Four months after it modified Windows 7 to stop the Conficker worm from spreading through infected flash drives, Microsoft has ported the changes to older operating systems, including Windows XP and Vista, the company announced on Friday.
In April, Microsoft altered AutoRun and AutoPlay, a pair of technologies originally designed for CD-ROM content, to keep malware from silently installing on a victim's PC. The Conficker worm, which exploded onto the PC scene in January, snatching control of millions of machines, used several methods to jump from PC to PC, including USB flash drives.
Conficker copied a malicious "autorun.inf" file to any USB storage device that was connected to an already-infected machines, then spread to any other PC if the user connected the device to that second computer and picked the "Open folder to view files" option under "Install or run program" in the AutoPlay dialog.
Microsoft responded by changing Windows 7 so that the AutoPlay dialog no longer let users run programs, except when the device was a nonremovable optical drive, like a CD or DVD drive. After the change, a flash drive connected to a Windows 7 system only let users open a folder to browser a list of files.
Four months ago, Microsoft promised to make similar changes in other operating systems -- Windows XP, Vista, Server 2003 and Server 2008 -- but declined to set a timeline.
On Friday, Microsoft used its Security Research & Defense blog to announce the availability of the updates for XP, Vista and the two Server editions.
Microsoft issued the updates almost three weeks ago, on Aug. 25, but did not push them to users automatically via Windows Update, or the corporate patch service Windows Server Update Services (WSUS). Instead, users must steer to Microsoft's download site, then download and install the appropriate update manually. Links to the download are included in a document posted on the company's support site.
The Windows XP update weighs in at 3MB, while the one for Vista is about 7MB.
The AutoRun and AutoPlay changes debuted in the Windows 7 Release Candidate (RC), which was available for public downloading from May 4 to Aug. 20. Windows 7 is set to go on sale Oct. 22.
By Gregg Keizer
Computerworld
Tuesday, September 15, 2009
Company hosting Joe Wilson fundraising site recovers from DDoS attack
A company providing online payment-processing services for U.S. Rep. Joe Wilson (R-S.C.) is back online after being disrupted by a distributed denial-of-service attack over the weekend.
The attack on Piryx began Friday afternoon and lasted into the early hours of Saturday morning, temporarily disrupting a Wilson fundraising effort that was under way at that time, Piryx CEO Tom Serres said. It also knocked out services for about 150 other Piryx clients, he said.
Piryx is a nonpartisan Austin-based start-up that provides services to help political candidates and nonprofits manage online campaigns and fundraising.
Serres said the company was contacted by Wilson's office last week and asked to manage online donations from supporters rallying behind the congressman after he shouted "You lie!" during President Obama's address to Congress on health care reform Wednesday.
Hours after the company began hosting Wilson's home page on its servers, Piryx found itself the target of a distributed denial-of-service attack, Serres said. Such attacks are designed to render servers and networks inaccessible by flooding them with useless traffic.
The attacks appear to have been directed at the JoeWilsonforCongress.com site, Serres said. At the time the attacks started, the site was handling about 100 transactions per minute and had already collected more than $100,000 from people who wanted to contribute to Wilson's campaign, he said.
Initially, the traffic generated by the DDoS attack was manageable, but soon Piryx began noticing "massive bandwidth spikes" that knocked its servers offline, Serres said. The data center hosting Piryx's servers confirmed that it was the victim of a DDoS attack. At its peak, the DDoS flood generated about 1Gbit/sec. of traffic, which is about 1,000 times the normal traffic on Piryx, Serres said.
After several failed attempts at mitigating the attacks, filters were put in place to block the traffic early Saturday morning. Service has been normal since then, Serres said. It's not known from where the attacks originated, but he said it appears to have been initiated by those opposed to Wilson's comments. "It was clearly politically motivated to take down Wilson's ability to raise funds online," Serres noted.
The incident appears to be one of the rare instances of a politically motivated attack against a Web site in the U.S., said Kirsten Dennesen, an intelligence analyst with VeriSign's iDefense Labs. The attention attracted by Wilson's comments, especially through social media tools such as Facebook and Twitter, appears to have contributed to the attack, she said.
"One question is whether there are going to be any response attacks," she added.
