Microsoft Says No TCP/IP Patches For XP

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"

Yeah, right

[DoofusOfDeath]

"Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista

The U.S. Navy's and Marine Corp's NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

Re:Yeah, right

[Cryophallion]

I just had to post an invoice to the marine corp's web site. I luckily had one computer at work that was not upgraded to ie8. It would only respect ie6 or 7, and had some issues if I just changed the user agent on FF.

If people keep being forced to upgrade their browsers, no one will be able to use the government systems anymore.

I'm sure it will be an issue for the little companies billing, but you'll never hear about it.

Re:Yeah, right

[commodore64_love]

The Navy will simply subcontract-out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result. It will employ some 10,000 workers at a cost of 1.4 trillion dollars. Then it will fail to come-in on time, so they'll spend an extra 6 months and 0.3 trillion on schedule overrun.

That's SOP for the government.

Re:Yeah, right

[commodore64_love]

Whatever. I'll just keep using XP until it crashes-and-burns, and then I'll toss this PC into the trash and get a new $300 PC at walmart with Windows 8 already-installed. That's my upgrade path.

BTW anyone want to buy a Windows 95 laptop? It's harmless (mostly).

Re:Yeah, right

[HangingChad]

The U.S. Navy's and Marine Corp's NMCI computing infrastructure is all Windows XP.

I questioned the Navy's IT management for years, failing to see the long term wisdom behind the program and thinking it was a pork spending program awarded to political insiders. But, I'm forced to admit NMCI has been tremendously successful at bringing productivity to a near stand still. Patching computers no one can use is hardly even necessary.

As a bonus the Navy has an inexhaustible supply of boat anchors!

Absolutely brilliant.

Re:Yeah, right

[KnownIssues]

XP SP2 and later are fine by default. What does that mean? Does that mean it's the only possible configuration? Or is it reasonable that an XP SP2 computer could end up in a state where it does have a listening service configured in the client firewall? Doesn't Vista include "a stateful host firewall that provide protection for computers against incoming traffic from the Internet [...]"? I should think so, so wouldn't that invalidate their reasoning?

I wouldn't be surprised if Microsoft is perfectly correct in not patching XP. The problem is how they communicate it. If they're patching Vista (a client OS) and they're patching Server 2003 (similar codebase to XP), then this makes it seem like they don't want to bother fixing XP, even though it's broken. If Microsoft had said, "the XP codebase is in no way vulnerable", I'd be completely satisfied. But they didn't. They said, "XP is broken, but by default it's protected".

That's not good enough.

Re:Yeah, right

[EastCoastSurfer]

I have a friend who just got hired into group A working for the DOD. His job is to track how the stimulus money gets spent in group B. Actually his entire groups job is to track that money. Guess what group B's job is? Track how the money gets spent in group A. It's so ludicrous that you can't make this stuff up.

It's white collar welfare and has been for years. It's the advanced version of dig a hole and fill it in.

Infeasible?

[YuppieScum]

That's unpossible!

Re:Infeasible?

[Chapter80]

Verbulating is commonstuff. What's surprisamazing is that the hypermajority of communicenglishers can simpquickly graspulate the vocabulextension.

That's why I like open source

[jgardia]

well, that's one of the positive aspects of the open source code. If the main developer doesn't want to fix something, then someone else can do it.

Question

[bjackson1]

Isn't the codebase for XP and Windows 2003 essentially the same? Why can't the 2003 patch be modified? I don't remember reading that the TCP/IP stack was that different in 2003.

Re:Question

You are forgetting that code ages overtime. I think it has something to do with the proteins and atoms. That is why they have to make new versions.

15 years old

[vxvxvxvx]

While the code may very well be 15 years old, that does not really matter to the user. What matters is how long ago Microsoft sold the product. If they sell software today that uses some code written 15 years ago you should be able to expect security updates for some period of time. Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.

Re:15 years old

This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.

XP Still uspported on netbooks.

[Chrisq]

Since XP is still being shipped and supported on netbooks this seems a little strange. What's the message - spend extra on memory and hard drive so that you can run XP instead of Linux but we won't give you security patches?

In other news...

[Temkin]

In other news... 10 year old Linux 2.4 kernel patched yesterday...

Re:In other news...

[UnderDark]

Link in case you think this is sarcasm: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=summary

My job is to apply "The Formula"

[Stenchwarrior]

A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crushes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

If X is less that the cost of a recall, we don't do one.

"Infeasible": Translation..

[multipartmixed]

...we lost the source code, we kept it in Microsoft Source Safe and it ate it.

Best Buy's Training FUD

Best Buy's recent "training" slide #9, where they say that "Linux is safer than Windows" is a myth, the "Real Facts" states (referring to Linux) 'There's no guarantee that when security vulnerabilities are discovered, an update will be created. Users are on their own.'
Here's proof that that statement is really talking about Windows...