Bad firewall

Summary: As ISPs may prepare to require full patching as a precondition to connecting, what does Microsoft's refusal to patch actually mean?

THE PREVIOUS post showed that Windows is now at risk of being kicked off the Internet if it cannot be properly secured (it hardly can). This gets worse though.

Mentioned the other day was the fact that Microsoft is leaving Windows XP vulnerable with no intention of patching known security bugs. That, by definition, may render Windows XP unsuitable for use on the Internet; it cannot ever be made fully patched and since there is no access to the source code, only one company rules on the matter. As the debate carries on, Slashdot reveals that Microsoft is indeed saying "no" to patching of XP.

Microsoft says it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008. The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4. 'We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible,' said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.

Here is the newly-cited report.

Microsoft late last week said it won't patch Windows XP for a pair of bugs it quashed Sept. 8 in Vista, Windows Server 2003 and Windows Server 2008.

The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.

[...]

The bugs in question are in Windows' implementation of TCP/IP, the Web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.

[...]

During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"

Amazing!

Does that mean that Microsoft intends to stop sales of XP on all machines? What about the fact that Vista 7's principal feature is virtualisation of XP? How can that be secured? What about the many existing users?

“What about the many existing users?”"Since Linux is faster and easier to use on the netbooks," tells us a reader, "Microsoft is still shipping XP in order to hang on to the OEM monopoly. Yet at the same time the official party line is that there will be no patches for XP.

"Do you suppose Microsoft employees managed to lose or erase the source code for that part of XP?"

Could Microsoft be trying to urge people to abandon XP? If so, Vista 7 sure seems like a problem because not only does it rely on XP but it is already a problematic downgrade/upgrade (no genuine consensus or verdict on whether it's an "upgrade" yet). Ars Technica claims that it can take an entire day just to move to this operating system, even on a fast machine. The source of the claim is Microsoft Corporation.

Microsoft: Windows 7 upgrade can take nearly a day

[...]

The biggest thing that stands out about this chart is the very broad range of the upgrade time: from 30 minutes to 1,220 minutes. That second extreme is not a typo: Microsoft really did time an upgrade that took 20 hours and 20 minutes. That's with 650GB of data, 40 applications, on mid-end hardware, and during a 32-bit upgrade. We don't even want to know how long it would take if Microsoft had bothered doing the same test with low-end hardware.

Assuming a wage of roughly $100 per day, the price of Vista 7 sure is higher than the price tag suggests. And what about the cost of insecurity? ⬆