By Jaikumar Vijayan
Computerworld
The attack on Piryx began Friday afternoon and lasted into the early hours of Saturday morning, temporarily disrupting a Wilson fundraising effort that was under way at that time, Piryx CEO Tom Serres said. It also knocked out services for about 150 other Piryx clients, he said.
Piryx is a nonpartisan Austin-based start-up that provides services to help political candidates and nonprofits manage online campaigns and fundraising.
Serres said the company was contacted by Wilson's office last week and asked to manage online donations from supporters rallying behind the congressman after he shouted "You lie!" during President Obama's address to Congress on health care reform Wednesday.
Hours after the company began hosting Wilson's home page on its servers, Piryx found itself the target of a distributed denial-of-service attack, Serres said. Such attacks are designed to render servers and networks inaccessible by flooding them with useless traffic.
The attacks appear to have been directed at the JoeWilsonforCongress.com site, Serres said. At the time the attacks started, the site was handling about 100 transactions per minute and had already collected more than $100,000 from people who wanted to contribute to Wilson's campaign, he said.
Initially, the traffic generated by the DDoS attack was manageable, but soon Piryx began noticing "massive bandwidth spikes" that knocked its servers offline, Serres said. The data center hosting Piryx's servers confirmed that it was the victim of a DDoS attack. At its peak, the DDoS flood generated about 1Gbit/sec. of traffic, which is about 1,000 times the normal traffic on Piryx, Serres said.
After several failed attempts at mitigating the attacks, filters were put in place to block the traffic early Saturday morning. Service has been normal since then, Serres said. It's not known from where the attacks originated, but he said it appears to have been initiated by those opposed to Wilson's comments. "It was clearly politically motivated to take down Wilson's ability to raise funds online," Serres noted.
The incident appears to be one of the rare instances of a politically motivated attack against a Web site in the U.S., said Kirsten Dennesen, an intelligence analyst with VeriSign's iDefense Labs. The attention attracted by Wilson's comments, especially through social media tools such as Facebook and Twitter, appears to have contributed to the attack, she said.
"One question is whether there are going to be any response attacks," she added.
By Jaikumar Vijayan
Computerworld
Monday, September 14, 2009
Wi-Fi 802.11n sudah resmi loh sekarang!!
Setelah menunggu lama, akhirnya teknologi Wi-Fi jenis "n" sudah resmi diluncurkan dimana sebelumnya masih sebatas "draft".
Bagi anda yang ada rencana untuk membeli Router, notebook atau lainnya yang berhubungan dengan koneksi Wi-Fi kami sarankan untuk menunggu sebentar lagi untuk memiliki produk dengan sertifikasi 802.11n yang resmi.
Keuntungan dari 802.11n adalah kecepatan transfernya yang bisa mencapai 600 Mbps, bandingkan dengan 802.11g hanya 100 Mbps.
Walaupun sebenarnya sudah banyak alat yang mendukung 802.11n tetapi sebenarnya itu masih belum resmi dan boleh dibilang belum optimal dibandingkan dengan produk yang nantinya sudah bersertifikasi "n" secara resmi.
by Otakku
Tetapi jangan kuatir kok, tergantung produsen alat yang bersangkutan, kemungkinan besar kita bisa mengup-grade firmwarenya dari "Draft N" ke "N" yang resmi.
Dan bagaimana dengan rencana upgrade itu sendiri? Perlukah kita meng-upgrade dari versi b/g ke n? Sebenarnya tergantung kebutuhan, kalau selama ini anda sudah merasa cukup maka tidak perlu, sebaliknya kalau memang koneksi Wi-Fi biasa anda gunakan untuk nonton film, mungkin ini perlu dilakukan.
Yang harus diingat, upgrade router dari jenis b/g ke "n" tidak akan berguna bila notebook atau komputer anda tidak diup-grade ke "n" juga. :-)
Mungkin sebelum upgrade, anda bisa mencoba untuk mengoptimalkan Wi-Fi yang ada dengan membaca artikel kami tentang
Bagi anda yang ada rencana untuk membeli Router, notebook atau lainnya yang berhubungan dengan koneksi Wi-Fi kami sarankan untuk menunggu sebentar lagi untuk memiliki produk dengan sertifikasi 802.11n yang resmi.
Keuntungan dari 802.11n adalah kecepatan transfernya yang bisa mencapai 600 Mbps, bandingkan dengan 802.11g hanya 100 Mbps.
