09.21.09

Microsoft Confirms Windows XP is Not — and Never Will be — Secure

Posted in Microsoft, Security, Windows at 2:21 pm by Dr. Roy Schestowitz

Is XP EOL?

Summary: With Windows Server 2003 and Windows Server 2000 near the dumpster, Microsoft takes a huge risk by not patching the most ubiquitous desktop operating system

MICROSOFT HAS stopped issuing patches for security flaws in Windows XP, which makes XP unsuitable (and maybe illegal) for use on the Internet.

This very bizarre stance (if not illegal because Microsoft advertised XP as supported for years to come) is more or less being ratified now that Microsoft offers radical advice for ‘removing’ the security risk:

Microsoft says turn off Windows feature to protect Windows

[...]

There’s no real reason for SMB2, (Server Message Block 2), a Microsoft network file and print-sharing protocol that ships with Windows Vista, Windows Server 2008 and Windows 7, to exist. All it does is duplicate the basic network file and print functionality that Windows has provided for over a decade. But, SMB2 is in there, it is broken, and, now it can be used to take over PCs.

Microsoft admits that the problem is real. Mark Wodrich and Jonathan Ness, part of the MSRC (Microsoft Security Response Center) engineering team wrote that an experimental exploit is already out and that it can gain “complete control of the targeted system and can be launched by an unauthenticated user.” Just what you didn’t need.

There is a way to fix it. Well, sort of. You have to turn SMB2 off.

This stuff cannot be made up. Microsoft is also neglecting Windows Server 2003 and is officially ending support for Server 2000 at the moment. This is a huge strategic risk for the company. Now is the time to advance GNU/Linux for domestic and commercial use. █

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.

Permalink Mail Send this to a friend

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

9 Comments

Yuhong Bao said,

September 21, 2009 at 3:43 pm

“Microsoft Confirms Windows XP is Not — and Never Will be — Secure”
Against this particular vulnerability only! Besides, this isn’t unusual. Look at the last months of security bulletins before MS discontinued NT 4 support in the end of 2004, some of them say NT 4 will be never be patched for the same reason.

Roy Schestowitz Reply:
September 21st, 2009 at 3:47 pm
NT 4…

Microsoft is not a basis of comparison for Microsoft. :-p

Yuhong Bao Reply:
September 21st, 2009 at 10:39 pm
“Against this particular vulnerability only!”
To clarify, I mean that, yes, MS will not patch this vulnerability, but that do not change the fact that MS will still try their best to patch XP against new security holes until the end of Extended Support in 2014, just like how MS did with NT 4 until end of 2004 and 98/ME until mid-2006.
Yuhong Bao said,

September 21, 2009 at 5:54 pm

“There’s no real reason for SMB2, (Server Message Block 2), a Microsoft network file and print-sharing protocol that ships with Windows Vista, Windows Server 2008 and Windows 7, to exist.”
Well, I would not go that far, but the merits and disadvantages of the SMB 2.0 protocol itself is another topic altogether.

twitter Reply:
September 21st, 2009 at 10:29 pm
Ah Boa, you never “go that far.”

Anyway, what’s a softie to do? They no longer even have the illusion of network security now. If XP is never patched again and Vista is knocked off the M$ network, where does that leave the Enterprise? None of them bothered to run Vista and won’t bother running Windows 7 either. So they are left with a very broken M$ infrastructure.

Yuhong Bao Reply:
September 21st, 2009 at 10:35 pm
I was specifically talking about the SMB 2.0 protocol, not Vista in general.
“XP is never patched again”
Not true, see my previous comment.
Needs Sunlight said,

September 22, 2009 at 5:58 am

Q: When is Windows exactly like Windows?
A: When the $NEXT_VERSION is for sale.

Q: When is Windows not like Windows?
A: When the $NEXT_VERSION is for sale.

M$ always allows criticism of it’s oldest supported version when trying to drum up sales of the $NEXT_VERSION. In this case it’s trying to peddle Vista7 and stem of further upgrades to Ubuntu.

Of course it is different now than in the past. In the past, M$ embarrassed its executives and its programmers by releasing terribly poor, insecure and unstable software. But this time, honest, they’ve learned there lesson and the company will recover its reputation with
~~Windows 3.0~~
~~Windows 3.1~~
~~Windows 3.11~~
~~Windows NT~~
~~Windows 95~~
~~Windows 98~~
~~Windows NT 4.0~~
~~Windows 2000 (NT5)~~
~~Windows Millennium Edition (Me)~~
~~Windows XP~~
~~Windows XP SP2~~
~~Windows Server 2003~~
~~Windows Home Server~~
~~Windows Vista~~
~~Windows Server 2008~~
~~Windows Vista 7~~
~~Windows Vista 8~~
Windows Vista ng

… Not!

http://linuxlock.blogspot.com/2009/08/windows-users-charlie-browns-of.html

Needs Sunlight Reply:
September 22nd, 2009 at 6:02 am
Forgot overpriced in the description above.

http://www.law.com/jsp/article.jsp?id=1088699765289

There are 49 other states not counting the UK.
Roy Schestowitz said,

September 22, 2009 at 6:14 am

Watch this video from 2007 (when Vista was released). Around the 5th minute Linus speaks about how Vista is mostly hype.