Slashdot Mirror


Microsoft Says No TCP/IP Patches For XP

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"

  1. Yeah, right by DoofusOfDeath · · Score: 5, Interesting

    "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista"

    The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

    1. Re:Yeah, right by Shrike82 · · Score: 2, Informative

      From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you...

      --
      You can advertise in this sig from as little as £99.99 a month!
    2. Re:Yeah, right by Cryophallion · · Score: 5, Interesting

      I just had to post an invoice to the Marine Corps' web site. I luckily had one computer at work that was not upgraded to IE8. It would only respect IE6 or 7, and had some issues if I just changed the user agent on FF.

      If people keep being forced to upgrade their browsers, no one will be able to use the government systems anymore.

      I'm sure it will be an issue for the little companies billing, but you'll never hear about it.

    3. Re:Yeah, right by commodore64_love · · Score: 5, Insightful

      The Navy will simply subcontract-out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result. It will employ some 10,000 workers at a cost of 1.4 trillion dollars. Then it will fail to come-in on time, so they'll spend an extra 6 months and 0.3 trillion on schedule overrun.

      That's SOP for the government.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    4. Re:Yeah, right by Anonymous Coward · · Score: 4, Interesting

      Ah so when it comes to patching severe holes the codebase is way too old with its 12 - 15 years, but when it comes to revealing the source it is still very relative. Then how does patching very relative code become "not feasible"? "Can't" or "won't"? Which is it MS?

    5. Re:Yeah, right by commodore64_love · · Score: 5, Funny

      Whatever. I'll just keep using XP until it crashes-and-burns, and then I'll toss this PC into the trash and get a new $300 PC at walmart with Windows 8 already-installed. That's my upgrade path.

      BTW anyone want to buy a Windows 95 laptop? It's harmless (mostly).

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Yeah, right by oodaloop · · Score: 4, Informative

      The vast majority of DoD's systems are Windows XP with no plans of moving to Vista. US Central Command (CENTCOM) is the only command of which I've heard that has said it is moving to Vista, and FSM only knows why.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    7. Re:Yeah, right by Anonymous Coward · · Score: 2, Insightful

      Your car has a 15 year warranty I take it. And at your request your car manufacturer gave you all of the blueprints and circuit board diagrams and codes and sensor readouts and dyno information and design documents that helped them design and build your car right?

      It's infeasible to support code this old. They didn't say it was impossible. Infeasible means that yes, they could spend lots of their money fixing code that is 15 years old. They could also spend that money to try and make new software that performs better on the whole.

      Why do so many people dig into Microsoft for something that every company does? In fact, Microsoft is much better at supporting their older software than most companies. (Take a look at Apple for example).

      Stop blaming Microsoft for not pandering to your individual needs. They are a company. They make a product. Heaven forbid they try to make money off of it instead of offering insane 15 year + support.

    8. Re:Yeah, right by commodore64_love · · Score: 4, Interesting

      Many people have compared defense work to "white collar welfare". I think the private companies are more frugal than that, since they are constantly cutting costs & laying-off workers, but having worked at the FAA it seems like a sound argument. I saw government workers sitting around doing nothing but surfing the net day-after-day. The FAA could lay-off 75% of the workforce and not notice any drop in output.

      But of course if the FAA did that, then the politicians who represent those workers would scream bloody murder, and the layoffs would be canceled.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    9. Re:Yeah, right by MindKata · · Score: 3, Funny

      "From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you..."

      So a bit like the old saying, "That's like buying a dog, and then having to spend your time barking to scare off any potential burglars."

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    10. Re:Yeah, right by Moryath · · Score: 4, Insightful

      Translation: "Sales of Vista didn't go well due to Vista being crap, and Win7 isn't actually all that much better, so rather than offer a product people actually want we're going to exploit our monopoly and withhold necessary security fixes from others in order to force people to 'upgrade.'"

    11. Re:Yeah, right by HangingChad · · Score: 5, Funny

      The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP.

      I questioned the Navy's IT management for years, failing to see the long term wisdom behind the program and thinking it was a pork spending program awarded to political insiders. But, I'm forced to admit NMCI has been tremendously successful at bringing productivity to a near stand still. Patching computers no one can use is hardly even necessary.

      As a bonus the Navy has an inexhaustible supply of boat anchors!

      Absolutely brilliant.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    12. Re:Yeah, right by mabhatter654 · · Score: 4, Insightful

      Except I bought a brand NEW license of XP on my Acer netbook less than 1 year ago. That means Microsoft received NEW payment for that license in the last year (and a bunch of others) so obviously they're making money on it. Unlike patching cars you don't have to make additional parts, once you fix the problem in one copy of XP it is near-zero to fix the problem for ALL XPs as they're exactly the same.

      My local stores still sell NEW netbooks with NEW licenses of XP on them... where's bug support for the new buyers?

    13. Re:Yeah, right by PBoyUK · · Score: 3, Insightful

      The point is, it's Microsoft's fault that the problem has been allowed to escalate. It's Microsoft that released a hideous "upgrade" to XP and allowed it to continue well past the point where it should have been consigned to history. It's Microsoft that continues selling a defunct OS out of a scrambling fear to stop a competitor from making inroads into a netbook market that they had disregarded. How many millions of netbooks with XP on them have been sold over the past 2 years? MS apologists like yourselves harp on about how ridiculous it is to support a 15 year old codebase. But guess what, if you continued selling the product of that codebase until recently, then yes, the consumer has a right to expect it to be maintained.

    14. Re:Yeah, right by erroneus · · Score: 4, Interesting

      Actually, this isn't funny and may well be the type of attention-getting answer we need to this problem. People should start sending off some emails to their representatives that point this problem out. Microsoft says they are supporting Windows XP until 2014 for security matters and other serious problems. I'd say this qualifies. This "move" on Microsoft's part represents a squeeze play against all of its customers, not the least of which is the U.S. Federal Government. And with all the attention on money problems, it can't be ignored or written off.

      I foresee a congressional hearing on the matter should Microsoft continue down this road.

      If the government plans to spend trillions on this surprise upgrade requirement, perhaps moving to another OS might be another consideration to weigh in. We KNOW Microsoft will leverage its position as "the" OS vendor to do nearly anything it wants. We can't force them to behave. Perhaps the best thing to do is push the misbehaving child to the curb and use someone else's product.

    15. Re:Yeah, right by tbannist · · Score: 2, Insightful

      Apparently they mispronounced "unprofitable". Because that's why they're not doing it, they don't want to spend the money and plus they want everyone to (pay for the) upgrade to Windows 7.

      It's pretty much standard operating procedure for most corporations.

      --
      Fanatically anti-fanatical
    16. Re:Yeah, right by AngryNick · · Score: 2, Insightful

      So I should install a firewall between my computer and the 29,000 other XP machines on my corporate network? Thanks MS!

    17. Re:Yeah, right by pleappleappleap · · Score: 3, Interesting

      Well, that, and I think you'd find that the ones getting laid off wouldn't be the cruft. They'd lay off the productive workers preferentially.

    18. Re:Yeah, right by Estragib · · Score: 2, Insightful

      Alternatively, sue Microsoft because they're breaking a sales promise. Windows XP is officially supported ("Extended Support" including security fixes) until mid 2010.

      From Wikipedia:

      Windows XP Service Pack 2 will be retired on July 13, 2010, almost six years after its general availability. In accordance with Microsoft's posted timetable, the company stopped general licensing of Windows XP to OEMs and terminated retail sales of the operating system on June 30, 2008, 17 months after the release of Windows Vista. However, an exception was announced on April 3, 2008, for OEMs installing to ultra low-cost PCs (ULCPCs) either until June 30, 2010, or one year after the availability of the next client version of Windows, Windows 7 -- whichever date comes later.

      On April 14, 2009, Windows XP and its family of operating systems were moved from Mainstream Support to the Extended Support phase as it marks the progression of the legacy operating system through the Microsoft Support Lifecycle Policy. During the Extended Support Phase, Microsoft will continue to provide security updates every month for Windows XP, however free technical support, warranty claims and design changes are no longer being offered.

      They still sold/licensed XP as late as June 2008, which means that in Europe they're even in the mandatory two-year warranty period, regardless of whether they claim your warranty expired in the "Extended Support" phase. I hope they get sued to hell and back. And then back again.

    19. Re:Yeah, right by Mhtsos · · Score: 2, Insightful

      Maybe they should stop offering XP licenses then. (So what if it makes some room in the market for Ubuntu Netbook Remix)

    20. Re:Yeah, right by gad_zuki! · · Score: 4, Informative

      Actually they won't have to do anything if they are running SP2 or higher. They won't be patching VANILLA XP BUT SP2 AND LATER ARE FINE. RTFA:

      "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    21. Re:Yeah, right by gad_zuki! · · Score: 4, Informative

      How about you read the article before you start yelling at your congressman? RTFA:

      In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    22. Re:Yeah, right by Oswald · · Score: 4, Interesting

      Hey genius, you do realize that Windows XP is still being sold, right? That brand new computers are shipping by the thousand every single day with Windows XP as the OEM-installed operating system? Can you seriously claim that it's alright for them to just walk away from a product they are still shipping because they have better things to do with their time? Did you give your position even five seconds of thought?

      Congratulations, fucktard. Worst post of the day.

    23. Re:Yeah, right by bpprice · · Score: 2, Insightful

      If MS had simply created a standards-compliant browser years ago, then this problem wouldn't exist. By buying into a Microsoft-dominated vision of the future of computing (which will never come to pass) the government agencies and other business simply hurt themselves. A REAL browser upgrade is simply to one that meets standards. IE doesn't count in that regard.

    24. Re:Yeah, right by Moryath · · Score: 3, Informative

      Let's see... Kia, Hyundai, Mitsubishi and GM all offer 10-year powertrain warranties (that's "engine parts, transmission, drive system") on new cars. Chrysler's powertrain is covered for "lifetime" as long as you keep a record of proper maintenance.

      Yeah, that's not "bumper-to-bumper" coverage, but TCP/IP is pretty damn close to an "essential" part of the car.

    25. Re:Yeah, right by Just+Some+Guy · · Score: 2, Insightful

      Heaven forbid they try to make money off of it instead of offering insane 15 year + support.

      FreeBSD started as a branch of BSD, which began around 1977. Somehow a group of volunteers manages to support 32 year old code.

      --
      Dewey, what part of this looks like authorities should be involved?
    26. Re:Yeah, right by KnownIssues · · Score: 5, Interesting

      XP SP2 and later are fine by default. What does that mean? Does that mean it's the only possible configuration? Or is it reasonable that an XP SP2 computer could end up in a state where it does have a listening service configured in the client firewall? Doesn't Vista include "a stateful host firewall that provides protection for computers against incoming traffic from the Internet [...]"? I should think so, so wouldn't that invalidate their reasoning?

      I wouldn't be surprised if Microsoft is perfectly correct in not patching XP. The problem is how they communicate it. If they're patching Vista (a client OS) and they're patching Server 2003 (similar codebase to XP), then this makes it seem like they don't want to bother fixing XP, even though it's broken. If Microsoft had said, "the XP codebase is in no way vulnerable", I'd be completely satisfied. But they didn't. They said, "XP is broken, but by default it's protected".

      That's not good enough.

    27. Re:Yeah, right by MobyDisk · · Score: 3, Insightful

      This is not Microsoft's fault. Talk to whoever created a web site that only works in specific versions of a specific browser.

    28. Re:Yeah, right by Philip+K+Dickhead · · Score: 4, Insightful

      How does this rate insightful, when the fellow knows nothing about his topic?

      Weird assertion: "Sales of Win7 are down so low MS isn't even promoting it in most places"

      Newsflash: There is no retail release of Win7 yet.

      Good point? "underpromise and overdeliver. They have been doing the opposite and wonder why people hate them."

      Excellent diagnosis. MS should also learn how to sell to the business, preferably the CFO - not keep hyping 'features' to IT - often the most dysfunctional outfit in any org.

      Wild claim: "There are lots of groundbreaking problems that people will not touch with a 20 foot pole"

      C'mon! Cite a bloody reference, or just yell "FIRE!" in a crowded theatre!

      In reality you make claims about Windows 7 sales that cannot be backed up - and use unspecific criticism to support the claim, without evidence. Allow me to explain some basics.

      The bulk of Corporation and Government purchases? They already owned Windows 7, before it was released, through the Software Assurance benefit in their contract through their reseller. Microsoft measures "deployment", not "sales" with these folks... You know Home Depot, Wal*Mart, Hewlett Packard, General Motors, even Google.

      Despite not even being offered as a public, retail item, Windows 7 will do very well on the day it goes to market. Retail sales are a tricky number. Most are through OEM installation on new computers - not shiny disc SKUs. So, for 2 months, these have been ramped through the manufacturing channels.

      Let's talk in February - when the after-Christmas inventory purge is complete. Then we can compare notes.

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    29. Re:Yeah, right by Midnight+Thunder · · Score: 2, Funny

      BTW anyone want to buy a Windows 95 laptop? It's harmless (mostly).

      Bah, I am holding out for a Windows 3.1 laptop.

      --
      Jumpstart the tartan drive.
    30. Re:Yeah, right by EastCoastSurfer · · Score: 5, Funny

      I have a friend who just got hired into group A working for the DOD. His job is to track how the stimulus money gets spent in group B. Actually his entire group's job is to track that money. Guess what group B's job is? Track how the money gets spent in group A. It's so ludicrous that you can't make this stuff up.

      It's white collar welfare and has been for years. It's the advanced version of dig a hole and fill it in.

    31. Re:Yeah, right by iamhassi · · Score: 3, Informative

      "I don't particularly like Microsoft, in fact they are still my least favourite company in the world. But do you expect Adobe to keep bringing out patches for 8 year old versions of Photoshop?"

      Apples and oranges. Took M$ 5 years to come out with a new OS and that OS was crap, MS even admits Vista is crap. So it comes out with a new OS 3 years later but it's not released yet, no support for it.

      So MS is saying "We won't patch XP because it's old, the Vista OS we patched is crap so don't use it, and the new Win7 OS has not been officially released so no support. Good luck!"

      --
      my karma will be here long after I'm gone
    32. Re:Yeah, right by Anonymous+Brave+Guy · · Score: 4, Informative

      Sales of Win7 are down so low MS isn't even promoting it in most places.

      Maybe that's because it won't be released until 22 October?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    33. Re:Yeah, right by Binestar · · Score: 2, Insightful

      I know a lot of people who have pre-purchased Windows 7 to have on release day. I didn't see that happening with Vista.

      --
      Do you Gentoo!?
    34. Re:Yeah, right by TheRaven64 · · Score: 3, Insightful

      That's not really a fair comparison. The branch that is currently developed of the Windows NT codebase is Windows 7. The branch that is currently developed of the FreeBSD codebase is 8-CURRENT. Fixes are backported to 7-STABLE and 6-STABLE from there. FreeBSD 4 was the stable release series back when Windows XP was released, and it no longer receives updates. The last release from the 4.x branch was in 2005 and, although the RELENG_4 branch is still open for commits, it is not officially supported by the FreeBSD team. Of course, upgrading to FreeBSD 6 was free and easy for FreeBSD 4 users...

      --
      I am TheRaven on Soylent News
    35. Re:Yeah, right by Inf0phreak · · Score: 2

      Exactly. A million things could cause you to listen on a port. Bittorrent for a WoW update? Pretty much any multiplayer game? Did you enable remote desktop?

      This argument is pure BS. It's contrived and mangled in such a way that MS can get away with classifying this as a "low risk threat" so they don't have to patch it. To hell with leaving thousands if not millions of paying customers hanging. "UPGRADE TO WIN7 DANGIT! We need the money!"

      In addition, it is my understanding that this is a remote code execution vulnerability. Only in MS-land is remote code execution classified as a low risk threat.

      --
      ________
      Entranced by anime since late summer 2001 and loving it ^_^
    36. Re:Yeah, right by Sancho · · Score: 3, Informative

      Both Vista and Windows 7 were sold as pre-orders for a reduced cost. In fact, Windows 7 is doing better than Vista at pre-orders:
      http://www.crunchgear.com/2009/07/15/in-8-hours-windows-7-pre-orders-overtake-vista-pre-orders/

    37. Re:Yeah, right by shaitand · · Score: 3, Insightful

      Apparently the marketing trick worked. People are talking about Windows 7 as if it were something other than Vista when in reality it's Vista with a service pack and a rename.

    38. Re:Yeah, right by cenc · · Score: 2, Funny

      I say we send the Marines to storm the MS campus.

    39. Re:Yeah, right by knorthern+knight · · Score: 4, Insightful

      > They would also be perfectly within their rights to stop making
      > Windows altogether and start manufacturing refrigerators...

      Knowing Microsoft, it'll probably be their first product that never freezes.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    40. Re:Yeah, right by JasterBobaMereel · · Score: 2, Insightful

      Microsoft gave people the tools to make IE6-only websites and pushed hard to get people to use them.

      So IE6-only web applications are very common inside businesses (and the Navy).

      Microsoft have not given an easy upgrade path for any of these applications, and IE7/8 break them, and so it is 100% Microsoft's fault ....

      --
      Puteulanus fenestra mortis
    41. Re:Yeah, right by shutdown+-p+now · · Score: 2, Informative

      In addition, it is my understanding that this is a remote code execution vulnerability.

      It is in Vista and Win2008, where it is fixed. In XP, it's just a DoS attack.

    42. Re:Yeah, right by TClevenger · · Score: 2, Funny

      Would you expect a car manufacturer to offer a 10 year warranty on all of their cars?

      No, but I expect them to honor the warranty they already offered. Microsoft said that they would provide critical security updates to Windows XP until 2014. This is a pretty critical bug, but they decided to downgrade it so they don't have to fix it.

    43. Re:Yeah, right by Anonymous Coward · · Score: 2, Informative

      Yes, but from the transcript linked in the summary:


      Q: Is Windows XP vulnerable to MS09-048 without the Windows XP firewall?

      A: Yes but only for the two DoS vulnerabilities. The bulletin has been updated to indicate this and the severity for XP is low.

      This means in some corporate environments where IT has disabled the Windows FW, SP2 and SP3 are still vulnerable to DoS. And that vulnerability still hasn't been patched.
      So at its core the XP TCP/IP stack will still have this problem.
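
The firewall condition discussed in the comments above (XP SP2/SP3 is shielded only while the host firewall is on and no inbound exception exposes a listening service) can be checked per host. The following is an added example, not part of any comment in the thread: it parses `netstat -an` output and reports which listening TCP ports are reachable from the network. The sample output, the exception lists and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output from a Windows XP host
# (illustrative data, not taken from the thread or the advisory).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches TCP rows in LISTENING state: "TCP <addr>:<port> <foreign> LISTENING"
_LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text):
    """Return the sorted TCP ports listening on a non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        match = _LISTEN_ROW.match(line)
        if not match:
            continue  # header, UDP row, or a connection that is not LISTENING
        addr, port = match.group(1), int(match.group(2))
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback listeners are not reachable from the network
        ports.add(port)
    return sorted(ports)


def reachable_ports(netstat_text, firewall_enabled, excepted_ports=()):
    """Ports a remote host can reach.

    Assumption: excepted_ports is the already-resolved set of TCP ports that
    the host firewall's inbound exceptions open (port or program exceptions).
    """
    listeners = listening_tcp_ports(netstat_text)
    if not firewall_enabled:
        return listeners  # nothing filters inbound traffic
    allowed = set(excepted_ports)
    return [p for p in listeners if p in allowed]


def assess(netstat_text, firewall_enabled, excepted_ports=()):
    """Summarise exposure in the terms used by the quoted advisory."""
    ports = reachable_ports(netstat_text, firewall_enabled, excepted_ports)
    if not firewall_enabled:
        status = "firewall off: every network listener is reachable"
    elif ports:
        status = "firewall on, but exceptions expose listeners"
    else:
        status = "firewall on, no exposed listeners (default configuration)"
    return {"reachable": ports, "status": status}


if __name__ == "__main__":
    # Default host, host with Remote Desktop excepted, host with firewall disabled.
    for fw, exc in [(True, ()), (True, (3389,)), (False, ())]:
        print(fw, exc, assess(SAMPLE_NETSTAT, fw, exc))
```

On a real host, feed it the output of `netstat -an`; the excepted ports have to come from the firewall configuration, including ports opened through per-program exceptions.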

    44. Re:Yeah, right by Fulcrum+of+Evil · · Score: 2, Insightful

      Sure, it's immune as long as you don't run remote desktop on your XP box. I mean, who does that?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    45. Re:Yeah, right by harmonise · · Score: 3, Funny

      It's the advanced version of dig a hole and fill it in.

      Two blonde girls were working for the county public works department. One would dig a hole and the other would follow behind her and fill the hole in. They worked up one side of the street, then down the other, then moved on to the next street, working furiously all day without rest, one girl digging a hole, the other girl filling it in again.

      An onlooker was amazed at their hard work, but couldn't understand what they were doing. So he asked the hole digger, "I'm impressed by the effort you two are putting in to your work, but I don't get it... why do you dig a hole, only to have your partner follow behind and fill it up again?"

      The hole digger wiped her brow and sighed, "Well, I suppose it probably looks odd because we're normally a three-person team. But today the girl who plants the trees called in sick."

      --
      Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
    46. Re:Yeah, right by JWSmythe · · Score: 2, Interesting

      Citations ... err ... clarification please.

          Toyota Vista (Rebadged Toyota Camry)

          Indica Vista (Indian made/sold car)

          Dodge/Plymouth Colt Vista Wagon (Rebadged Mitsubishi Chariot)

          Eagle Vista (Rebadged Mitsubishi Space Wagon)

          Thomas Vista a mighty big station wagon. :)

          Oldsmobile Vista Cruiser The "That 70's Show" classic 1969 Vista Cruiser. :)

          The only Vista I'd want to own is This One (More Information), but fuel is kinda expensive.

      --
      Serious? Seriousness is well above my pay grade.
    47. Re:Yeah, right by shaitand · · Score: 2, Insightful

      "The start orb now has a fade-in highlight effect when the user moves the mouse over it."

      Truly I was mistaken. Clearly these are the sort of things that distinguish one operating system from another and are not merely a fluff list.

      It's not the size of the feature list, but how you use it. Quite frankly, if fade-in highlight effects are even on the list then it is obviously a slow news day.

  2. Unclear by coastwalker · · Score: 4, Interesting

    It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

    --
    Facts are history now plebs have politics for religion on social media.
    1. Re:Unclear by Corporate+Troll · · Score: 2, Informative

      It reminds me a bit of NT 4.0 back in the day. They stopped giving out patches for critical vulnerabilities 6 months before the EOL of NT 4.0. The reasons were similar: "It cannot be done". How far away is the official EOL of Windows XP? Somewhere in 2012, no?

    2. Re:Unclear by noundi · · Score: 2, Interesting

      It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

      Excellent point. I wonder if this could put MS into legal trouble. Does anybody know what software distribution laws say about distributing software with known security issues without the intention of filling them? Are they at least bound to notify the user? I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified. Surely this should be a more valid suit, as you don't even need to be a complete moron to get affected.

      --
      I am the lawn!
    3. Re:Unclear by Drakkenmensch · · Score: 2, Insightful

      It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

      The Coca-Cola Corporation also had a steady worldwide revenue stream with its nearly 80 years old original Coke formula, and everything went smoothly when it upgraded it to the improved and more delicious New Coke- Oh wait.

    4. Re:Unclear by Corporate+Troll · · Score: 4, Informative

      Here you go. Extended support is well into 2014. Mainstream support has already ended though.... Which is very strange considering XP is still sold with netbooks.

    5. Re:Unclear by blueg3 · · Score: 2, Insightful

      There are essentially no software liability regulations.

    6. Re:Unclear by David+Gerard · · Score: 3, Informative

      It does if you have 2 gig of memory. Bit cramped with 1 gig. Unusable with 512MB.

      Windows 7 is more user-responsive than Vista, but its arse is just as fat.

      --
      http://rocknerd.co.uk
    7. Re:Unclear by BlueStrat · · Score: 2, Insightful

      It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

      The Coca-Cola Corporation also had a steady worldwide revenue stream with its nearly 80 years old original Coke formula, and everything went smoothly when it upgraded it to the improved and more delicious New Coke- Oh wait.

      Well, this is just MS's own business practices backfiring. MS with XP, Vista, and Win7 is now competing with itself, so MS's own aggressive monopoly defenses/dirty tricks dept. is seeking to derail its own most successful OS! I wonder if they'll try to embrace, extend, and extinguish themselves next?

      Yes kiddies, that was sarcasm.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  3. In other words by mc+moss · · Score: 3, Insightful

    "not feasible"

    yeah right, more like MS wants people to move onto Windows 7

  4. Infeasible? by YuppieScum · · Score: 5, Funny

    That's unpossible!

    --
    This sig left unintentionally blank.
    1. Re:Infeasible? by commodore64_love · · Score: 2, Interesting

      There's nothing wrong with inventing words.

      "Colonize" didn't exist until the printer Benjamin Franklin started using it (and the British printers criticized him for turning a noun into a verb). These are called inkhorn words, because it's as if they magically sprung from the ink well. Some succeed while others like Bush's "misunderestimate" or Jefferson's "undamage" did not.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    2. Re:Infeasible? by Chapter80 · · Score: 5, Funny

      Verbulating is commonstuff. What's surprisamazing is that the hypermajority of communicenglishers can simpquickly graspulate the vocabulextension.

  5. Upgrade or Else by Cryophallion · · Score: 4, Interesting

    So, basically, upgrade or you'll be hacked?

    Two questions:
    1. Does 7's XP mode potentially have this issue, or is there a compatibility layer so xp doesn't talk directly to the network?
    2. They seemed to be able to make massive security updates for code that was that old, and still patch a number of other issues. What about this REALLY makes it so hard to code?

    In the end, while I understand not wanting to waste resources on way older products, I think it is a marketing move.

    1. Re:Upgrade or Else by jonbryce · · Score: 3, Insightful

      The XP virtual machine is not accessible from outside as it talks via a NAT router. Any attack would need to come from the Windows 7 host machine, but if that was pwned, there are many other ways to attack the XP virtual machine.

    2. Re:Upgrade or Else by FaxeTheCat · · Score: 2, Informative

      >So, basically, upgrade or you'll be hacked?

      No. It is a DoS attack. It will not even crash your computer. For the average user, it is harmless.

      Quote from MS:
      The DoS attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity Low for Windows XP.

  6. making Vista/Win7 look good by Clover_Kicker · · Score: 2

    How very serendipitous for Microsoft, people now have a reason to upgrade from XP.

    I ran W2K on my desktop until a couple of years ago, i.e. until the patches stopped coming W2K did everything I needed.

    Guess I'll have to consider Win7 now...

  7. That's why I like open source by jgardia · · Score: 5, Interesting

    well, that's one of the positive aspects of the open source code. If the main developer doesn't want to fix something, then someone else can do it.

    1. Re:That's why I like open source by timeOday · · Score: 2, Funny

      The exploit is known... So somebody needs to turn the exploit into a patch. Shouldn't be that hard.

      No, it's "infeasible," Microsoft said so! Are you calling them a liar !?

  8. Question by bjackson1 · · Score: 5, Interesting

    Isn't the codebase for XP and Windows 2003 essentially the same? Why can't the 2003 patch be modified? I don't remember reading that the TCP/IP stack was that different in 2003.

    1. Re:Question by Anonymous Coward · · Score: 5, Funny

      You are forgetting that code ages over time. I think it has something to do with the proteins and atoms. That is why they have to make new versions.

    2. Re:Question by Amnenth · · Score: 3, Informative

      XP and 2003 are distinct at the 32-bit level.

      However. XP x64 is actually just Server 2003 x64 rebadged.

  9. 15 years old by vxvxvxvx · · Score: 5, Insightful

    While the code may very well be 15 years old, that does not really matter to the user. What matters is how long ago Microsoft sold the product. If they sell software today that uses some code written 15 years ago you should be able to expect security updates for some period of time. Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.

    1. Re:15 years old by Anonymous Coward · · Score: 5, Insightful

      This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.

    2. Re:15 years old by ericlondaits · · Score: 2, Informative

      From the article:

      In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

      Microsoft has been selling Windows XP SP2 and SP3 for some time now. I really wouldn't expect them patching plain old XP.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    3. Re:15 years old by mcgrew · · Score: 2, Insightful

      Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.

      If a defect in a 1994 Taurus was found, Ford would recall the vehicles at great expense to them. Especially if it was a design defect in an engine that was basically used in an engine still produced for a 2003 Taurus.

      There is NO excuse for any software company to NOT patch security holes in any product, no matter how old.

    4. Re:15 years old by kimvette · · Score: 2, Insightful

      And yet, it is still available through OEM channels. Maybe distributors are ordering it through a wormhole?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    5. Re:15 years old by tepples · · Score: 2, Insightful

      This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.

      The article mentioned an effective workaround: turn on Windows Firewall.

  10. I agree by ZekoMal · · Score: 2, Insightful
    When you release something and then release something else, you should stop supporting the previous thing so that everyone is forced to buy the new one, even if it isn't necessarily better. You know, kind of like if Sony told you to take your PS2 and stuff it if something went wrong with it because the PS3 is out now.

    MS hate aside, they're just doing what they've always done. We don't get our panties in a knot when they don't release a Win 98 patch, do we? With Win 7 on our doorstep, there is no reason for MS to be supporting three separate OS. Well, aside from customer service. I just sort of shrug my shoulders and deal with it. Anyone running XP knows they're doing it because Vista/7 don't appeal to them; deal with the consequences.

    1. Re:I agree by CAIMLAS · · Score: 2, Informative

      Except we're not talking about consumer toys and electronics (though some might argue that Windows XP is a 'toy OS'). We're talking about the OS with the largest corporate/business install base, ever. And there has been an official EOL date known for some time now - and this falls before that date.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  11. In other News: XP not affected by Vista/W7 bugs! by kevingolding2001 · · Score: 3, Insightful
    From the FA. (Emphasis mine)

    The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."

    Yes, it's easy to take the "We won't be backporting this fix" stance when the old OS isn't vulnerable in the first place.

  12. Remote code execution is LOW impact? by Ancient_Hacker · · Score: 3, Insightful

    For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

    And somehow, the TCP stack, perhaps the most modular and with the most well-defined interfaces, can't be replaced wholesale.

    This makes no sense, unless they're trying to get people to spend $$$ on moving to "Windows 7",
    or as the cognoscenti call it, "Vista SP2".

    ooooohhh.....

    1. Re:Remote code execution is LOW impact? by nielsm · · Score: 3, Insightful

      There's no remote code execution possible with this on XP, only DoS. You can make the system essentially freeze while the packeting is going on but that's it. Only Vista and Server 2008 have remote code execution exploits from this bug.

      Also you can only exploit this if the machine has software accepting TCP connections. If you have an (application) firewall blocking all incoming connections with no exceptions (such as XP SP2+ has by default) there's no real problem.

    2. Re:Remote code execution is LOW impact? by Daltorak · · Score: 2, Informative

      For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

      But that's not what they're doing! There is no remote code execution vulnerability on Windows 2000, XP, or Server 2003. Only Vista and Server 2008 are susceptible to remote code execution. This is a Denial of Service vulnerability on NT 5.x systems, and you have to have the firewall disabled (and, indeed, no stateful hardware firewall at all) in order to be vulnerable.

      The details are here:

      http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx

      It's fine to criticise Microsoft for not releasing a patch for XP, but let's at least get the facts about the vulnerability straight, first, yeah?

  13. XP Still supported on netbooks. by Chrisq · · Score: 5, Interesting

    Since XP is still being shipped and supported on netbooks this seems a little strange. What's the message - spend extra on memory and hard drive so that you can run XP instead of Linux but we won't give you security patches?

    1. Re:XP Still supported on netbooks. by gad_zuki! · · Score: 2, Informative

      If you read the article you'll see systems with SP2 or SP3 are unaffected:

      "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

  14. In other news... by Temkin · · Score: 5, Insightful

    In other news... 10 year old Linux 2.4 kernel patched yesterday...

    1. Re:In other news... by UnderDark · · Score: 5, Informative
  15. My job is to apply "The Formula" by Stenchwarrior · · Score: 5, Funny

    A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crushes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

    If X is less than the cost of a recall, we don't do one.

    --
    Loading...
    1. Re:My job is to apply "The Formula" by jollyreaper · · Score: 2, Insightful

      A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crushes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

      If X is less than the cost of a recall, we don't do one.

      The first rule of screwing the public is we don't talk about screwing the public.

      The second rule of screwing the public is WE DON'T TALK ABOUT SCREWING THE PUBLIC!

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    2. Re:My job is to apply "The Formula" by R2.0 · · Score: 2, Informative

      "Ford tried that one, and when found out C became much larger. It is not a good business plan."

      Kind of. The Pinto gas tank issue had far more to do with Lee Iacocca when he was at Ford. In order to compete with the imports, he gave the designers and engineers a simple directive: "2000#, $2000". Whenever an issue made it up to his office, that was the answer the engineers got - including the gas tank issue. That way, he could deny having "decided" anything. The cost/benefit analysis was more a matter of cover for decisions that had already been made.

      "Class Action" may have borrowed elements from the Pinto, but it was fiction.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
  16. "Infeasible": Translation.. by multipartmixed · · Score: 5, Funny

    ...we lost the source code, we kept it in Microsoft Source Safe and it ate it.

    --

    Do daemons dream of electric sleep()?
  17. US Navy already ditching M$ by SgtChaireBourne · · Score: 4, Interesting

    The U.S. Navy's and Marine Corp's NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

    Since 2008, the US Navy will acquire only systems based on open technologies and standards. That excludes M$ products explicitly in every way but name. The TCP/IP being just one example of failure on M$ part to implement standards. US Navy is ditching M$.

    They'll probably go with an American company like Red Hat or roll their own spin of Red Hat.

    The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not? If you've got Windows on your network, then you have a personnel problem, not just a network security problem.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:US Navy already ditching M$ by oodaloop · · Score: 3, Insightful

      Interesting article. I work with the Navy, as well as other services, DoD, etc and have never heard this. I've also seen the DoN purchase proprietary systems this year alone, so at least some people haven't gotten that memo. Perhaps for areas where viable open source alternatives exist, I could see that, like for servers. But many of the workstation applications have no alternative. And with changes in command every few years, his successor is just as likely to continue with MS as not.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:US Navy already ditching M$ by icebraining · · Score: 3, Insightful

      Red Hat is a commercial product. They're moving to the best of the two worlds: a cheap commercial product which they *can* adapt to their needs.

    3. Re:US Navy already ditching M$ by drinkypoo · · Score: 3, Informative

      The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not?

      You are being ridiculous. Microsoft under Bill Gates got a free pass from Ashcroft. The Gates Foundation is part of a program to push western IP law throughout the world; if you don't provide patent and other protections for big pharma, you don't get any inoculations. At the same time, the Gates foundation is making for-profit investments in things like oil refineries which are causing lung bleeding in children they're providing inoculation to. Meanwhile, the stated goal of eliminating certain diseases is impossible because the restrictions the foundation is placing mean that not all nations will pick up the inoculations, and a partial cure is no cure.

      Bill Gates is now part of the power structure controlling America and attempting to use it to control the world. Barring some one-step-away-from-a-persian-cat-and-a-monocle actions by BillyG, his future is secure.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. the true cost by mach1980 · · Score: 3, Insightful

    The true cost of releasing a patch is not in compiling and distributing the fix. The money is spent on verification. By not releasing the patch to XP and w2k my estimates are that Microsoft is saving man-years in verification.

    --
    Break the sound barrier - bring the noise.
  19. Xubuntu (or your favorite) for Netbooks by Archeopteryx · · Score: 2, Insightful

    There is really no reason for XP on a netbook any more. You aren't using it as a high-end gaming platform. You aren't running Adobe Creative stuff on it.

    You are using it to run FireFox, edit documents, read, IM and send email.

    Linux has all that covered and is even document-compatible with Windows.

    I have a Eee 900A with a 32GB SSD in it running Xubuntu and I connect to a corporate Radius network, bluetooth tether to my phone, and even use the web version of outlook on it to get at calendars.

    Flash even works.

    The only thing I can't do that would be nice is play Netflix movies as the Moonlight package does not have DRM in it (and likely never will.)

    --
    Dog is my co-pilot.
  20. Wouldn't SynAttackProtect work here? (on 2000 too) by Anonymous Coward · · Score: 3, Interesting

    The DOS/DDOS possible via the latest weakness in Windows 2000's IP stack @ least (uses RDR20.DLL as the LSP (layered service provider) vs. MSWSOCK.DLL (the LSP used in XP/Server 2003 onwards, by way of comparison, & this is where I think the problem lies largely, as it is the "most radically different part" of the IP stack in Windows 2000 vs. the more current builds of Windows that I could see @ least)?

    WELL - That's taken care of by the SynAttackProtect setting here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    What does it do??

    http://msdn.microsoft.com/en-us/library/aa302363.aspx

    Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

    TcpMaxPortsExhausted
    TcpMaxHalfOpen
    TcpMaxHalfOpenRetried

    Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)

    This SynAttackProtect registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).

    2: Set SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests quickly timeout when a SYN attack is in progress. This parameter is the recommended setting.

    NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows

    -----

    IIRC? This is called the "Silly Window Syndrome", & this is a way, in theory, around it... & iirc, "Scalable Windows", via setsockopt API calls from an attacker are what the problem is here anyhow & this ought to 'stall it'... thoughts/feedback?

    APK

    P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above) SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...

    Thus, effectively stalling the ability to use TcpWindowScaling is stopped by SynAttackProtect too, so an attacking system/app sending a setsockopt of 0 for this SHOULD also be nullified, on a server also...

    (However/Again - Workstations are easily taken care of , vs. servers, just by what I wrote up above either by PORT FILTERING)

    IP Security Policies, which can work on ranges of addresses to block, OR, single systems as well you either ALLOW or DENY to talk to your system, still can help also... vs. a DDOS though? SynAttackProtect is your best friend here... you'd use netstat -b -n tcp to see which are held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR WAY (or just by doing it in a router or routing table)... takers anyone, on these thoughts (especially for Windows 2000)?

    Thanks for your time... apk
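
The half-open check mentioned in the comment above, as an added example that is not part of the original post: a Python parser for Windows `netstat -n -p tcp` output that counts connections sitting in SYN_RECEIVED per remote address and per local port. The sample output, the addresses and the per-source limit are constructed for illustration.

```python
from collections import Counter

# Constructed sample of Windows `netstat -n -p tcp` output.
# Addresses are from the documentation ranges (RFC 5737); none are real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:40001     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40002     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40003     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40004     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:51820      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:51821      ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.44:60211     TIME_WAIT
"""

# Windows netstat prints SYN_RECEIVED; Linux net-tools prints SYN_RECV.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6addr]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)  # int() raises ValueError on junk


def parse_connections(text):
    """Return a list of dicts for every TCP row; headers and noise are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        try:
            local_host, local_port = split_endpoint(fields[1])
            remote_host, remote_port = split_endpoint(fields[2])
        except ValueError:
            continue  # malformed address column, ignore the row
        rows.append({
            "local": (local_host, local_port),
            "remote": (remote_host, remote_port),
            "state": fields[3].upper(),
        })
    return rows


def half_open_report(text, per_source_limit=3):
    """Summarise half-open connections.

    per_source_limit is a hypothetical threshold chosen for this example:
    a remote address holding more half-open connections than this is listed
    as a suspect, most connections first.
    """
    half_open = [r for r in parse_connections(text)
                 if r["state"] in HALF_OPEN_STATES]
    by_source = Counter(r["remote"][0] for r in half_open)
    by_local_port = Counter(r["local"][1] for r in half_open)
    ranked = sorted(by_source.items(), key=lambda kv: (-kv[1], kv[0]))
    suspects = [addr for addr, count in ranked if count > per_source_limit]
    return {
        "total": len(half_open),
        "by_source": by_source,
        "by_local_port": by_local_port,
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = half_open_report(SAMPLE_NETSTAT)
    print("half-open connections:", report["total"])
    for port, count in report["by_local_port"].most_common():
        print(f"  local port {port}: {count}")
    for addr in report["suspects"]:
        print(f"  over limit: {addr} ({report['by_source'][addr]} half-open)")
```

A total that stays high while no single source exceeds the limit points to a distributed or spoofed-source flood, where per-address blocking does little and the stack-level settings or an upstream filter matter more.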

  21. 2014 ???? by m0s3m8n · · Score: 4, Insightful

    I guess these guys did not read: http://support.microsoft.com/gp/lifepolicy XP extended support goes thru 2014 and supposedly covers security fixes. I would think this counts as a security fix.

    --
    Conservative, mod down for violating /. political norms.
  22. Halliburton by Doc+Ruby · · Score: 2, Interesting

    Why not? The Pentagon continued using Halliburton for years, on huge no-bid contracts, even when its divisions were installing showers in Iraq that electrocuted our servicemembers. And that's just the worst failure the public heard about, after most of a decade of abusive cronyism.

    Microsoft is much richer than even Halliburton, and its failures much less publicly scandalous. Why would it face a tougher standard? I'm sure Dick Cheney owns a lot of Microsoft stock, too.

    --
    make install -not war

  23. Bad Car Analogy. You know it is coming ;-) by 140Mandak262Jamuna · · Score: 4, Insightful
    Would we really accept the following situation?

    Today GM announced that the GMC trucks have some fundamental flaw and they are prone to explode randomly. GM said it won't fix the issue because the design is very old, and fixing it is unfeasible. When asked if they will when they stopped shipping trucks with the fatal flaw, GM spokesman said, "we have not stopped building or shipping them yet. We need to compete with the low cost competitors in the net-truck market and so we continue to make and ship the trucks, but we won't fix the safety issue. The drivers may wrap themselves in bags filled with thermocol peanuts to get some measure of protection.

    If not, why do we let Microsoft get away with it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Bad Car Analogy. You know it is coming ;-) by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Your analogy is flawed in three ways. First, MS doesn't make cars. Cars are useful. MS makes an OS which is a system component and pretty much useless by itself. Second MS is a monopoly, whereas GM is not. Third, the flaw in XP is unlikely to result in fatalities or even serious injury. Allow me to fix your analogy:

      Today GM announced that the GMC trucks have some fundamental flaw in the lock mechanisms and they are prone to open and start the truck randomly. GM said it can't fix the issue because the component is supplied by EvilCorp and current law makes it illegal for them to change anything inside the locking mechanism device. Further GM can't buy locking mechanisms from anyone else because EvilCorp has a monopoly on selling them and has used criminal acts to drive all real competitors out of business. EvilCorp has already lost court cases to that effect, but after making campaign contributions to your elected officials decided not to punish them. EvilCorp says the design is very old, and fixing it is unfeasible. When asked if they will stop shipping trucks with the flaw, GM spokesman said, "we have not stopped building or shipping them yet. We don't have any real options here. We did try partnering with a company that repackages locking systems made for free by a nonprofit organization, but they aren't compatible with existing trailer hitches, AC systems, or tires and switching all of those is hard to do since all the component suppliers out there build them to work with EvilCorp products. Also EvilCorp gives away free gas tanks with every lock mechanism, but because they are really weird, gas has had to be reformulated so it has problems working in gas tanks from any normal company and nobody really sells standards compliant gas anymore. Car buyers are encouraged to remove the batteries from their trucks whenever they stop and park them in locked garages if they contain anything valuable."

  24. Re:Wouldn't SynAttackProtect work here? (on 2000 t by The+Yuckinator · · Score: 2, Funny

    Alex P. Keaton is an MCSE? Is there anything that guy can't do?

  25. Microsoft extends XP downgrade option to 2101 by David+Gerard · · Score: 3, Interesting

    Microsoft Corporation has announced a limited one-off extension of availability of its Windows XP operating system to April 2101 after criticism from large customers and analysts. This is the fifty-sixth extension of XP's availability since 2008.

    Through successive releases of Microsoft's flagship Windows operating system, demand for XP has remained an important factor for businesses relying on stable XP-specific software and installations, who have pushed back strongly against the software company's attempts to move them to later versions. Windows administration skills have become rare in recent years and consultants have demanded high fees. Reviving Windows administrators from cryogenic freezing has proven insufficient to fill the market gap, as almost all begged to work on COBOL instead.

    "Windows XP is currently in the extremely very prolonged super-extended support phase and Microsoft encourages customers to migrate to Windows for Neurons 2097 as soon as feasible," said William Gates V, CEO and great-grandson of the company founder. "Spare change?"

    Microsoft Corporation, along with Monsanto Corporation and the RIAA, exists as a protected species in the Seattle Memorial Glass Crater Bad Ideas And Warnings To The Future National Park in north-west Washington on the radioactive remains of what was once the planet Earth, under the protection of our Linux-based superintelligent robot artificial intelligence overlords. Company revenues for 2098 were over $15.

    illustration: A background wallpaper for your insecurable XP desktop. (Anyone got a pointer to the 1024x768 version?)

    --
    http://rocknerd.co.uk
  26. Best Buy's Training FUD by Anonymous Coward · · Score: 5, Insightful

    Best Buy's recent "training" slide #9, where they say that "Linux is safer than Windows" is a myth, the "Real Facts" states (referring to Linux) 'There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own.'
    Here's proof that that statement is really talking about Windows...

  27. 31 days. by Orbijx · · Score: 3, Interesting

    I say give 'em a month, tops, and then there will be a patch (or news of a coming patch) for Windows XP.

    Now would be a terrible time for Microsoft to alienate all those big corps that have XP and force them into another OS, if they want to keep their customers.
    It'd be great for everyone else, as customers may start looking into things they would never have considered otherwise, such as various open source operating systems, and the necessary apps it would take to keep them going in their workflow, post-transition.

    The way it looks is, some people (usually companies) will view this as a threat from Microsoft that reads: "Upgrade if you want protection."
    Some of them in this group will obediently upgrade to Fista or 7.
    Some of them will reluctantly upgrade to Vista or 7.
    Some of them will stay with XP and find other ways to secure themselves.
    Some of them will [cross their fingers and hope|pray] that Microsoft changes their mind and offers a patch.
    Some of them will be offended and migrate to another OS outside of Big Red Robotland.
    And of course, some of them will feel that litigation solves everything, and want to take MS to court for "refusing to patch an OS that is in such widespread use" (or) "intentionally posing a security risk".

    Refusing a patch like this, in my humble opinion, isn't something you want to do until a few months after your new OS lands, at the bare minimum. That way, you've already got people migrating.

    XP's patching lifecycle isn't up yet, from what I can see here, though: XP SP2 should be good until July of 2010, and SP3 should be good a bit longer than that, so I'm surprised no-one has really called 'em out on that.

    --
    One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
  28. Coming to a law court near you by L4t3r4lu5 · · Score: 2, Interesting

    1. Buy Netbook with Microsoft Windows XP installed.
    2. Run all updates.
    3. Browse web, get hacked by this exploit. Lose money through "identity theft" / bank fraud.
    4. Turn up in court with the receipt for the netbook & windows license stating when purchased, and the date and time Microsoft refused to patch the hole which caused your loss.
    5. State that Microsoft is profiting from a product which is unsuitable for purpose, and it knows is unsuitable.
    6. ...
    7. Read Microsoft fine print and realise that you have to now give Microsoft your first born child for ever doubting that their asses are covered.

    Yeah, consumer loses out on this one.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  29. Re:Good Bye Microsoft by curmudgeon99 · · Score: 2, Insightful

    Dude, How often do you hear of Mac Viruses running rampant? The reason Microsoft has to constantly patch their crap is because it's terrible. Mac is much more solid and the whole issue goes away... You are showing your Microsoft-centric world view. In the Mac world, the need to constantly fix old mistakes just is not a problem. It's a non issue.

  30. They could, they just dont want to... by hesaigo999ca · · Score: 4, Insightful

    Please..all underlying architecture has not changed from xp to vista, even though they want you to believe this...and for them to correct the wrapper on xp, would be trivial, however, they are testing the waters about phasing out xp, and want to see what the backlash will be like, seeing as no one wants vista garbage, and maybe even no windows7!

    I prefer, being given the opportunity of just paying a yearly fee to keep getting updates on a system that runs properly compared to their new bloated versions of vista etc... too bad no one can pick it up like a linux distro and start their own version of windows...

  31. In other words... by AlgorithMan · · Score: 3, Insightful

    backporting that level of code is essentially not feasible

    in other words:

    buy windows 7, damn it!

    it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
    1. Re:In other words... by DrXym · · Score: 2, Insightful
      it's the same feigned argument as when they refused to port DX10 to XP to boost Vista sales - uh - I mean it was because it's technically impossible... it's just that hackers ported it to XP later....

      It isn't a feigned argument. Having development resources, development environments, build engineers, QA testers, release engineers + assorted managers to fix vanilla XP when it's already fixed by a service pack is a monumental waste of time. Just keeping a shoestring operation running would probably cost MS tens of millions of dollars in resources.

      Of course they're not going to want to do it. I'm sure if you paid them enough money they might of course, but who could blame them?

  32. The solution is rather obvious by sheph · · Score: 4, Insightful

    Don't run an OS that you can't patch yourself. Seriously, if we put our trust in these guys after they've proven time and again that they really don't represent our best interests we are the only ones to blame. It's about time to let MS go gently into the night alone and without a sleeping bag into a rabid pack of wolves.

    --
    I don't believe in karma, I just call it like I see it.
  33. Re:Weighted Down? by HikingStick · · Score: 2, Insightful

    And with Windows 7 returning us to the age of malformed-packet-inducable-BSOD, I'm doing everything I can to maintain XP as our platform over the next 2-3 years, including a final round of PC purchases with XP downgrade rights in place.

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  34. Re:I agre by zippthorne · · Score: 3, Insightful

    Because Apple stopped selling versions older than 10.5 nearly two years ago and the upgrade to 10.6 is thirty dollars retail. Microsoft is still selling XP licenses.

    --
    Can you be Even More Awesome?!
  35. you are off by poetmatt · · Score: 2, Interesting

    Wrong analogy, you are focusing on the wrong issue. Real analogy: Do you still expect Adobe to patch the latest versions of their software as long as they are in business? Yes. What if they had a DLL that was affected in *all* versions. Do you expect them to patch it with the latest version? Hell yes you do. This is not a car warranty, so that argument is completely null. Things that are on XP cannot necessarily magically be "upgraded" like you think, additionally why should someone even feel remotely obligated to spend money on a new version of something that works just fine?

    Car analogy: does the manufacturer shut down their car after 10 years if you can keep it running?

    Why should MS exclude one?

    Maybe you should think about the argument you are making, because it is off.

    1. Re:you are off by somersault · · Score: 4, Insightful

      Your argument doesn't work either though IMO. For one thing software changes a lot quicker than car technology so I was being pretty kind saying 10 years for the car stuff. You might expect a dealer to service a 30 year old car, but you're probably going to have to pay through the nose for it (and I've read of at least one case where a dealer didn't have the parts to service a car because it was so old).

      XP is not the latest software, it is simply the most popular. Even if the majority of people in the world preferred the original VW Beetle from the 30s (or whenever it started production, I think it was in production for something crazy like 50 years), it doesn't mean that VW are still obliged to find and fix design flaws in it. You'd expect a product recall if a large problem was found in the latest incarnation of the Beetle sure - but we're not talking about the latest version, we're simply talking about the most popular version, and it's getting out of its support lifetime. I don't think any other version of Windows has lasted so long.

      In this case the WINE team or some group like that could probably produce a replacement version of the TCP/IP stack to stick into Windows, it would be the equivalent of having to buy 3rd party copies of OEM parts for an ancient car. Yes you can "keep it running", but the original manufacturer has stopped supporting it. MS are not shutting down all old copies of XP, they're simply stopping support.

      IMO it would be nice of them to keep supporting it, and some companies would do so, but they have no obligation to. And it's definitely not MS's style to be 'nice'.

      --
      which is totally what she said
  36. Re:Typical Microsoft by RMH101 · · Score: 2, Insightful

    Apple's not a terribly good example here. You buy software AND hardware from Apple. That nice G5 you bought 5 years ago? No parts available from Apple anymore, sorry. Oh, and Snow Leopard's dropped PPC support so won't run on it. One thing Apple's never been is scared of breaking backwards compatibility.

  37. TCP/IP, selling knowingly defective products by harvey+the+nerd · · Score: 4, Insightful

    The fix is to NEVER buy Microsoft products, again. Microsoft is a defective corporation that has made a mint off of selling knowingly defective products and reselling the HOPE that these defects will be fixed in the next update but reneging again, and again, and again, and again. MSFT's example of no/low quality has become the new American metric of quality, its business plan, corroding our society's business and work ethic, a complete mockery of the consumer laws on merchantability, deservedly debasing our reputation for quality goods.

    Since the government has been ineffective in enforcing these laws, falling for MS legal theories, only insistent market rejection will [partially] protect a consumer from the borg. No doubt we will be seeing more FUD IP attacks, like SCO, traceable to MSFT. Good luck to all. Fsck MSFT.

  38. Car/engine = Netbook/XP by nacturation · · Score: 4, Insightful

    Ah, a car analogy. It's more like this: You go to the Honda dealership and take a look at their 2010 models and purchase a vehicle. You discover that the engine has a serious flaw in it and ask Honda for a fix. Honda refuses because that engine is based on an 8 year old engine design. Except in this case, instead of a Honda you bought a brand new netbook and instead of an engine it came with a new copy of Windows XP.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Car/engine = Netbook/XP by Volante3192 · · Score: 3, Insightful

      The problem with all these analogies is Microsoft DID put a long warranty on XP, and SP2 is still covered.

      http://support.microsoft.com/lifecycle/?LN=en-us&x=8&y=10&C2=1173

      So the analogy here is, you buy a car. The manufacturer offers a 15 year warranty. 10 years in they find a flaw, they don't fix it and instead tell you to take it to a third party mechanic for a workaround at which point you find some lawyers and sue their contract breaching butt into next year.

  39. RTFA? Oh wait... it's slashdot. by enriquein · · Score: 2, Insightful

    Has anyone even cared to read the article, or at least the statements before nerdraging over this? The version of XP that won't get a patch is vanilla XP. Even as a developer I'd say it's ridiculous to expect a software vendor to patch something that has been fixed by a security patch that has been out for years now. That being said, I still use XP at home and I was outraged when I read the headline, but heading over to the article I stumbled upon this quote (which btw has been quoted a couple of times already, I'm only re-quoting in hopes that it will get read):

    In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

    Interestingly enough, if you are that concerned about security, then you probably already installed at least SP2. Which means that your XP box is NOT vulnerable to this type of attack. I guess Computerworld needed a flashy headline to get some clicks and ad revenue.

  40. Re:XP is teh dead by Lulfas · · Score: 3, Informative

    Posting this way up here so people see it. Summary is mostly incorrect. From TFA: "In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. 'By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,' the company said. 'Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network.'"

  41. Re:Good Bye Microsoft by curmudgeon99 · · Score: 2, Insightful

    Certainly not. Macs are made by humans. However, you must have lived on Mars the past decade to not notice the constant stream of viruses and other trojans that are so successful finding new exploits in the MS ecosystem. Though indeed problems do occur in the Mac, they are on a vastly smaller scale than on Windows. So, though I did make an exaggeration by making an absolute statement, it does jibe with reality. Having been a software developer professionally for 13 years and privately for 20, I stand by my assessment that MS makes crap.

  42. But anything can install such a service by Otis_INF · · Score: 2, Informative

    The problem is that anything can install such a listening service on XP making it instantly vulnerable. That XP SP2/3 isn't vulnerable by default is a 'mitigating factor' in MS Security bulletin lingo, not a reason not to patch.

    I don't understand why they're dragging their feet, as sooner or later something installs a listening service (or the user already has such a service) and it's over.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:But anything can install such a service by racermd · · Score: 2, Insightful

      Here's more ammo - Microsoft offers a fix for Windows Server 2003 which is based on many of the same core components as Windows XP. You very well might be able to use the Windows Server 2003 hotfix on Windows XP without any modification. If I were in charge of patching desktops in a large corporate environment (and I was at one point), that's exactly what I would do (after testing that it works) while screaming bloody murder to my Microsoft rep. Then, I'd let the network guys know about it so they can lock things down at the gateway, as well, if it wasn't already.

      Translation: "By NOT fixing Windows XP like we should, we are artificially creating a reason for you home users to 'upgrade' to Windows Vista or Windows 7 and seriously pissing off our corporate customers."

      --
      My sources are unreliable, but their information is fascinating. -- Ashleigh Brilliant
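
Added example, not part of the original thread or of any Microsoft tooling: comment 42 and its reply turn on whether an XP host has acquired a listening service, so this sketch inventories TCP listeners from `netstat -ano` output and flags any outside an expected baseline. The sample output is constructed, the function names are hypothetical, and the column layout assumed is the standard English-language `netstat -ano` format.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1051      203.0.113.7:80         ESTABLISHED     2212
  TCP    [::]:3389              [::]:0                 LISTENING       1104
  UDP    0.0.0.0:500            *:*                                    716
"""

# Local address, local port and PID of a TCP row in the LISTENING state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def exposed_listeners(netstat_text):
    """Return sorted (address, port, pid) for TCP listeners not bound to loopback."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, TCP rows in other states
        host = m.group(1).strip("[]").split("%")[0]  # drop IPv6 brackets / zone id
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparseable local address: skip rather than guess
        if addr.is_loopback:
            continue  # only reachable from the host itself
        found.add((str(addr), int(m.group(2)), int(m.group(3))))
    return sorted(found, key=lambda r: (r[1], r[0]))


def unexpected(listeners, allowed_ports):
    """Listeners whose port is not in the baseline the administrator expects."""
    return [entry for entry in listeners if entry[1] not in allowed_ports]


if __name__ == "__main__":
    for addr, port, pid in unexpected(exposed_listeners(SAMPLE_NETSTAT), {135, 139, 445}):
        print(f"unexpected listener {addr}:{port} (PID {pid})")
```

A listener in this inventory is only reachable from the network if the host firewall also has an exception for it, so the result is a list of candidates to compare against the firewall's exception list.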
  43. Re:XP is teh dead by Khyber · · Score: 3, Insightful

    The XP firewall is practically fucking useless to begin with. That still doesn't give them the right to jump out of a contractual support obligation 5 years in advance.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.