Walaupun sebenarnya sudah banyak alat yang mendukung 802.11n tetapi sebenarnya itu masih belum resmi dan boleh dibilang belum optimal dibandingkan dengan produk yang nantinya sudah bersertifikasi "n" secara resmi.
by Otakku
Tetapi jangan kuatir kok, tergantung produsen alat yang bersangkutan, kemungkinan besar kita bisa mengup-grade firmwarenya dari "Draft N" ke "N" yang resmi.
Dan bagaimana dengan rencana upgrade itu sendiri? Perlukah kita meng-upgrade dari versi b/g ke n? Sebenarnya tergantung kebutuhan, kalau selama ini anda sudah merasa cukup maka tidak perlu, sebaliknya kalau memang koneksi Wi-Fi biasa anda gunakan untuk nonton film, mungkin ini perlu dilakukan.
Yang harus diingat, upgrade router dari jenis b/g ke "n" tidak akan berguna bila notebook atau komputer anda tidak diup-grade ke "n" juga. :-)
Mungkin sebelum upgrade, anda bisa mencoba untuk mengoptimalkan Wi-Fi yang ada dengan membaca artikel kami tentang
NYTimes.com Warns of Malware on Site
Online scammers have apparently found a new way to reach their marks: They've started running ads on the Web site of The New York Times.
The newspaper warned readers Sunday that so-called rogue antivirus sellers had been spotted on its Web site, NYTimes.com. Their products, often promoted by Eastern European criminal organizations, are either ineffective or actually end up infecting the computers of people who purchase them.
"Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software," the Times said in a "Note to Readers," posted to its Web site Sunday. "We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring." The newspaper did not respond to a request for more information on the issue.
Because online advertisements are usually sold through networks, sites like NYTimes.com often have to rely on other companies to make sure that the ads they carry are appropriate.
Blogger Troy Davis was hit with the ad Saturday night. After taking a closer look, he discovered that JavaScript code in a New York Times ad redirected him to a Web site that popped up a browser Window designed to look like it is conducting a scan of the system. The window warns, "Your computer is infected."
"It's a fake page for a nonexistent antivirus app, which is actually malware," Davis wrote in his analysis of the issue.
The rogue antivirus problem got a lot of attention one year ago, when Microsoft and the Washington State Attorney General's office sued a pair of Texas companies for allegedly pushing the software.
Since then, things have only gotten worse.
In the past three months, rogue antivirus software has emerged as a major online problem, according to Paul Ferguson, a researcher with antivirus vendor Trend Micro. "Its pervasive," he said in an instant message interview. "Right now, they are going full-tilt."
Criminals use a variety of tricks to get people to shell out for the bogus products: They use search engine optimization techniques to get search engines like Google to list Web sites that display the pop-up ads, or they'll flog them through social media sites like Twitter or Facebook. They even use malicious Trojan horse programs to pop up error messages in hopes that people will buy.
Robert McMillan, IDG News Service
The newspaper warned readers Sunday that so-called rogue antivirus sellers had been spotted on its Web site, NYTimes.com. Their products, often promoted by Eastern European criminal organizations, are either ineffective or actually end up infecting the computers of people who purchase them.
"Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software," the Times said in a "Note to Readers," posted to its Web site Sunday. "We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring." The newspaper did not respond to a request for more information on the issue.
Because online advertisements are usually sold through networks, sites like NYTimes.com often have to rely on other companies to make sure that the ads they carry are appropriate.
Blogger Troy Davis was hit with the ad Saturday night. After taking a closer look, he discovered that JavaScript code in a New York Times ad redirected him to a Web site that popped up a browser Window designed to look like it is conducting a scan of the system. The window warns, "Your computer is infected."
"It's a fake page for a nonexistent antivirus app, which is actually malware," Davis wrote in his analysis of the issue.
The rogue antivirus problem got a lot of attention one year ago, when Microsoft and the Washington State Attorney General's office sued a pair of Texas companies for allegedly pushing the software.
Since then, things have only gotten worse.
In the past three months, rogue antivirus software has emerged as a major online problem, according to Paul Ferguson, a researcher with antivirus vendor Trend Micro. "Its pervasive," he said in an instant message interview. "Right now, they are going full-tilt."
