Windows XP left out of the latest round of patches

Though due to receive updates until April 2014 and still in use by many people, Windows XP did not receive patches for the latest bugs, even though Vista, Server 2003 and 2008 have received them.

window avalanche Computerworld writes that Microsoft has purposely left out Windows XP to the no-patch list that previously included only Windows 2000 when it refused to include the still widely used OS in the TCP/IP patch recipients: Vista, Server 2003 and 2008.

"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP. "An update for Windows XP will not be made available," Stone and fellow program manager Jerry Bryant said during the Q&A portion of the Webcast. (…)

In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system. "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network."

Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."

Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate," "important" and "critical."

The same two bugs were ranked "moderate" for Vista and Server 2008, while a third -- which doesn't affect the older operating systems -- was rated "critical."

Obviously, it’s important to find out whether this will happen again in the future, and if yes, how often should we expect to live with known exploits:

Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.

Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."

Skipping patches is very unusual for Microsoft. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003, when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.

"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.

The last thing you might want to know is whether “infeasible” is really a word. This is why we added the last link below.

Sources / More info: computerworld-microsoft-xp, ms-webcast-transcript, ms-webcast, windows-2000-infeasible, MS09-048, infeasible vs. unfeasible

blog comments powered by Disqus
Your gift enables us to continue to provide high quality reporting with little or no advertising.