Thank you, Bejtlich, for posting about this and making me revisit this for what is probably the fifth time in 2 days. I fully blame Microsoft's poor wording for the confusion.
Yesterday, my first reaction (heck, I even tweeted it) to MS09-048 was to call it a Big Deal. Truly, it should be: on affected systems, any listening service exposes the system to at least one of the vulnerabilities.
Microsoft played dumb with Windows XP, however, stating that the default configuration for XP SP2 and SP3 has the Windows Firewall turned on and does not allow any listening services.
But I think anyone who has even a smidgen of tech-sense in them knows that once you network the box (or basically even just use it, it seems), listening services are started and maintained or the Windows Firewall is flatly turned off.
So, the question remains. Let's stop playing dumb and just say that XP SP2 and SP3 should, at least potentially, be considered vulnerable. Does that mean XP is vulnerable to just the DoS/reboot vulnerabilities, or also to the part that allows remote code execution?
A big fail on Microsoft’s part for basically omitting this information.
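Since the bulletin's "not affected" claim for XP hangs on exactly two conditions (firewall on, nothing listening), here is an added check that reports which of them a given host actually meets. This is my own example, not code from the post or from Microsoft; it assumes XP SP2/SP3 with PowerShell 2.0 installed, and the function names are mine.

```powershell
# Added example, not from the original post. Assumes Windows XP SP2/SP3 with PowerShell 2.0
# installed; netstat.exe and netsh.exe are built in. Function names are my own.

function Get-ListeningTcpPorts {
    # Parse "netstat -ano" for TCP sockets in LISTENING state and resolve the owning process.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $procId = [int]$matches[3]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = 'unknown'
            if ($proc) { $name = $proc.ProcessName }
            New-Object PSObject -Property @{
                LocalAddress = $matches[1]
                Port         = [int]$matches[2]
                ProcessId    = $procId
                Process      = $name
            }
        }
    }
}

function Get-FirewallOperationalMode {
    # "netsh firewall show state" reports "Operational mode = Enable|Disable" on XP SP2 and later.
    $text = (netsh firewall show state) -join "`n"
    if ($text -match 'Operational mode\s*=\s*(\w+)') { return $matches[1] }
    return 'Unknown'
}

function Test-MS09048Exposure {
    # Apply the bulletin's own "not affected" conditions: firewall enabled AND nothing listening.
    $mode      = Get-FirewallOperationalMode
    $listening = @(Get-ListeningTcpPorts)

    Write-Host ("Windows Firewall operational mode: {0}" -f $mode)
    Write-Host ("Listening TCP sockets: {0}" -f $listening.Count)
    $listening | Sort-Object Port | Format-Table LocalAddress, Port, ProcessId, Process -AutoSize

    if ($mode -eq 'Enable' -and $listening.Count -eq 0) {
        Write-Host 'Matches the bulletin default-configuration assumption: no exposure via listening services.'
    } else {
        Write-Host 'Does NOT match the default-configuration assumption: treat this host as exposed to MS09-048.'
    }
}

Test-MS09048Exposure
```

On most networked XP boxes the listing will not be empty (RPC on 135 and the SMB ports are the usual suspects), which is the whole point of the argument above.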
Update 1:00pm: I can also confirm that there are no patches at all for XP systems relating to MS09-048 in WSUS or Windows Update. This could mean a few things. Maybe XP is not affected at all (but why the asterisk?). Maybe no patch was ready (of course, this could mean Microsoft just indirectly released their own 0day once what was released is reversed). Or maybe something screwed up. But the bulletin certainly reads like XP is potentially vulnerable if you, god forbid, expose listening services.
Update 1:37pm: Fabs has released details on one of the DoS vulns, CVE-2009-1926.