Thursday, September 10, 2009

Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs

Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected Software.

This is an important development. It is significant to acknowledge that an operating system is vulnerable despite the potential to add a countermeasure. In other words, countermeasures do not remove vulnerabilities.

The company also updated the FAQ:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. The denial of service attacks require a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Additionally, Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network.

Windows XP is not affected by CVE-2009-1925.


As you can see, Microsoft is sticking with the "firewall" defense (and they forgot to remove the "not affected by this vulnerability" language from version 1.0 of the bulletin). This is still not acceptable.
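As an added example (not from the original post), here is a rough way to check whether an XP host actually meets the bulletin's precondition of having no listening service reachable through the client firewall: cross-reference the LISTENING TCP ports from `netstat -an` against the open-port table from `netsh firewall show state`. Both sample outputs are constructed, the table layouts are assumed to match XP's, and program-based firewall exceptions are not handled.

```python
import re

# Constructed sample of "netstat -an" output from a Windows XP host
# (not captured from a real machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       192.168.1.9:51234      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample of the "Ports currently open" table printed by
# "netsh firewall show state" on XP SP2/SP3 (layout is an assumption).
NETSH_SAMPLE = """
Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
445    TCP       IPv4     (null)
3389   TCP       IPv4     (null)
"""

def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def firewall_open_tcp_ports(netsh_text):
    """Return the set of TCP ports the XP firewall reports as open (port exceptions)."""
    ports = set()
    for line in netsh_text.splitlines():
        m = re.match(r"\s*(\d+)\s+TCP\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def exposed_tcp_ports(netstat_text, netsh_text, firewall_enabled=True):
    """Listening TCP ports a remote host can actually reach.

    With the firewall disabled every listener is reachable; with it enabled,
    only listeners that also appear in the firewall's open-port table are.
    An empty result means the host matches the "no listening service" case
    the bulletin relies on; a non-empty one means the DoS flood has a target.
    """
    listening = listening_tcp_ports(netstat_text)
    if not firewall_enabled:
        return listening
    return listening & firewall_open_tcp_ports(netsh_text)
```

Run `exposed_tcp_ports(NETSTAT_SAMPLE, NETSH_SAMPLE)` on the samples and only port 445 is reported; with `firewall_enabled=False` all three listeners are.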

Microsoft did clarify that CVE-2009-1925, TCP/IP Timestamps Code Execution Vulnerability, does not apply to Windows XP. That is good news.

So, what can you do? I would like to hear from anyone who is testing XP SP2 or SP3 for TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926. How does XP respond? Thus far @jkrage mentioned blue screens for the two DoS conditions. Can anyone else reproduce this? If yes, how?

Thank you.

3 comments:

Anonymous said...

Take a look at this advisory from CERT-FI:

https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html

There has been a lot going on around this vulnerability that hasn't been made public until recently.

Richard Bejtlich said...

Anonymous,

I know, I've been watching since last October:

http://taosecurity.blogspot.com/2008/10/dos-me-like-its-1996.html

VivekRajan said...

Looks like Steve Gibson is going to talk about it next

http://www.grc.com/sn/sn-213.htm