Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003, when it said it wouldn't fix a bug in Windows NT 4.0. Skipping patches is very unusual for Microsoft. Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so." Windows Server 2000 SP4, for example, is to receive security updates until July 2010 Windows XP's support doesn't expire until April 2014. "Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.Īnother user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?" ![]() "We use a third-party vendor firewall product. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. The same two bugs were ranked "moderate" for Vista and Server 2008, while a third - which doesn't affect the older operating systems - was rated "critical."ĭuring the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical." Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases." "A system would become unresponsive due to memory consumption. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."Īlthough the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. ![]() ![]() "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional 圆4 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible." "An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast ( transcript here).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |