Windows XP, 2000 Left Patchless Against DoS Attacks

I think most people would agree that Windows Millennium Edition (ME) was the bastard child Microsoft wanted to turn its back on. After yesterday's Patch Tuesday, I'm starting to think Windows XP and Windows 2000 have joined the ME ranks.Not sure what I'm talking about? First off, it's not the zero-day SMBv2 denial-of-service (DoS), which might end up really being a possible remote code execution vulnerability. What I'm referring to is the group of vulnerabilities that were patched yesterday via Microsoft Security Bulletin MS09-048, titled, "Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution."

As you scroll through the affected and nonaffected software listings, a couple of things should pop out -- specifically, the items that have a single asteresk (*) next to them. The asterisk states, "Default configuration not affected. For more information, see the Frequently Asked Questions (FAQ) Related to This Security Update entry."

The FAQ starts off by telling us that Windows 2000 Service Pack 4, which has extended support until July 13, 2010, is affected, but Microsoft will not be issuing a patch because it "would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component." Sounds like that goes against the extended support statement that security patches would be available for existing customers.

Some of you could care less about Windows 2000, but, unfortunately, some companies are stuck running it because of some legacy app that will run on nothing else. The cost to upgrade could be prohibitively expensive, or maybe the vendor went out of business, and it would cost too much to hire a company to rewrite it for a modern operating system (OS).

Whatever the issue is that causes people to run Windows 2000, the fact remains that customers have been running it with the expectation that they will get security patches until mid-next year. Now they'll have to put in firewalls, NAT, or an application proxy to protect that system from receiving packets from anyone but extremely trusted systems in order to try and prevent exploitation.

Let's not forget about Windows XP, which was also listed as unaffected -- but with an asterisk. Item #2 in the FAQ tells us that Windows XP Service Pack 2 and 3 are not affected because of their default configuration. It goes on to say that "for the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall."

So, because the default configuration of Windows XP SP2 & SP3 enables the firewall by default, they are not affected, which means Microsoft is not issuing a patch. Well, that's fine and dandy, but what about those people who needed to turn off the firewall or create an exception for something trivial like, let's say, iTunes or LimeWire? Guess what?!? They're screwed because they modified the default configuration and made themselves vulnerable.

I know this is coming off as a rant, but I'm frustrated. This could become a serious problem for many folks who are either stuck with Windows 2000 or decided to stick with Windows XP because they thought Vista totally sucked. I've spoken to a number of people who are scrambling to come up with workarounds because they can't just turn on the firewall and are worried about the potential for remote code execution.

Are you one of the unlucky ones?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.