
Microsoft Says No TCP/IP Patches For XP

timothy posted more than 5 years ago | from the to-improve-your-customer-experience dept.

Bug 759

CWmike writes "Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. 'An update for Windows XP will not be made available,' Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here). Last Tuesday, Microsoft said that it wouldn't be patching Windows 2000 because creating a fix was 'infeasible.'"


XP is teh dead (0, Troll)

Adolf Hitroll (562418) | more than 5 years ago | (#29424585)

and you'll have to suffer under w7 as soon as next month.
you could also follow the big fat greek hairy bitch and choose haiku...

always wanted to say this... (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29424589)

first post, last patch.

Yeah, right (5, Interesting)

DoofusOfDeath (636671) | more than 5 years ago | (#29424595)

"Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista

The U.S. Navy's and Marine Corps' NMCI [wikipedia.org] computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

Re:Yeah, right (2, Informative)

Shrike82 (1471633) | more than 5 years ago | (#29424659)

From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you...

Re:Yeah, right (5, Funny)

commodore64_love (1445365) | more than 5 years ago | (#29424721)

Whatever. I'll just keep using XP until it crashes-and-burns, and then I'll toss this PC into the trash and get a new $300 PC at walmart with Windows 8 already-installed. That's my upgrade path.

BTW anyone want to buy a Windows 95 laptop? It's harmless (mostly).

Re:Yeah, right (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29424901)

No, no, .... recycle it. Please!

Re:Yeah, right (3, Funny)

MindKata (957167) | more than 5 years ago | (#29424917)

"From TFA they implied that a decent firewall would reduce the risk. Now whether you choose to believe that is entirely up to you..."

So a bit like the old saying, "That's like buying a dog, and then having to spend your time barking to scare off any potential burglars."

Re:Yeah, right (4, Insightful)

Moryath (553296) | more than 5 years ago | (#29424973)

Translation: "Sales of Vista didn't go well due to Vista being crap, and Win7 isn't actually all that much better, so rather than offer a product people actually want we're going to exploit our monopoly and withhold necessary security fixes from others in order to force people to 'upgrade.'"

Re:Yeah, right (5, Interesting)

Cryophallion (1129715) | more than 5 years ago | (#29424681)

I just had to post an invoice to the Marine Corps' web site. I luckily had one computer at work that was not upgraded to IE8. It would only respect IE6 or 7, and had some issues if I just changed the user agent on FF.

If people keep being forced to upgrade their browsers, no one will be able to use the government systems anymore.

I'm sure it will be an issue for the little companies billing, but you'll never hear about it.

Re:Yeah, right (5, Insightful)

commodore64_love (1445365) | more than 5 years ago | (#29424709)

The Navy will simply subcontract-out to Lockheed Martin, General Dynamics, and other defense companies to upgrade all their systems from XP to Windows 7 and fix any programs that "break" as a result. It will employ some 10,000 workers at a cost of 1.4 trillion dollars. Then it will fail to come-in on time, so they'll spend an extra 6 months and 0.3 trillion on schedule overrun.

That's SOP for the government.

Re:Yeah, right (1)

EastCoastSurfer (310758) | more than 5 years ago | (#29424739)

Sounds like a stimulus to me...

Re:Yeah, right (4, Interesting)

commodore64_love (1445365) | more than 5 years ago | (#29424833)

Many people have compared defense work to "white collar welfare". I think the private companies are more frugal than that, since they are constantly cutting costs & laying-off workers, but having worked at the FAA it seems like a sound argument. I saw government workers sitting around doing nothing but surfing the net day-after-day. The FAA could lay-off 75% of the workforce and not notice any drop in output.

But of course if the FAA did that, then the politicians who represent those workers would scream bloody murder, and the layoffs would be canceled.

Re:Yeah, right (0)

Anonymous Coward | more than 5 years ago | (#29425001)

If they switched to Linux, it would come in on time and under budget. But when has the customer (DoD) been smart about that?

Re:Yeah, right (4, Interesting)

Anonymous Coward | more than 5 years ago | (#29424715)

Ah so when it comes to patching severe holes the codebase is way too old with its 12 - 15 years, but when it comes to revealing the source it is still very relative. Then how does patching very relative code become "not feasible"? "Can't" or "won't"? Which is it MS?

Re:Yeah, right (2, Insightful)

Anonymous Coward | more than 5 years ago | (#29424797)

Your car has a 15 year warranty, I take it. And at your request your car manufacturer gave you all of the blueprints and circuit board diagrams and codes and sensor readouts and dyno information and design documents that helped them design and build your car, right?

It's infeasible to support code this old. They didn't say it was impossible. Infeasible means that yes, they could spend lots of their money fixing code that is 15 years old. They could also spend that money to try and make new software that performs better on the whole.

Why do so many people dig into Microsoft for something that every company does? In fact, Microsoft is much better at supporting their older software than most companies. (Take a look at Apple for example).

Stop blaming Microsoft for not pandering to your individual needs. They are a company. They make a product. Heaven forbid they try to make money off of it instead of offering insane 15 year + support.

Re:Yeah, right (4, Informative)

oodaloop (1229816) | more than 5 years ago | (#29424725)

The vast majority of DoD's systems are Windows XP with no plans of moving to Vista. US Central Command (CENTCOM) is the only command of which I've heard that has said it is moving to Vista, and FSM only knows why.

US Navy already ditching M$ (4, Interesting)

SgtChaireBourne (457691) | more than 5 years ago | (#29424731)

The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.

Since 2008, the US Navy will acquire only systems based on open technologies and standards. That excludes M$ products explicitly in every way but name. The TCP/IP being just one example of failure on M$ part to implement standards. US Navy is ditching M$ [fcw.com].

They'll probably go with an American company like Red Hat or roll their own spin of Red Hat.

The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not? If you've got Windows on your network, then you have a personnel problem, not just a network security problem.

Re:US Navy already ditching M$ (1)

commodore64_love (1445365) | more than 5 years ago | (#29424919)

>>>like Red Hat or roll their own spin of Red Hat.

So in other words the Navy has come full-circle to where they were in 1997. Prior to that the Navy (and military in general) did all hardware and software development internally. They switched to Commercial products on the theory that it would be cheaper to just buy the stuff off the shelf. Now after having experienced the Microsoft world, I guess they decided to go back to self-developed software.

Wouldn't SynAttackProtect work here? (on 2000 too) (3, Interesting)

Anonymous Coward | more than 5 years ago | (#29424787)

The DOS/DDOS possible via the latest weakness in Windows 2000's IP stack @ least (uses RDR20.DLL as the LSP (layered service provider) vs. MSWSOCK.DLL (the LSP used in XP/Server 2003 onwards, by way of comparison, & this is where I think the problem lies largely, as it is the "most radically different part" of the IP stack in Windows 2000 vs. the more current builds of Windows that I could see @ least)?

WELL - That's taken care of by the SynAttackProtect setting here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

What does it do??

http://msdn.microsoft.com/en-us/library/aa302363.aspx [microsoft.com]

Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

TcpMaxPortsExhausted
TcpMaxHalfOpen
TcpMaxHalfOpenRetried

Also have to be considered as well (these determine how long before SynAttackProtect "kicks in", vs. the DOS/DDOS attack that could occur)

This SynAttackProtect registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).

2: Set SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests quickly timeout when a SYN attack is in progress. This parameter is the recommended setting.

NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2: Scalable windows

-----

IIRC? This is called the "Silly Window Syndrome", & this is a way, in theory, around it... & iirc, "Scalable Windows", via setsockopt API calls from an attacker are what the problem is here anyhow & this ought to 'stall it'... thoughts/feedback?

APK

P.S.=> Also, "hardcoding" the TcpWindowSize & GlobalTcpWindowSize settings in the registry in TCP/IP Parameters (see registry path above) SHOULD also help here also, for servers that can accept MANY connections from MANY clients, worldwide, as your specific constraints specify...

Thus, effectively stalling the ability to use TcpWindowScaling is stopped by SynAttackProtect too, so an attacking system/app sending a setsockopt of 0 for this SHOULD also be nullified, on a server also...

(However/Again - Workstations are easily taken care of , vs. servers, just by what I wrote up above either by PORT FILTERING)

IP Security Policies, which can work on ranges of addresses to block, OR, single systems as well you either ALLOW or DENY to talk to your system, still can help also... vs. a DDOS though? SynAttackProtect is your best friend here... you'd use netstat -b -n tcp to see which are held in a 1/2 open SYN-RECEIVE state, & BLOCK THOSE FROM SENDING YOUR WAY (or just by doing it in a router or routing table)... takers anyone, on these thoughts (especially for Windows 2000)?

Thanks for your time... apk
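An added example, not part of the comment above or of any Microsoft tooling: the netstat check the comment describes, written as a small Python parser that counts connections held in the half-open SYN_RECEIVED state per remote address and per local port. The sample output, the addresses (documentation ranges) and the per-source threshold of 3 are constructed for illustration.

```python
"""Summarise half-open TCP connections in Windows netstat output."""
from collections import Counter

# State Windows netstat prints once a SYN has arrived and the SYN-ACK has been
# sent, but the final ACK of the handshake has not come back yet.
HALF_OPEN_STATE = "SYN_RECEIVED"

# Constructed sample shaped like `netstat -b -n` output. Addresses come from
# the documentation ranges (RFC 5737 / RFC 3849); they are not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 [inetinfo.exe]
  TCP    192.0.2.10:80          198.51.100.7:40001     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40002     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40003     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40004     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:51515      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.20:52000     ESTABLISHED
 [inetinfo.exe]
  TCP    [2001:db8::10]:443     [2001:db8::5]:50000    SYN_RECEIVED
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def half_open_connections(netstat_text):
    """Yield (remote_addr, local_port) for every half-open TCP row."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows are: Proto, Local Address, Foreign Address, State
        # (plus a PID column when -o is used). Headers and the
        # "[process.exe]" lines added by -b are skipped here.
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, remote, state = fields[1], fields[2], fields[3]
        if state.upper() == HALF_OPEN_STATE:
            remote_addr, _ = split_endpoint(remote)
            _, local_port = split_endpoint(local)
            yield remote_addr, local_port


def summarize(netstat_text, per_source_threshold=3):
    """Return total, per-port and per-source views of half-open connections."""
    by_source = Counter()
    by_port = Counter()
    for remote_addr, local_port in half_open_connections(netstat_text):
        by_source[remote_addr] += 1
        by_port[local_port] += 1
    return {
        "total_half_open": sum(by_source.values()),
        "by_local_port": dict(by_port),
        # Hypothetical threshold: sources holding this many or more
        # half-open connections are listed for review.
        "sources_over_threshold": sorted(
            addr for addr, n in by_source.items() if n >= per_source_threshold
        ),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_NETSTAT))
```

Per-source counts only point at real senders when the source addresses are genuine; when a flood uses forged sources, the total and per-port counts are the signal to watch.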

All the military stuff is old. (1)

tjstork (137384) | more than 5 years ago | (#29424799)

Procurement times are so long in the military that everything is old. I understand the Seawolf is powered by 68030 processors...

Re:All the military stuff is old. (1)

Truekaiser (724672) | more than 5 years ago | (#29424995)

So you want unproven, unstable tech running engines of mass destruction? Especially when they carry nuclear weapons?

Re:Yeah, right (1)

blueg3 (192743) | more than 5 years ago | (#29424887)

I think you confuse the words "withhold" and "not provide". You cannot withhold something you do not have in the first place.

Halliburton (2, Interesting)

Doc Ruby (173196) | more than 5 years ago | (#29424959)

Why not? The Pentagon continued using Halliburton for years, on huge no-bid contracts, even when its divisions were installing showers in Iraq that electrocuted our servicemembers. And that's just the worst failure the public heard about, after most of a decade of abusive cronyism.

Microsoft is much richer than even Halliburton, and its failures much less publicly scandalous. Why would it face a tougher standard? I'm sure Dick Cheney owns a lot of Microsoft stock, too.

Re:Yeah, right (5, Funny)

HangingChad (677530) | more than 5 years ago | (#29424975)

The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP.

I questioned the Navy's IT management for years, failing to see the long term wisdom behind the program and thinking it was a pork spending program awarded to political insiders. But, I'm forced to admit NMCI has been tremendously successful at bringing productivity to a near stand still. Patching computers no one can use is hardly even necessary.

As a bonus the Navy has an inexhaustible supply of boat anchors!

Absolutely brilliant.

Re:Yeah, right (1)

CaptBubba (696284) | more than 5 years ago | (#29424993)

I have to wonder how much of the stickiness of Windows XP is from businesses and government which are tied to IE6 for intranet or custom apps.

Upgrade costs (both in hardware and time lost) for just the operating system would be large, but add in redesigning, debugging, and certifying new versions of the tools used day-to-day in a company/division and it just would be insurmountable.

They a dicks. How is this a surprise? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#29424597)

You give a dick money, and he becomes a big dick. Not a headline.

Unclear (4, Interesting)

coastwalker (307620) | more than 5 years ago | (#29424599)

It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

Re:Unclear (1)

MyDixieWrecked (548719) | more than 5 years ago | (#29424645)

My first reaction to this news is that MS is using this as a tactic to get people to upgrade to Win7. From what I understand, Win7 runs pretty well on netbooks; or maybe that's just what MS wants us to think. heh.

I'm incredibly curious, but I don't think I'm about to replace my S10's (Lenovo Netbook) Ubuntu OS with Win7.

Re:Unclear (3, Informative)

David Gerard (12369) | more than 5 years ago | (#29424969)

It does if you have 2 gig of memory. Bit cramped with 1 gig. Unusable with 512MB.

Windows 7 is more user-responsive than Vista, but its arse is just as fat.

Re:Unclear (1)

FlyingBishop (1293238) | more than 5 years ago | (#29424663)

They might be hoping to position Windows CE for that space. It is, after all, what it's designed for.

Which would actually be pretty nice. ARM would no longer be completely a second class citizen, which can only ease porting in general for those of us using Linux.

Re:Unclear (2, Informative)

Corporate Troll (537873) | more than 5 years ago | (#29424763)

It reminds me a bit of NT 4.0 back in the day. They stopped giving out patches for critical vulnerabilities 6 months before the EOL of NT 4.0. The reasons were similar: "It cannot be done". How far away is the official EOL of Windows XP? Somewhere in 2012, no?

Re:Unclear (1)

Markus_UW (892365) | more than 5 years ago | (#29424801)

January 31st, 2009, looks like. That'd be what, 8 months back? http://www.microsoft.com/windows/lifecycle/default.mspx [microsoft.com]

Re:Unclear (1)

Corporate Troll (537873) | more than 5 years ago | (#29424829)

No, that's the availability of licenses, not the end-of-life for support.

Re:Unclear (4, Informative)

Corporate Troll (537873) | more than 5 years ago | (#29424877)

Here you go [microsoft.com]. Extended support is well into 2014. Mainstream support has already ended though.... Which is very strange considering XP is still sold with netbooks.

Re:Unclear (0)

Anonymous Coward | more than 5 years ago | (#29424823)

>Somewhere in 2012, no?

April 2014 (!)

Re:Unclear (2, Interesting)

noundi (1044080) | more than 5 years ago | (#29424777)

It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

Excellent point. I wonder if this could put MS into legal trouble. Does anybody know what software distribution laws say about distributing software with known security issues without the intention of filling them? Are they at least bound to notify the user? I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified. Surely this should be a more valid suit, as you don't even need to be a complete moron to get affected.

Re:Unclear (1)

TheP4st (1164315) | more than 5 years ago | (#29424925)

I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified.

Coffee very rarely comes with a EULA explicitly removing responsibility from the vendor in case the coffee is too hot, or at least it used to. Most software comes with EULAs covering exactly the points you've brought forward.

Re:Unclear (1)

noundi (1044080) | more than 5 years ago | (#29424997)

I mean people have burnt themselves on hot coffee and won lawsuits because they weren't notified.

Coffee very rarely comes with a EULA explicitly removing responsibility from the vendor in case the coffee is too hot, or at least it used to. Most software comes with EULAs covering exactly the points you've brought forward.

Well that's given, my concern is if the law mentions anything, in which case a EULA, in that sense, wouldn't be effective. You can't put whatever you want within the EULA.

Re:Unclear (2, Insightful)

blueg3 (192743) | more than 5 years ago | (#29424961)

There are essentially no software liability regulations.

Re:Unclear (2, Insightful)

Drakkenmensch (1255800) | more than 5 years ago | (#29424869)

It is unclear how large a threat this is to the end user. However the fact that XP is being loaded on netbooks suggests that Microsoft has a revenue stream that it should protect by writing a patch if it is serious.

The Coca-Cola Corporation also had a steady worldwide revenue stream with its nearly 80 years old original Coke formula, and everything went smoothly when it upgraded it to the improved and more delicious New Coke- Oh wait.

In other words (3, Insightful)

mc moss (1163007) | more than 5 years ago | (#29424601)

"not feasible"

yeah right, more like MS wants people to move onto Windows 7

XP/2003 (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29424603)

I thought the code for Windows 2003 and Windows XP was mostly identical. As a currently shipping product, isn't that a violation of some states'/countries' warranty/merchantability laws?

Re:XP/2003 (2, Funny)

bsharp8256 (1372285) | more than 5 years ago | (#29424859)

Well, they are mostly identical. XP was released in 2001, in the dark age of computing. 2003, released in (you guessed it!) 2003 is two years newer, so it's still patchable. Duh.

Infeasible? (5, Funny)

YuppieScum (1096) | more than 5 years ago | (#29424609)

That's unpossible!

Re:Infeasible? (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#29424981)

You're speaking nosense!

Upgrade or Else (4, Interesting)

Cryophallion (1129715) | more than 5 years ago | (#29424615)

So, basically, upgrade or you'll be hacked?

Two questions:
1. Does 7's XP mode potentially have this issue, or is there a compatibility layer so xp doesn't talk directly to the network?
2. They seemed to be able to make massive security updates for code that was that old, and still patch a number of other issues. What about this REALLY makes it so hard to code?

In the end, while I understand not wanting to waste resources on way older products, I think it is a marketing move.

Re:Upgrade or Else (3, Insightful)

jonbryce (703250) | more than 5 years ago | (#29424713)

The XP virtual machine is not accessible from outside as it talks via a NAT router. Any attack would need to come from the Windows 7 host machine, but if that was pwned, there are many other ways to attack the XP virtual machine.

making Vista/Win7 look good (2)

Clover_Kicker (20761) | more than 5 years ago | (#29424619)

How very serendipitous for Microsoft, people now have a reason to upgrade from XP.

I ran W2K on my desktop until a couple of years ago, i.e. until the patches stopped coming W2K did everything I needed.

Guess I'll have to consider Win7 now...

Re:making Vista/Win7 look good (1)

polar red (215081) | more than 5 years ago | (#29424695)

W2K did everything I needed.

it still does.

Seriously! (1)

ShivSena (1414571) | more than 5 years ago | (#29424625)

So now they are going to force us to upgrade to Windows 7 sooner rather than later?

Re:Seriously! (0)

Anonymous Coward | more than 5 years ago | (#29424711)

What do you mean "sooner?" This is later already. How many times has Microsoft pushed back the date they'd cease supporting XP?

Re:Seriously! (0, Troll)

Anonymous Coward | more than 5 years ago | (#29424803)

He means sooner rather than later because he is talking about upgrading to Windows 7 not upgrading from XP. Take a reading comprehension class.

That's why I like open source (5, Interesting)

jgardia (985157) | more than 5 years ago | (#29424631)

well, that's one of the positive aspects of the open source code. If the main developer doesn't want to fix something, then someone else can do it.

Re:That's why I like open source (1)

Archeopteryx (4648) | more than 5 years ago | (#29424749)

The exploit is known...

So somebody needs to turn the exploit into a patch.

Shouldn't be that hard.

Re:That's why I like open source (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29424807)

Shouldn't be that hard.

Then you do it. Oh, right, I forgot - you have no idea what you're talking about.

Re:That's why I like open source (0)

Anonymous Coward | more than 5 years ago | (#29424985)

That's exactly why MS should release MicrosoftBob open source.

Question (5, Interesting)

bjackson1 (953136) | more than 5 years ago | (#29424637)

Isn't the codebase for XP and Windows 2003 essentially the same? Why can't the 2003 patch be modified? I don't remember reading that the TCP/IP stack was that different in 2003.

Re:Question (5, Funny)

Anonymous Coward | more than 5 years ago | (#29424685)

You are forgetting that code ages over time. I think it has something to do with the proteins and atoms. That is why they have to make new versions.

15 years old (5, Insightful)

vxvxvxvx (745287) | more than 5 years ago | (#29424653)

While the code may very well be 15 years old, that does not really matter to the user. What matters is how long ago Microsoft sold the product. If they sell software today that uses some code written 15 years ago you should be able to expect security updates for some period of time. Now, had they decided not to patch software they haven't sold in 15 years that would be totally OK.

Re:15 years old (5, Insightful)

Anonymous Coward | more than 5 years ago | (#29424701)

This is the key point. It doesn't matter when the code was written - if it was sold "today", it's current code. Current code (sold on the scale of an OS) should be fixed, or declared "broken" and not sold.

Re:15 years old (2, Informative)

ericlondaits (32714) | more than 5 years ago | (#29424971)

From the article:

In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability,

Microsoft has been selling Windows XP SP2 and SP3 for some time now. I really wouldn't expect them patching plain old XP.

I agree (2, Insightful)

ZekoMal (1404259) | more than 5 years ago | (#29424655)

When you release something and then release something else, you should stop supporting the previous thing so that everyone is forced to buy the new one, even if it isn't necessarily better. You know, kind of like if Sony told you to take your PS2 and stuff it if something went wrong with it because the PS3 is out now.

MS hate aside, they're just doing what they've always done. We don't get our panties in a knot when they don't release a Win 98 patch, do we? With Win 7 on our doorstep, there is no reason for MS to be supporting three separate OS. Well, aside from customer service. I just sort of shrug my shoulders and deal with it. Anyone running XP knows they're doing it because Vista/7 don't appeal to them; deal with the consequences.

Re:I agree (1, Redundant)

commodore64_love (1445365) | more than 5 years ago | (#29424781)

You make a good point. Microsoft's other main competitor, Apple, doesn't provide service updates for anything older than 10.5 (2007). Why should MS support anything older than that?

Re:I agree (0)

Anonymous Coward | more than 5 years ago | (#29424913)

Because Microsoft has to compete by functionality not marketing alone. Because Apple doesn't have the massive market share to lose in corporate environments that MS has.

Re:I agree (0)

Anonymous Coward | more than 5 years ago | (#29424945)

And that's the kind of reasoning that screws over the customer time and time again - "Competitor X does this, so we can get away with it too". Competitor X are a bunch of DICKS, and shouldn't be doing that in the first place.

Wait (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29424657)

Looks like all of those netbooks microsoft allowed to be shipped with XP in the last two years will be tasty targets.

Re:Wait (1)

rbochan (827946) | more than 5 years ago | (#29424849)

Not just [dell.com] netbooks [dell.com] ...

In other News: XP not affected by Vista/W7 bugs! (3, Insightful)

kevingolding2001 (590321) | more than 5 years ago | (#29424665)

From the FA. (Emphasis mine)

The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."

Yes, it's easy to take the "We won't be backporting this fix" stance when the old OS isn't vulnerable in the first place.

Remote code execution is LOW impact? (3, Insightful)

Ancient_Hacker (751168) | more than 5 years ago | (#29424671)

For some unfathomable reason, MS rates remote code execution as a LOW impact problem for XP.

And somehow, the TCP stack, perhaps the most modular and with the most well-defined interfaces, can't be replaced wholesale.

This makes no sense, unless they're trying to get people to spend $$$ on moving to "Windows 7",
or as the cognoscenti call it, "Vista SP2".

ooooohhh.....

Re:Remote code execution is LOW impact? (0)

Anonymous Coward | more than 5 years ago | (#29424839)

Simple. Figure out a way to use this exploit to break windows media DRM. Watch the exploit get fixed the very next day.

Re:Remote code execution is LOW impact? (0)

Anonymous Coward | more than 5 years ago | (#29424843)

No, Microsoft rates a temporary denial of service vulnerability with no default attack vector as a low impact problem for XP.

While I agree that "low" is probably not the correct severity of the problem, it's certainly not the huge issue that you make it out to be.

Re:Remote code execution is LOW impact? (3, Insightful)

nielsm (1616577) | more than 5 years ago | (#29424955)

There's no remote code execution possible with this on XP, only DoS. You can make the system essentially freeze while the packeting is going on but that's it. Only Vista and Server 2008 have remote code execution exploits from this bug.

Also you can only exploit this if the machine has software accepting TCP connections. If you have an (application) firewall blocking all incoming connections with no exceptions (such as XP SP2+ has by default) there's no real problem.

XP Still supported on netbooks. (5, Interesting)

Chrisq (894406) | more than 5 years ago | (#29424679)

Since XP is still being shipped and supported [computerworld.com] on netbooks this seems a little strange. What's the message - spend extra on memory and hard drive so that you can run XP instead of Linux but we won't give you security patches?

'We're talking about code that is 12 to 15 years' (1)

Lord Lode (1290856) | more than 5 years ago | (#29424687)

I've worked with older code than that... nothing unfeasible about it.

In other news... (5, Insightful)

Temkin (112574) | more than 5 years ago | (#29424693)

In other news... 10 year old Linux 2.4 kernel patched yesterday...

My job is to apply "The Formula" (5, Funny)

Stenchwarrior (1335051) | more than 5 years ago | (#29424697)

A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crushes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

If X is less than the cost of a recall, we don't do one.

Re:My job is to apply "The Formula" (1)

insertwackynamehere (891357) | more than 5 years ago | (#29424813)

Ooh I liked that movie. Let's arbitrarily quote it some more!

Re:My job is to apply "The Formula" (1)

Stenchwarrior (1335051) | more than 5 years ago | (#29424991)

arbitrarily

Hello, my name is Inigo Montoya...and I do not think that word means what you think it means.

Re:My job is to apply "The Formula" (2, Insightful)

jollyreaper (513215) | more than 5 years ago | (#29424965)

A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crushes and burns with everyone trapped inside. Now: do we initiate a recall? Take the number of vehicles in the field (A), multiply it by the probable rate of failure (B), then multiply the result by the average out-of-court settlement (C). A times B times C equals X...

If X is less than the cost of a recall, we don't do one.

The first rule of screwing the public is we don't talk about screwing the public.

The second rule of screwing the public is WE DON'T TALK ABOUT SCREWING THE PUBLIC!

Re:My job is to apply "The Formula" (1)

jabuzz (182671) | more than 5 years ago | (#29424967)

Ford tried that one, and when found out C became much larger. It is not a good business plan.

infeasible? (1)

hal2814 (725639) | more than 5 years ago | (#29424707)

Oh, Dusty. In-feasible is when you're MORE than feasible. This TCP/IP fix, it's not just feasible, it's IN-feasible.

"Infeasible": Translation.. (5, Funny)

multipartmixed (163409) | more than 5 years ago | (#29424727)

...we lost the source code, we kept it in Microsoft Source Safe and it ate it.

Re:"Infeasible": Translation.. (0)

Anonymous Coward | more than 5 years ago | (#29424883)

True.

the true cost (3, Insightful)

mach1980 (1114097) | more than 5 years ago | (#29424733)

The true cost of releasing a patch is not in compiling and distributing the fix. The money is spent on verification. By not releasing the patch to XP and w2k my estimates are that Microsoft is saving man-years in verification.

Re:the true cost (1)

knarf (34928) | more than 5 years ago | (#29424947)

Bogus, don't be a tool. The patch for WS2003 most likely works on XP as well given the shared heritage of these systems. They just want current XP users to move to Vista7.

Also said it was "afeasable" (1)

BlueBoxSW.com (745855) | more than 5 years ago | (#29424735)

"retrofeasable," "antifeasable," "inflamafesable," and "!feasable."

Xubuntu (or your favorite) for Netbooks (2, Insightful)

Archeopteryx (4648) | more than 5 years ago | (#29424745)

There is really no reason for XP on a netbook any more. You aren't using it as a high-end gaming platform. You aren't running Adobe Creative stuff on it.

You are using it to run FireFox, edit documents, read, IM and send email.

Linux has all that covered and is even document-compatible with Windows.

I have an Eee 900A with a 32GB SSD in it running Xubuntu and I connect to a corporate RADIUS network, Bluetooth tether to my phone, and even use the web version of Outlook on it to get at calendars.

Flash even works.

The only thing I can't do that would be nice is play Netflix movies as the Moonlight package does not have DRM in it (and likely never will.)

Re:Xubuntu (or your favorite) for Netbooks (0)

Anonymous Coward | more than 5 years ago | (#29424857)

There's really no reason for XP, but then in your same post you go and give a reason for XP. Brilliant!

Good Bye Microsoft (0, Flamebait)

curmudgeon99 (1040054) | more than 5 years ago | (#29424785)

This is just another reason to abandon Microsoft. I am so happy with my Mac, open office and a variety of other non-Microsoft technologies. The last time I spent money on one of their "products" was Windows 98. No reason to ever drop a dime again on their crap.

So will you buy a new Mac then? (1)

tjstork (137384) | more than 5 years ago | (#29424815)

This is just another reason to abandon Microsoft. I am so happy with my Mac

So... because you don't want to update Windows from XP to Windows 7, you will instead update your entire computer to a brand new Macintosh running a brand new operating system.

I mean, if you are shopping for a new computer, isn't Microsoft's abandonment of XP kind of irrelevant? If you are not shopping for a new computer, why would anyone care?

Re:Good Bye Microsoft (1)

Yosho (135835) | more than 5 years ago | (#29424885)

This is just another reason to abandon Microsoft.

Really? How often does Apple backport patches from OS X 10.6 to 10.0? You realize that XP is even older than 10.0, right?

This degrades the internet (0)

Anonymous Coward | more than 5 years ago | (#29424789)

There are how many XP machines on the web? Who won't issue a repair for that many machines? If they won't do it, release the code to someone else who will. Car companies tried to do this - not releasing spare parts. Other companies won the right to make the parts.

It's not just an issue of upgrading to Vista or Windows 7 - Microsoft has a responsibility to fix their stuff because of their place in the market and their presence on the web.

They're still minting XP disks. They'll have to make the patch for big\secure customers. They should be made to release the patch.

AC

FailzOrs (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#29424791)

to underscore development. bSD iT. Do not share ones in software

Okay, we get it. This is leverage for 7 migration (1, Insightful)

erroneus (253617) | more than 5 years ago | (#29424841)

Clearly, this is something Microsoft is leveraging to get people to move to Win7. (You know, in some fonts "Win7" looks rather similar to "Win?") But I have to wonder:

There will be large government installations that still need to use Windows XP. Will they get this impossible patch? Also, do Microsoft's support claims for Windows XP fit within this window and if not, how can Microsoft pull a stunt like this? Doesn't this mean they are dropping support for Windows XP "early"?

What really needs to happen is that "the public" needs to be aware of what is happening and, in Fox News style, be instructed how to feel and respond to it.

Unsupported New Computers (1)

ViViDboarder (1473973) | more than 5 years ago | (#29424845)

They are still selling computers with WinXP on them. It's unfair for them to just not support it. This is all a ploy to sell more copies of Windows 7 and we all know it.

If we thought Windows was insecure before, just wait to see how vulnerable it's about to become with all the unsupported XP boxes that are going to be around!!!

2014 ???? (4, Insightful)

m0s3m8n (1335861) | more than 5 years ago | (#29424847)

I guess these guys did not read: http://support.microsoft.com/gp/lifepolicy [microsoft.com] XP extended support goes thru 2014 and supposedly covers security fixes. I would think this counts as a security fix.

Here's an idea... (0)

Anonymous Coward | more than 5 years ago | (#29424867)

To: Steve Ballmer, CEO of Microsoft

Dear Steve

Here's an idea for you. If you're not going to support XP any longer, open source it! The community will be happy to fix your dirty work for you. Just don't blame us when no one buys Windows 7 afterwards.

Regards

XP_phantom

Windows 7's 15 Year Old Code (1)

Doc Ruby (173196) | more than 5 years ago | (#29424921)

Microsoft didn't write all of Windows 7 from scratch. It's surely got plenty of "15 year old code", and probably older. So Microsoft's policy says that it cannot patch some Windows 7 bugs.

Maybe there indeed isn't any 15 year old code, as MS cycles its codebase slowly through "new" OS releases over the years. But there's doubtless 10 year old code, and certainly 5 year old code. So in 5-10 years, everyone buying Windows 7 today (and tomorrow) will be forced to buy the next "upgrade". And the one after.

Or run seriously insecure code that the bad guys have had 5, 10, 15 years to figure out how to exploit.

Microsoft: job security through product insecurity.

I am DITCHING M$FT FOR GOOD (0)

Anonymous Coward | more than 5 years ago | (#29424949)

I will never fear the miscreant attacking and then commanding MY PC AGAIN !! I hereby swear to almighty GOD that I am through with M$ and will abandon everything I've spent for it over these past 20 YEARS because some miscreant will, might, maybe could, DENY ME MY SERVICE of MY COMPUTER !! I have seen these SMALL WINDOW SIZE TCP PACKETS and they are HORRIBLE, HORRIBLE I tell you !! And they WILL, might, maybe, could DENY ME MY SERVICE of MY COMPUTER. Well, I won't STAND FOR THAT. I am hereby DENYING MYSELF of MY SERVICE of MY COMPUTER before the miscreant CAN, might, maybe could DENY ME MY SERVICE of MY COMPUTER.

God bless and keep you,
Right Reverend M$ Can Suck My Balls Kartmann

Bad Car Analogy. You know it is coming ;-) (4, Insightful)

140Mandak262Jamuna (970587) | more than 5 years ago | (#29425003)

Would we really accept the following situation?

Today GM announced that the GMC trucks have some fundamental flaw and they are prone to explode randomly. GM said it won't fix the issue because the design is very old, and fixing it is unfeasible. When asked if they will when they stopped shipping trucks with the fatal flaw, GM spokesman said, "we have not stopped building or shipping them yet. We need to compete with the low cost competitors in the net-truck market and so we continue to make and ship the trucks, but we won't fix the safety issue. The drivers may wrap themselves in bags filled with thermocol peanuts to get some measure of protection."

If not, why do we let Microsoft get away with it?