Criminals use a variety of tricks to get people to shell out for the bogus products: They use search engine optimization techniques to get search engines like Google to list Web sites that display the pop-up ads, or they'll flog them through social media sites like Twitter or Facebook. They even use malicious Trojan horse programs to pop up error messages in hopes that people will buy.
Robert McMillan, IDG News Service
Why Macs Can't Beat PCs with Windows 7
I regularly use both Windows and Mac PCs, so any comments that I've never used a Mac are bunk. I've been using Windows 7 since before its public beta release at the first of this year. I use my Mac for video editing, iPhone development, etc. I love all of my computers equally -- my Windows PC, my Mac and my Linux servers. They all do what I ask them to do very well, and I have things about each that I like and things I don't.
But frankly, the differences in the Windows 7 and Mac OS X platforms from a usability standpoint are pretty much nil. Windows 7 has simplified much of the complexity introduced in Vista and made Windows a very clean and easy-to-use OS. I would even go so far as to predict that the days of Apple trampling all over Windows in the "I'm a Mac" commercials are pretty much over. Not to say Apple won't go after Windows 7 as soon as Windows 7 has some vulnerability or issue Apple can exploit in a TV commercial. I'll grant, too, that Apple still has its "cool" factor and Windows isn't like to encroach on that. But Windows 7 is not only a "good enough" operating system, it is so much better an OS and user experience that Apple will have to think hard before using the same advertising tactics that worked so well on Vista.
Here are the five reasons Apple fears Windows 7:
Clean and Simple User Experience. There is now very little difference between the easy user experience on Windows 7 and Mac OS X. Gone from Windows 7 are Vista's loads of unnecessary bloatware applications, confusing and poorly designed configuration dialog boxes, and moronic UAC popups that impeded a user's productivity at every turn. The new task bar is more simple and straightforward than Mac OS X's crowded icon bar. Windows also has very good screen configuration settings that make switching between monitor configurations extremely easy. And the Control Panel has been redesigned to the basics of what end users need to manage Windows 7. Like it or not, we're now down to personal preference when it comes to usability and ease of use.
Mac Crashes More. Fact is, my Windows 7 systems don't crash... ever. Those days of frequent Windows Explorer crashes went away when I installed the Windows 7 RC. My Mac now crashes more often (about once a month or so) than Windows 7, and my Mac isn't over laden with junk on it.
Flexibility and Lower Cost. Microsoft has updated its "PC hunter" commercials but they still show how easy it is to find a better value when buying a Windows PC over a Mac. You have to use some pretty convoluted math to come to the conclusion Macs don't cost more than PCs for the equivalent devices. If you buy a Mac it's going to be because you consciously have decided you want a Mac instead of a PC, you hate Microsoft, you prefer the Mac user interface, etc.
Performance. We may not have side-by-side Windows 7 and Mac OS X performance comparisons yet (I'm sure we will soon) but Windows 7 isn't the performance hog Vista was. The experience is great. Windows 7 tools are fast, applications don't freeze up waiting for resources, disk I/O performance is great, memory utilization is much more efficient. Startup, shutdown and sleep are fast. Outlook still has its issues with not responding but overall we're talking a speedy experience on Windows 7. Now add that to the fact that Windows has access to the latest hardware advances -- you can crack the core on the latest Intel i7 or other hardware advances.
Mac Security Is NOT Better Than Windows 7. Many still live with the myth that Mac OS X doesn't have any security issues while Windows does. That myth ignores the facts. For example, Apple just released 18 security patches (the smallest collection of patches this year) for Mac OS X on August 5th. Many try to argue that not all the fixes are for Mac OS X, but rather for other software that might be included with it. To compare apples-to-apples (pun intended) you have to stack up the software each vendor ships with their products, not selective parts of it. While it is true that Windows is still a much larger security target because of it's market share, it isn't true that the Mac doesn't have plenty of security issues of its own.
* Sponsored Resource:Improve your network with the right mix of features, performance and pricing.
* Sponsored Resource:Growing your business requires the right tools. Dell's networking servers can help.
* Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
* Sponsored Resource:Twitter: A how-to guide for using Twitter as a business tool.
* Sponsored Resource:Smartphone security threats are on the rise. Is it time to safegaurd your device?
