection will [partially] protect a consumer from the borg. No doubt we will be seeing more FUD IP attacks, like SCO, traceable to MSFT. Good luck to all. Fsck MSFT.
Microsoft says "no"
Adding anything after the "no" is superfluous. We've learned that the hard way.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
You are showing your Microsoft-centric world view.
That's hilarious. Before jumping to wild conclusions about who I am, you should know that I've got four computers current in the room with me, and the only MS operating system is running in a virtual machine on one of them.
All I'm doing is pointing out that the argument in your original post is faulty.
To be honest, this...
In the Mac world, the need to constantly fix old mistakes just is not a problem. It's a non issue.
is pretty bad, too. So what do you do about old mistakes in the Mac world? Sweep them under the rug and pretend they didn't happen? Or are you saying that Apple just doesn't ever make mistakes?
Karma: Terrifying (mostly affected by atrocities you've committed)
Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
That doesn't make sense. Server 2003 and XP are nearly the same, how could they patch one and not the other?
I would put [citation needed] but I'd rather just say you're wrong and point out the release dates: ...and I don't even own a Mac!
OSX 10.0 - released March 2001
OSX 10.1 - released September 2001
Windows XP - released December 2001
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
There are few things more feasible than devoting a few engineers to working on a product used by tens of millions. That's the core definition of mass production and mass sales.
Legion are the feasible products that had a minuscule fraction of that, at best.
No, this is a lie whose purpose is to help twist the wooden stake in the chest of XP and 2000, both of which are still well-distributed at home and in business. Hell, I only had my 2000 machine replaced with an XP machine at work 3 freakin' months ago. And I'm one who gets regular upgrades at the premium "engineering" level computer = about 90% of the bleeding edge hardware capability, as my company defines that lol.
Note Microsoft got another OS sale for this new XP machine. Gotta really twist hard now in preparation for Vista++, whatever the hell it's called.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
And nobody here on Slashdot notices that they actually explained that XP past SP2 doesn't NEED the fix, as it's written and documented.
Reason: it's a flaw that affects all systems that have a listening service of some form on the firewall. All server OSes have it, Vista and Win7 have it, but XP doesn't.
So it doesn't NEED THAT FIX.
Stop Slashdotting and bashing Microsoft, all of you.
(And I fully support that they don't care about pre-SP2 Windows XP anymore, as no one should.)
it's not like anyone would ever write a virus capable of exploiting the hole that someone could accidentally install on their computer, behind the company firewall.
This hole isn't useful to build a botnet because the effect of an exploit is just RAM consumption, not arbitrary code execution. Virus authors have bigger fish to fry.
I haven't bothered to check... but didn't Microsoft just use BSD-licensed TCP/IP stack like everyone else? If they did that would make the code much older than 15 years. Which is fine. Old code doesn't imply bad.
Whoops, XP was released in October 2001, not December 2001. That's what I get for believing another poster... still later than OSX 10.1 though.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I would put [citation needed] but I'd rather just say you're wrong and point out the release dates:
Oops, sorry about that. Off the top of my head I thought 10.0 was early 2002, but I suppose not.
For what it's worth, you're wrong, too, because XP was released in October 2001.
You could just as easily put 10.2 in my original post, though, which didn't come out until August 2002, and Apple still doesn't port updates back to 10.2
Karma: Terrifying (mostly affected by atrocities you've committed)
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Interestingly enough, if you are that concerned about security, then you probably already installed at least SP2. Which means that your XP box is NOT vulnerable to this type of attack. I guess computerworld needed a flashy headline to get some clicks and ad revenue.
Posting this way up here so people see it. Summary is mostly incorrect. From TFA: "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
I wouldn't be surprised if there is a third party developer that creates a patch that fixes this. Wasn't there something like that a while back?
Procrastinating life away at a rapid rate of speed.
The above is clearly not a troll. One quick glance through my posting history will confirm that I believe these things. Feel free to believe that I am a crackpot, but anyone who doesn't understand that well-moneyed interests are the only true voters in this nation has truly missed the boat. If you can't read between the lines, then you'll never really understand anything. It's like all the idiots in the last couple days "RIP NORMAN BORLAUG"... the so-called green revolution has done little to nothing to feed the starving, but has pushed the use of synthetic pesticides and fertilizers as well as machine harvesting techniques that when combined kill off the soil. The evil done far outweighs the good. The Gates Foundation is very much the same thing. Time will prove me right, I wish it were otherwise.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Certainly not. Macs are made by humans. However, you must have lived on Mars the past decade to not notice the constant stream of viruses and other trojans that are so successful finding new exploits in the MS ecosystem. Though indeed problems do occur in the mac, they are on a vastly smaller scale than on Windows. So, though I did make an exaggeration by making an absolute statement, it does jive with reality. Having been a software developer professionally for 13 years and privately for 20, I stand by my assessment that MS makes crap.
That will be interesting under German law.
IANAL but I'm familiar with a few of the relevant regulations. One of them is that the customer has a claim against the dealer he got the software from. Not against Microsoft directly.
So in theory a pissed off customer in Germany could sue the dealer but not Microsoft. Maybe the dealer could sue Microsoft in turn, but I'm not sure about that. AFAIK contracts between companies allow a lot more exclusions of liabilities than contracts with consumers, so Microsoft may have guarded against that.
C - the footgun of programming languages
I would have pointed out that I was wrong about XP's release month sooner, but Slashdot's idiotic "you can't make another comment so soon!" (in addition to the "you can't edit posts") system prevented me... I didn't come back to it until a bit later.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Did you even check the link I posted? The link gave specific examples of the other news networks doing the same things you accuse Fox News of.
BTW, I have not watched more than 6 hours of Fox News programming since the network began. I believe that television is an inherently terrible place to get news from.
The truth is that all men having power ought to be mistrusted. James Madison
That says it all really. Win7 is a decent improvement, but I guess those people happy with their XP machines need some "motivation"...
"When information is power, privacy is freedom" - Jah-Wren Ryel
If it's less than one year old and the manufacturer refuses to fix critical problems with it, you should be able to hand your Windows license back and get a refund.
Installed the Bubblemon yet?
Micro$oft finally finds 15 year old bug in software but cannot fix it as no one writes assembler anymore!
The original poster claims that MS no longer patching XP is a reason to abandon Microsoft; no, it's a reason to upgrade to an OS that was released in the last few years.
So you propose looking up all the components of the products you buy and only buying products made with recent components? Computers with XP on them are selling today. It is a current product. Computers with OS X 10.4 haven't sold for 4.5 years and they're still getting support. That's why your comparison is garbage.
MS still sells XP licenses because there's a demand for them. There are some people who will continue to demand XP as long as MS keeps supporting it, so the only way to make them upgrade is to stop supporting it.
Sorry that doesn't wash. If MS is going to keep selling it they need to keep supporting it. If they determine they can't support it anymore, they need to stop selling it several years prior to that time. You know normal companies respond to customer demand, rather than dictate terms to customers. MS should have broken up years ago so the market could solve this problem.
I'm sure Apple would still be selling 10.0 if there was a demand for it, but fortunately for them, the incremental style of Apple's releases makes it easy to see that their older OSes are crappy compared to the new ones.
That's because Apple is about creating products to satisfy the demand of their customers, instead of creating products with new mechanisms for extracting money from their customers and then trying to force people to pay for the privilege.
The root problem is MS doesn't care about their customers because they don't have to to make money because they criminally leverage their monopoly as a revenue source.
It's actually Alexander Peter Kowalski, and he's a freakin nutjob.
His posts are ALWAYS like this... a bizarre mashup of English, symbols and general incomprehensibility.
He likes to piss and moan about the HOSTS file not allowing 0 as a shorthand for 127.0.0.1
-Yuri Klastalov-
... *Windows Genuine Abandonment.
If a car is discovered with a flaw in its design, then yes, they WILL cover a fix. Warranty or not.
Yes, the software they released was broken, so yes, they should be held responsible to fix it.
BTW, this is the ONLY way companies will start releasing better software, and the only way a company that makes an OS will put Design ahead of replacing it every 3 years.
"Microsoft are perfectly within their rights to "force" obsolescence onto users by concentrating on more recent versions of their software."
No.
They are within their rights to not add new features, cosmetic changes, and a lot of other things, but they aren't within their rights to sell a flawed product and then tell their customers to screw off.
The Kruger Dunning explains most post on
Correct me if I'm wrong. Microsoft is saying that because, by default, Windows firewall does not allow any listening services, the client is safe?
So anyone running Windows XP should not have any listening services. I just realized that, by default in our enterprise environment, the Windows firewall on our desktops is shut off (not my decision). This probably isn't a good thing.
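The exposure the two comments above describe is a listening TCP socket bound to a non-loopback address on a host whose firewall is off (or has an exception for that port). The following audit script is an added example, not code from the thread or from Microsoft: it parses `netstat -ano` output in the XP column layout and reports which listeners are reachable under a given firewall state. The netstat text and the firewall settings are constructed sample input, not taken from any real host.

```python
"""Audit which TCP listeners on a Windows XP host are reachable from the
network, given the host firewall state.  Added example with constructed data;
not part of the original thread."""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output in the XP format.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1112
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      10.0.0.7:51234         ESTABLISHED     1112
  UDP    0.0.0.0:500            *:*                                    704
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int


# Only TCP rows in LISTENING state matter for this check.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_tcp_listeners(netstat_text):
    """Return every TCP socket in LISTENING state from netstat -ano text."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), int(m.group(3))))
    return listeners


def exposed_listeners(listeners, firewall_enabled, open_ports=frozenset()):
    """Listeners reachable from other hosts.

    Loopback-only binds are never reachable.  With the firewall off every other
    listener is reachable; with it on, only ports that have an exception are.
    """
    reachable = []
    for lst in listeners:
        if lst.addr.startswith("127."):
            continue
        if not firewall_enabled or lst.port in open_ports:
            reachable.append(lst)
    return sorted(reachable, key=lambda l: (l.port, l.addr))


if __name__ == "__main__":
    ls = parse_tcp_listeners(NETSTAT_SAMPLE)
    print("firewall off:", [(l.addr, l.port, l.pid) for l in exposed_listeners(ls, False)])
    print("firewall on, RDP exception:",
          [(l.addr, l.port, l.pid) for l in exposed_listeners(ls, True, {3389})])
```

Run on a real box, the first list is what the "firewall disabled by policy" situation actually leaves reachable; the second shows that a single exception (here the constructed RDP one) is enough to put a listener back in scope for the advisory.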
Welcome to the Launch Nuclear Weapons Wizard
Please read the licensing agreement.
[Don't use against own country...Microsoft holds no responsibility...Mutants created by fallout may be used in Halo 4 marketing campaigns without prior consultation of blah blah blah...]
Are you launching towards a position more than 3000 miles from your current location?
Are you launching across the Pacific Ocean?
Are you launching across the Atlantic Ocean?
Ah...going over the North Pole to shorten flight time?
Errr...South Pole?
You aren't, by chance, located on the east coast?
Which would put you more than 3000 miles away from Redmond, Washington?
Bummer.
The Georginator himselficant couldn't pronunciaticate in a morely Bushified methodification if he triedicated.
Table-ized A.I.
First and foremost: remember, we're talking about Windows 2000 and Windows XP below.
CVE-2008-4609 documents a problem with TCP stacks where established connections (meaning the initial SYN, SYN+ACK, ACK have already been experienced) can renegotiate their TCP receive window size to a small value (no idea what "small" means) or zero, the result being the number of available sockets on the machine becomes exhausted over time. Since TCP window sizes are negotiated, but not necessarily respected, there's really nothing one can do about this other than fix the stack, or allow added tuning for this. You can force window sizes (like you mention in your post), but that does not guarantee the remote end will honour them. This is Normal(tm).
CVE-2009-1925 documents a much more serious problem with the Windows TCP stack: "a remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information." There's nothing one can do about this one other than fix the TCP stack. End of discussion.
CVE-2009-1926 documents a problem with the Windows TCP stack where an already established TCP connection, with an agreed upon small (again, no idea what "small" is) or zero-sized TCP receive window, is closed with data still pending on the socket (likely shown as SendQ). When this scenario occurs, the Windows TCP stack never removes this entry from the state table. There's no indication or documentation from Microsoft as to whether or not this applies to sockets which have a) already gone through the FIN, ACK, FIN+ACK, FIN+ACK handshake, or b) is stuck in a "half-open" state where either the teardown handshake is severed/botched in mid-stream, c) is stuck in a "half-open" state elsewhere before socket teardown, or d) is stuck in a "half-open" state during RST.
I think you're focusing on CVE-2009-1926, since you have excessive focus on "half-open" connections, but then simultaneously you switch to focusing on SYN.
> TcpMaxHalfOpen
> TcpMaxHalfOpenRetried
>
> Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)
"Half-open" can refer to one of two things, depending on who you talk to: where from a source, SYN has been sent but has not received a SYN+ACK back (Windows calls this state SYN_RECEIVE, *IX calls this SYN_RECV) -- or -- a socket that has already been established but during tear-down never completes the full 4-way handshake (see above).
> P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above)
> SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...
Please do not follow this advice. It has been stated by Microsoft in numerous KB articles that people should not use GlobalTcpWindowSize. The registry entry in question has been deprecated with the introduction of Windows 2000 and beyond; you should be using this.
Secondly, increasing/forcing/making static the TCP window size permitted does not "harden" the stack at all, or provide any direct effect on security. Instead, stop that and enable RFC1323 instead. There are numerous sites that describe this process. On servers in this day and age, RFC1323 is more or less mandatory, ideally if you're serving large content (greater than 64KB). Here are some links that describe RFC1323 in Windows:
http://searchnetworking.techtarget.com.au/tips/27055-How-to-use-TCP-RFC-1323-to-improve-Windows-XP-s-network-performance
h
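The CVE-2008-4609 and CVE-2009-1926 descriptions above both come down to the same observable symptom on the server: connections whose send queue never drains because the peer holds its receive window at a small or zero value, so the entry sits in the state table indefinitely. The script below is an added example, not from the thread or from Microsoft, of the check a defender can run against two connection-table snapshots taken a few seconds apart. The snapshots are constructed sample text in the Linux `netstat -tan` column layout (which prints Recv-Q and Send-Q, as the comment notes XP's netstat does not); the 198.51.100.9 and 203.0.113.4 addresses and the threshold of 3 are assumptions for the example.

```python
"""Flag TCP connections whose Send-Q stays non-zero and undrained between two
connection-table snapshots, then group them by remote host.  Added example with
constructed data; not part of the original thread."""
import re
from collections import defaultdict

# Constructed snapshots, `netstat -tan` layout, a few seconds apart.
SNAPSHOT_T0 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0  14600 10.1.1.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0  14600 10.1.1.5:80             198.51.100.9:40002      ESTABLISHED
tcp        0  14600 10.1.1.5:80             198.51.100.9:40003      FIN_WAIT1
tcp        0      0 10.1.1.5:80             203.0.113.4:55100       ESTABLISHED
tcp        0   2048 10.1.1.5:80             203.0.113.4:55101       ESTABLISHED
"""

SNAPSHOT_T1 = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0  14600 10.1.1.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0  14600 10.1.1.5:80             198.51.100.9:40002      ESTABLISHED
tcp        0  14600 10.1.1.5:80             198.51.100.9:40003      FIN_WAIT1
tcp        0      0 10.1.1.5:80             203.0.113.4:55100       ESTABLISHED
tcp        0      0 10.1.1.5:80             203.0.113.4:55102       ESTABLISHED
"""

ROW_RE = re.compile(r"^tcp6?\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_snapshot(text):
    """Map (local, foreign) -> (send_q, state) for each TCP row."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _recv_q, send_q, local, foreign, state = m.groups()
            table[(local, foreign)] = (int(send_q), state)
    return table


def stuck_connections(t0, t1):
    """Connections present in both snapshots with a non-zero Send-Q that has
    not drained at all between them: the peer is not opening its window.
    A normal slow client would show the queue shrinking."""
    stuck = []
    for key, (q0, _s0) in t0.items():
        if key in t1:
            q1, s1 = t1[key]
            if q0 > 0 and q1 >= q0:
                stuck.append((key[0], key[1], q1, s1))
    return sorted(stuck)


def peers_over_threshold(stuck, threshold=3):
    """Count stuck connections per remote host.  Many from one host is the
    exhaustion pattern worth alerting on; one is just a slow client."""
    per_peer = defaultdict(int)
    for _local, foreign, _q, _state in stuck:
        per_peer[foreign.rsplit(":", 1)[0]] += 1
    return {ip: n for ip, n in per_peer.items() if n >= threshold}


if __name__ == "__main__":
    found = stuck_connections(parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1))
    for row in found:
        print(row)
    print(peers_over_threshold(found))
```

The state column is carried through deliberately: an entry flagged in FIN_WAIT1 with data still queued is exactly the "closed with data still pending" case the comment describes for CVE-2009-1926, while ESTABLISHED entries match the CVE-2008-4609 window-renegotiation case. On a real server, feeding the script periodic netstat captures and alerting on the per-peer count is the practical detection; the registry tuning discussed in the comment does not make the state-table growth visible by itself.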
This looks like a class action lawsuit waiting to happen.
XP is still the main OS for netbooks, and if MS is going to sell (or allow others to resell), then they need to support it until there is an alternative for that class of hardware on the market. And I am guessing that Win 7 isn't going to run like everyone thinks it will on old/underpowered hardware, like the betas seemed to indicate.
As far as the argument that the XP firewall will prevent this, we all know that isn't true, not to mention, there are often times when running the XP firewall is undesirable, like on enterprise deployments that sit behind an edge firewall.
I doubt anything will actually happen, but it would be interesting if it did.
Clearly, you didn't read the article as it is not an issue for XP SP2 and SP3. Maybe remember this the next time you decide to use the word "clearly" and postulate on crap you don't know the details about. Fox News style indeed.
Support a great indie game: http://www.abaddon360.com
The cisco TCP bug notice
B-b-but we're not ON your lawn, sir!
Free Martian Whores!
The real issue is that I can walk into Walmart right now and buy a computer that comes with XP on it. Adobe may not support an 8-year-old version of Photoshop, but neither do they continue to sell that 8-year-old version today.
Do what thou wilt shall be the whole of the Law
We're talking about code that is 12 to 15 years old in its origin
Maybe you shouldn't have admitted that. And why, pray tell, is the code this old?
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
As opposed to the... decremental? style of windows releases? Spotty? Roller coaster? Wait. Isn't "upgrade" a synonym to increment? Oh.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
The problem is that anything can install such a listening service on XP making it instantly vulnerable. That XP SP2/3 isn't vulnerable by default is a 'mitigating factor' in MS Security bulletin lingo, not a reason not to patch.
I don't understand why they're dragging their feet, as sooner or later something installs a listening service (or the user already has such a service) and it's over.
Never underestimate the relief of true separation of Religion and State.
'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,'
Eh? You mean to say that Windows 2000 and Windows XP weren't "complete rewrites" like they claimed (at the time), and that that code goes back to NT4?
What about 2003 Server? Correct me if I'm wrong, but that's the same exact network codebase as XP. If you're going to patch 2k3, the amount of effort would be trivial to patch XP. (Often, the DLLs are even interchangeable, so it might be possible for a 'community' patch to be made.)
From where I'm sitting, this sounds like MS is putting a "real" EOL date (ie "today") on XP instead of "promised" EOL. That's a really crappy thing to do to your customers, as you can still get new Windows XP based devices (and they were commonplace as of a couple months ago). I'd suspect they're trying to push business clients to upgrade their networks due to the difficulty of "forcing" a customer to move from a 7-year-tested application framework to a new, yet-untested OS. I suspect it's been many years since small-medium businesses have given much money to Microsoft for OS licensing.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
They've pretty much stopped doing that, though there are still some out there with XP. I suspect any we see coming out after the Win7 release date will have Win7 Starter on them.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I believe that television is an inherently terrible place to get news from.
Yes it is truly terrible to trust the television because it is completely under the control of a government agency which does not have to abide by the constitution. And here in Canada it's a little worse, but less abused. From the page linked in previous post:
You said that it was critical for people to "vet information… because there is so much disinformation out there that it's frightening, frankly, in a free society that depends on information to make informed decisions." Mr. Friedman then chimed in that the Internet is "an open sewer of untreated, unfiltered information."
And soon the internet too will be brought under the umbrella of censorship, and then we'll be back to the dim ages.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
A good example of the "honest" reporting from non-Fox news organizations can be seen while examining this past weekend's 912 Project/Tea Party protest in DC. ABC News, specifically, was reporting 70k-80k people in attendance for a diverse base of reasons/no unified front. The reality, however, is that there was one primary (and very evident) unified front of "too much government/government spending", and that there were well over 1 million people present. While it might be difficult to prove there was over 1 million people in attendance, a review of the many stop-motion videos will show you that there was easily well over 100k people in attendance: people covering the 100' wide roadway all the way from the White House to the Capitol Building.
Sadly, this is just one of a handful of fraudulent reporting from CNN and ABC. They appear to be the worst offenders of late. Fox News isn't perfect, but anyone who's paying attention should be able to notice a bit of an echo chamber amongst the non-Fox news sources - and when Fox differs, an analysis of the information presented and facts available (photographic, independent 3rd party, etc.) tends to prove Fox in the right.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
By *default* XP doesn't have RDP running.
But how many run XP in its "default" configuration.
Run RDP and you're screwed, at least as far as anyone can tell.
It appears that with ANY listening service, which probably includes RDP, your XP station is vulnerable.
And forbid that you might be running some other agent/VNC/or other listening service.
To be clear... It appears that any non-firewalled listening service opens up this vulnerability. (ie. You run RDP and actually allow that port through even a running firewall. [You know, like it's not a lot of good running RDP if you can't get to it since it's firewalled.])
Go read the transcript. MS uses all sorts of weasel language to avoid the questions asked.
At best that means that someone could DoS all your XP stations (perhaps they'll have to be inside your network, but the next spyware/trojan infection could take down the whole network.) [This is true ONLY if the weasel explanation MS gave is actually what it appears - and given the true weasel nature, I'd guess it isn't.]
At worst, that next spyware/trojan could do remote code execution on the whole network running XP and turn everything into a zombie bot-net.
Oh, where do I sign up for that. That sounds like real fun!
-Greg
Of course the TCP/IP stack is older than XP. Perhaps they built one from scratch or maybe they bought someone's and extended it.
Now, I understand over time code can get really wonky and have lots of odd bits of cruft that are under documented and all of that.
Given the importance of I/O, Com and Net Access you would think that MS's TCP/IP stack would have been coded by the brightest of the bright and following all best practices, etc. They would have well-crafted, well-documented and even beautiful code, if you will.
http://www.hawknest.com/
Xtrace identifies the Vista TCP/IP stack as identical to the Windows NT stack. Obviously the code is similar at least. However, I would bet that its just a cut and paste job.
oh, that's right, you don't "do" open source and you want your customers to stop using that product even if it works well for them on the computers they're already running. I see now, never mind.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
There was an article on slashdot a couple weeks ago about training that Microsoft released ( http://linux.slashdot.org/story/09/09/05/195219/Microsoft-Attacks-Linux-With-Retail-Training-Talking-Points?from=rss ). If you look at the actual training, there's a slide that says "There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own." Looks to me like Windows users are on their own.
Don't underestimate the power of incompetence.
`echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
I'm assuming that your network is behind a NAT and a corporate firewall anyway.
Don't take life so seriously. No one makes it out alive.
It's amazing how many slashdotters totally ignore the fact that SP2 and SP3 DO NOT HAVE THIS BUG.
No new computers are being shipped without SP3 at this point, and if you haven't upgraded WinXP from the original retail version, that's your own problem.
"At worst, that next spyware/trojan could do remote code execution on the whole network running XP and turn everything into a zombie bot-net."
If you'd have read the bulletin, you'd have seen that remote code execution was not one of the possibilities for the bug in XP or Win 2k.
Don't take life so seriously. No one makes it out alive.
Yes. But that doesn't stop internal attacks.
MPunzalan@finkelsteinthompson.com
send an email to this guy - this is the firm that helped me on the EA Spore SecuROM case. I'll bet ten to one their systems run XP and they're unaware of Microsoft trying to worm their way out of a contractual obligation to provide support until 2014.
I just sent my email - I'd suggest more of you do the same so he takes notice and has more incentive to take the case.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Maybe they should make a campaign distributing pirates eye patches! Arrrrgh.!
The XP firewall is practically fucking useless to begin with. That still doesn't give them the right to jump out of a contractual support obligation 5 years in advance.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Maybe they lost the source code.
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
But you forget, you pay for the OS so get the real support from a real company that cares about its customers and not a collection of hairy hippies who tell you to RTFM when you try to install Linux on a crappy old dell with a busted harddrive.
Amazing, really, tomorrow there will be a story about linux and someone will post a story that paying MS means you got professional support. Denial, it must be a wonderful place to live.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
and maybe you ought to look a bit further down at the table of effects where it says the maximum effect on xp is denial of service.
Oh, wait...
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
> I don't understand why they're dragging their feet, as sooner or later something
> installs a listening service (or the user already has such a service) and it's over.
The reason why MS is dragging its feet is that by not patching MS Windows XP/v5 there will be less of a reason for users to not move onto MS Windows v7.
Where are they getting this 15+ year number from? XP was released almost exactly 8 years ago to the month.
MS08-048 fixes three vulnerabilities. The vulnerability that can result in a system compromise is CVE-2009-1925 and ONLY AFFECTS VISTA. The other two, CVE-2008-4609 and CVE-2009-1926 are denial of service attacks against listening services with no possibility for remote code execution.
Microsoft is basically saying that since 2000 and XP are only subject to a possible DOS of listening services, and are not intended as servers that the issue is not worth fixing. This would not be the first DOS only type of vulnerability that Microsoft has downplayed. They did however develop a patch to address their products that are intended as servers. Note that according to the MS KB article the patch does not eliminate the DOS vulnerabilities, but alleviates it by tweaking the algorithm used to drop open connections.
It's also not clear to me, but it may be possible to address this issue by setting some of the settings in the registry that control the max number of half-open connections (turned off by default in the usual MS way).
Here's more ammo - Microsoft offers a fix for Windows Server 2003 which is based on many of the same core components as Windows XP.
I noticed this as well, specifically on x64. From everything I've read, XP x64 is essentially 2003 x64 with some branding and defaults changed - even closer than the x86 variants of XP and 2003.
The 2003 x64 download is actually named WindowsServer2003.WindowsXP-KB967723-x64-ENU.exe, and appears to have installed just fine. I haven't rebooted yet, but I don't expect any issues based on what I've seen so far.
open source it so that people can fix bugs themselves.
The largest prime factor of my UID is 263267.
There are issues with security and governmental banking regulations that will not allow windows 7.
Care to elaborate? I work in IT at a bank and we're currently in the process of testing out Win7. I don't work directly in the Compliance department obviously, but I've not heard anything even remotely like this mentioned.
I'm now running version 5.2.3790.4573 of tcpip.sys, and TCP/IP appears to be working for me... You may be able to simply copy the DLLs over in x86 as well (possibly in Safe Mode or with a BartPE CD) if the actual installer won't do it.
It is worse than just not supporting the computers they are currently selling. Quitting support for XP is going to mean hardware upgrades for all the users that have only the hardware resources to run XP. As if we the people need this expense right now with the economy the way it is. My last round of PC computers were underpowered as part of the Vista Capable debacle. These machines aren't going to upgrade to Windows 7 because they are light on hardware. So what am I expected to do now, turn the other cheek again. Well Surprise, I don't have to. I am a confirmed switcher, and although I am still stinging from the Vista Capable lies, I love my Macs, and there will be no more money from me for Microsoft or the hardware OEM buddies. This should be a wakeup call to those on the fence.
I can't cite direct examples because I don't even know which bank you work for, but if you understand how banking TLS requirements go, it's kind of like that.
This stinks. A critical part of windows becoming unsupported.
What goes around comes around, I will remember that.
"Life is short and in most cases it ends with death." Sir Sinclair