Wednesday, September 9, 2009

MS09-048: Microsoft Gives the Finger to Companies Using XP

When September 2009 rolled around and Microsoft trotted out their monthly security bulletin, it didn't take long for security folks to notice something was amiss.

As outlined by Richard Bejtlich in his TaoSecurity blog, Microsoft reports that XP SP2 and SP3 are not affected by the flaw that MS09-048 fixes. And why is that, you ask?

"By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. For the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

Now, in reading Microsoft's blurb, I'm led to believe that if I have an XP machine on my internal network, and that computer has listening services configured (hello? SMB & CIFS?), since MS09-048 won't be installed on XP boxes, I'm vulnerable.

Or am I?

It's pretty darned unclear. Richard presents best-case and worst-case scenarios either way, but Microsoft needs to clarify their advisory for those systems not using the Windows client firewall.

We're waiting, Redmond.

Updated 9/10/09 7:50 PM - Microsoft has issued a major revision to their security advisory to clarify that the operating system remains vulnerable despite the ability to add a mitigating control, in this case the built-in Windows firewall. The key point here is that the OS is vulnerable.

Microsoft also advises that XP is not impacted by CVE-2009-1925 (TCP/IP Timestamps Code Execution), but I'm still troubled by their lack of clarity around CVE-2008-4609 (TCP/IP Zero Window Size) and CVE-2009-1926 (TCP/IP Orphaned Connections).

More to come, I'm sure.


