Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/9/2009
02:43 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Windows XP, 2000 Left Patchless Against DoS Attacks

I think most people would agree that Windows Millennium Edition (ME) was the bastard child Microsoft wanted to turn its back on. After yesterday's Patch Tuesday, I'm starting to think Windows XP and Windows 2000 have joined the ME ranks.

I think most people would agree that Windows Millennium Edition (ME) was the bastard child Microsoft wanted to turn its back on. After yesterday's Patch Tuesday, I'm starting to think Windows XP and Windows 2000 have joined the ME ranks.Not sure what I'm talking about? First off, it's not the zero-day SMBv2 denial-of-service (DoS), which might end up really being a possible remote code execution vulnerability. What I'm referring to is the group of vulnerabilities that were patched yesterday via Microsoft Security Bulletin MS09-048, titled, "Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution."

As you scroll through the affected and nonaffected software listings, a couple of things should pop out -- specifically, the items that have a single asteresk (*) next to them. The asterisk states, "Default configuration not affected. For more information, see the Frequently Asked Questions (FAQ) Related to This Security Update entry."

The FAQ starts off by telling us that Windows 2000 Service Pack 4, which has extended support until July 13, 2010, is affected, but Microsoft will not be issuing a patch because it "would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component." Sounds like that goes against the extended support statement that security patches would be available for existing customers.

Some of you could care less about Windows 2000, but, unfortunately, some companies are stuck running it because of some legacy app that will run on nothing else. The cost to upgrade could be prohibitively expensive, or maybe the vendor went out of business, and it would cost too much to hire a company to rewrite it for a modern operating system (OS).

Whatever the issue is that causes people to run Windows 2000, the fact remains that customers have been running it with the expectation that they will get security patches until mid-next year. Now they'll have to put in firewalls, NAT, or an application proxy to protect that system from receiving packets from anyone but extremely trusted systems in order to try and prevent exploitation.

Let's not forget about Windows XP, which was also listed as unaffected -- but with an asterisk. Item #2 in the FAQ tells us that Windows XP Service Pack 2 and 3 are not affected because of their default configuration. It goes on to say that "for the denial of service to succeed, an affected system must have a listening service with an exception in the client firewall."

So, because the default configuration of Windows XP SP2 & SP3 enables the firewall by default, they are not affected, which means Microsoft is not issuing a patch. Well, that's fine and dandy, but what about those people who needed to turn off the firewall or create an exception for something trivial like, let's say, iTunes or LimeWire? Guess what?!? They're screwed because they modified the default configuration and made themselves vulnerable.

I know this is coming off as a rant, but I'm frustrated. This could become a serious problem for many folks who are either stuck with Windows 2000 or decided to stick with Windows XP because they thought Vista totally sucked. I've spoken to a number of people who are scrambling to come up with workarounds because they can't just turn on the firewall and are worried about the potential for remote code execution.

Are you one of the unlucky ones?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5531
PUBLISHED: 2020-02-17
Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module(R12CCPU-V Ethe...
CVE-2020-7252
PUBLISHED: 2020-02-17
Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
CVE-2020-9024
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
CVE-2020-9025
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
CVE-2020-9026
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.