Wednesday, September 09, 2009

MS09-048 on Windows XP: Too Hard to Fix

This is a follow-up to "MS09-048 is Microsoft's Revenge Against XP in the Enterprise." Everyone is talking about how Windows 2000 will not receive a patch for MS09-048:

If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?

The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system.

Let's think about that for a minute. Vista introduced the rewritten Next Generation TCP/IP Stack; XP predates that rewrite, which means XP shares at least some of its TCP/IP stack with Windows 2000. Microsoft (as noted in my last post) didn't patch XP because it said the client firewall mitigated the problem, as long as you don't expose any ports -- not because XP is invulnerable. From what we can gather, XP is at least vulnerable to the two DoS flaws (TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926).
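Since the post's point is that an XP host with an exposed listener has no patch and only the firewall as mitigation, the practical defender question is how you would notice the zero-window condition the first DoS flaw is named for in session data. The following is an added example, not code from the post or from Microsoft: it scans constructed tcpdump-style packet summaries and flags any client that keeps several connections parked at window 0 for a sustained period. The record format, the 20-second stall threshold and the three-connection cutoff are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed packet summaries (not real capture data), one per line:
# "<seconds> <src>:<sport> > <dst>:<dport> win <advertised window>"
SAMPLE = """\
0.0 10.0.0.5:40001 > 192.0.2.10:80 win 65535
0.1 10.0.0.5:40001 > 192.0.2.10:80 win 0
0.2 10.0.0.5:40002 > 192.0.2.10:80 win 0
0.3 10.0.0.5:40003 > 192.0.2.10:80 win 0
0.4 10.0.0.9:51000 > 192.0.2.10:80 win 0
0.9 10.0.0.9:51000 > 192.0.2.10:80 win 8192
30.5 10.0.0.5:40001 > 192.0.2.10:80 win 0
30.6 10.0.0.5:40002 > 192.0.2.10:80 win 0
30.7 10.0.0.5:40003 > 192.0.2.10:80 win 0
"""

LINE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) win (\d+)$")

def parse(text):
    """Yield (ts, src, sport, dst, dport, window) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the assumed format
        ts, src, sport, dst, dport, win = m.groups()
        yield float(ts), src, int(sport), dst, int(dport), int(win)

def zero_window_offenders(text, min_stall=20.0, min_conns=3):
    """Return {client_ip: stalled_connection_count} for clients that hold at
    least min_conns connections at window 0 for at least min_stall seconds.
    A non-zero window advertisement ends the stall for that connection."""
    first_zero = {}  # conn -> ts when the current zero-window run began
    last_zero = {}   # conn -> ts of the most recent zero-window advert
    for ts, src, sport, dst, dport, win in parse(text):
        conn = (src, sport, dst, dport)
        if win == 0:
            first_zero.setdefault(conn, ts)
            last_zero[conn] = ts
        else:  # window reopened, so this is normal flow control, not a stall
            first_zero.pop(conn, None)
            last_zero.pop(conn, None)
    stalled = defaultdict(int)
    for conn, start in first_zero.items():
        if last_zero[conn] - start >= min_stall:
            stalled[conn[0]] += 1
    return {client: n for client, n in stalled.items() if n >= min_conns}

if __name__ == "__main__":
    print(zero_window_offenders(SAMPLE))  # {'10.0.0.5': 3}
```

The host 10.0.0.9 advertises window 0 once and then reopens it, which is ordinary flow control and is not reported; only the client holding three connections stalled for roughly 30 seconds is flagged.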

In other words, patching Windows XP is also architecturally "infeasible."

This appears to be more than a theory. Just about the only straight answer I could get from a Microsoft rep this evening was the answer that MS09-048 is too hard to fix on XP, just like it was too hard to fix on 2000.

I think it's time to tell Microsoft this situation is not acceptable.

7 comments:

VivekRajan said...

Just guessing. Easy to fix on NDIS 6.x (Vista), hard to fix on NDIS 5.0 (2000).

Steve Riley said...

> XP shares at least some of the
> TCP/IP stack of Windows 2000

While Windows XP's stack has received some tweaks over the years, the underlying code is in fact the same as in Windows 2000. So yeah, there's really no patch here if you want your computer to do anything useful.

Anonymous said...

Would PF Scrub or other PF magic mitigate this attack ingress/egress? Have not seen exploit code yet so hard to know what to look for... will "query NSM session data" later on ;) Thank you for putting out word on this. Keep up the good work!

Andrew W said...

So how come this *was* able to be fixed in Windows Server 2003 then?

Richard Bejtlich said...

Andrew W, I am still working with Microsoft to see what is going on here. When I get an answer I will post. Thank you.

Andrew W said...

Hi again,

Thanks so much for your efforts to find out more about this.

This looks to be major. I'm surprised I can't find all that much in the way of media attention over this issue!

Anyone know if I am right in assuming that the TCP/IP stacks in Windows XP and Server 2003 are similar?

benjamin said...

Hi there sir, I'm normally one of the anonymous lurkers that follows your blog. I just spoke with a "supposed" MS engineer, and here's what he had to say about this. (note that I had linked him to your post)

"You are speaking to a MS Engineer, your link is useless as I work for the company that produces the products you are trying to hate on. I only wish to drop this entire topic, since I work for the company I am privy to information that is otherwise held back from the public.

I do not want to cause any "trouble" just know that MS will support all critical holes within a product that is still in life-cycle, the link you posted is listed as a "low" in the Microsoft rating system and is not a critical risk."