For more information about enterprise networking, go to NetworkWorld. Story copyright 2008 Network World Inc. All rights reserved.
But frankly, the differences in the Windows 7 and Mac OS X platforms from a usability standpoint are pretty much nil. Windows 7 has simplified much of the complexity introduced in Vista and made Windows a very clean and easy-to-use OS. I would even go so far as to predict that the days of Apple trampling all over Windows in the "I'm a Mac" commercials are pretty much over. Not to say Apple won't go after Windows 7 as soon as Windows 7 has some vulnerability or issue Apple can exploit in a TV commercial. I'll grant, too, that Apple still has its "cool" factor and Windows isn't like to encroach on that. But Windows 7 is not only a "good enough" operating system, it is so much better an OS and user experience that Apple will have to think hard before using the same advertising tactics that worked so well on Vista.
Here are the five reasons Apple fears Windows 7:
Clean and Simple User Experience. There is now very little difference between the easy user experience on Windows 7 and Mac OS X. Gone from Windows 7 are Vista's loads of unnecessary bloatware applications, confusing and poorly designed configuration dialog boxes, and moronic UAC popups that impeded a user's productivity at every turn. The new task bar is more simple and straightforward than Mac OS X's crowded icon bar. Windows also has very good screen configuration settings that make switching between monitor configurations extremely easy. And the Control Panel has been redesigned to the basics of what end users need to manage Windows 7. Like it or not, we're now down to personal preference when it comes to usability and ease of use.
Mac Crashes More. Fact is, my Windows 7 systems don't crash... ever. Those days of frequent Windows Explorer crashes went away when I installed the Windows 7 RC. My Mac now crashes more often (about once a month or so) than Windows 7, and my Mac isn't over laden with junk on it.
Flexibility and Lower Cost. Microsoft has updated its "PC hunter" commercials but they still show how easy it is to find a better value when buying a Windows PC over a Mac. You have to use some pretty convoluted math to come to the conclusion Macs don't cost more than PCs for the equivalent devices. If you buy a Mac it's going to be because you consciously have decided you want a Mac instead of a PC, you hate Microsoft, you prefer the Mac user interface, etc.
Performance. We may not have side-by-side Windows 7 and Mac OS X performance comparisons yet (I'm sure we will soon) but Windows 7 isn't the performance hog Vista was. The experience is great. Windows 7 tools are fast, applications don't freeze up waiting for resources, disk I/O performance is great, memory utilization is much more efficient. Startup, shutdown and sleep are fast. Outlook still has its issues with not responding but overall we're talking a speedy experience on Windows 7. Now add that to the fact that Windows has access to the latest hardware advances -- you can crack the core on the latest Intel i7 or other hardware advances.
Mac Security Is NOT Better Than Windows 7. Many still live with the myth that Mac OS X doesn't have any security issues while Windows does. That myth ignores the facts. For example, Apple just released 18 security patches (the smallest collection of patches this year) for Mac OS X on August 5th. Many try to argue that not all the fixes are for Mac OS X, but rather for other software that might be included with it. To compare apples-to-apples (pun intended) you have to stack up the software each vendor ships with their products, not selective parts of it. While it is true that Windows is still a much larger security target because of it's market share, it isn't true that the Mac doesn't have plenty of security issues of its own.
* Sponsored Resource:Improve your network with the right mix of features, performance and pricing.
* Sponsored Resource:Growing your business requires the right tools. Dell's networking servers can help.
* Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
* Sponsored Resource:Twitter: A how-to guide for using Twitter as a business tool.
* Sponsored Resource:Smartphone security threats are on the rise. Is it time to safegaurd your device?
For more information about enterprise networking, go to NetworkWorld. Story copyright 2008 Network World Inc. All rights reserved.
Mitchell Ashley, Network World
Aug 26, 2009 10:00 am
Microsoft: No TCP/IP patches for you, XP
- Microsoft late last week said it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008.
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.
"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.
"An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here).
Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible."
The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."
Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical."
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.
Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."
Skipping patches is very unusual for Microsoft. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003, when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.
(Computerworld ; By Gregg Keizer)
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.
"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.
"An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here).
Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible."
The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."
Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."
Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical."
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.
Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."
Skipping patches is very unusual for Microsoft. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003, when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.
(Computerworld ; By Gregg Keizer)
Subscribe to:
Posts (Atom)
