From: James Lay (jlayslave-tothe-box.net)
Date: Wed Sep 16 2009 - 12:34:00 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Reference:
>
> http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
>
> MS claims the patch would require to much overhaul of XP to make it
> worth it, and they may be right. Who knows how many applications might
> break that were designed for XP if they have to radically change the
> TCP/IP stack. Now, I don't know if the MS speak is true, but it
> certainly sounds like it is not going to be patched.
>
> The other side of the MS claim is that a properly-firewalled XP system
> would not be vulnerable to a DOS anyway, so a patch shouldn't be
> necessary.
>
> -Eric
>

Apparently MS either:

a) believes that people/employees on a LAN would NEVER EVER do anything
naughty or;
b) that hostbased firewalls should be enabled on ALL workstations
regardless if they are behind corporate firewall/nat/etc...

Either way....remote code or DoS, it's still a timebomb. PCI DSS requires
these types of things to be patched or mitigated (compensating control) if
placed in the cardholder data environment. Looks like no patch means a
lot of extra work for companies taking debit/credit and running XP.

James

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]