As outlined by Richard Bejtlich in his TaoSecurity blog, Microsoft reports that XP SP2 and SP3 are not affected by the flaw that MS09-048 fixes. And why is that, you ask?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. For the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network.
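The advisory's precondition is concrete enough to check on a host: a TCP service must be listening on a network-reachable address, and the Windows client firewall must either be off or carry an exception for that port. The script below is an added example (not from this post or from Microsoft) that evaluates that precondition from the text of `netstat -an` and `netsh firewall show state`; the sample outputs are constructed here, and the exact column layout of the `netsh` "Ports currently open" table is an assumption to verify against your own XP hosts.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -an` output from an XP SP3 host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:51234     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample in the shape of `netsh firewall show state` on XP SP2/SP3
# (table layout assumed; the File and Printer Sharing ports are open as exceptions).
SAMPLE_NETSH_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
139    TCP       Any      (null)
445    TCP       Any      (null)
137    UDP       Any      (null)
138    UDP       Any      (null)
"""


@dataclass
class FirewallState:
    enabled: bool
    exceptions: set  # of (protocol, port) tuples allowed through the firewall


def parse_listening_tcp(netstat_text):
    """Return {port: bind_address} for TCP sockets in LISTENING state.
    Loopback-only binds are skipped: they are not reachable from the network."""
    listening = {}
    for line in netstat_text.splitlines():
        m = re.match(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s*$", line)
        if not m:
            continue
        addr, port = m.group(1).rsplit(":", 1)  # rsplit copes with [::]:port too
        if addr in ("127.0.0.1", "[::1]"):
            continue
        listening[int(port)] = addr
    return listening


def parse_firewall_state(netsh_text):
    """Extract whether the client firewall is on and which ports have exceptions."""
    enabled = True
    m = re.search(r"Operational mode\s*=\s*(\w+)", netsh_text)
    if m:
        enabled = m.group(1).lower() == "enable"
    exceptions = set()
    in_table = False
    for line in netsh_text.splitlines():
        if line.startswith("Ports currently open"):
            in_table = True
            continue
        if in_table:
            m = re.match(r"^(\d+)\s+(TCP|UDP)\b", line)
            if m:
                exceptions.add((m.group(2), int(m.group(1))))
    return FirewallState(enabled, exceptions)


def exposed_tcp_ports(netstat_text, netsh_text):
    """Ports meeting the advisory's precondition: listening on a reachable
    address and either unfiltered (firewall off) or explicitly excepted."""
    listening = parse_listening_tcp(netstat_text)
    fw = parse_firewall_state(netsh_text)
    if not fw.enabled:
        return sorted(listening)
    return sorted(p for p in listening if ("TCP", p) in fw.exceptions)


if __name__ == "__main__":
    # With the samples above: 135 is listening but has no exception, so only
    # the SMB/NetBIOS ports 139 and 445 are reachable through the firewall.
    print("Exposed TCP ports:", exposed_tcp_ports(SAMPLE_NETSTAT, SAMPLE_NETSH_STATE))
```

Run it on a real host by saving the two command outputs to files and passing their contents in; an empty result means the host does not meet the precondition the advisory describes, while a non-empty one is the case the post is worried about (SMB listening with a file-sharing exception).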
Now, in reading Microsoft's blurb, I'm led to believe that if I have an XP machine on my internal network, and that computer has listening services configured (hello? SMB & CIFS?), then, since MS09-048 won't be installed on XP boxes, I'm vulnerable.
Or am I?
It's pretty darned unclear. Richard presents best-case and worst-case scenarios either way, but Microsoft needs to clarify their advisory for those systems not using the Windows client firewall.
We're waiting, Redmond.
Updated 9/10/09 7:50 PM - Microsoft has issued a major revision to their security advisory to clarify that the operating system remains vulnerable despite the ability to add a mitigating control, in this case the built-in Windows firewall. The key point here is that the OS is vulnerable.
Microsoft also advises that XP is not impacted by CVE-2009-1925 (TCP/IP Timestamps Code Execution), but I'm still troubled by their lack of clarity around CVE-2008-4609 (TCP/IP Zero Window Size) and CVE-2009-1926 (TCP/IP Orphaned Connections).
More to come, I'm sure.
Image by Energetic Spirit via flickr