more news on xp and ms09-048

Bejtlich has been far more active on this than I, so I’ll defer to his updates here and here.

I’ve heard from a couple of places now that reference a report from last year regarding the TCP/IP dos vuln CVE-2008-4609, for which Microsoft, Cisco, and others coordinated patch releases this week (one of the dos parts of MS09-048). This is probably accurate, since Outpost24 (Jack C. Louis, who passed away earlier this year) is credited in the Microsoft bulletin.

Here are the key points:

1. Windows XP is vulnerable to the two dos issues in MS09-048 when it has a listening service open.

2. Windows 2000 is vulnerable to the two dos issues in MS09-048, and will not be patched.

3. Windows XP currently has no MS09-048 patch, and may not get one for the same reason Windows 2000 is not getting one: the change is too big/hard/impacting to the underlying TCP/IP (NDIS) implementation.

4. So far this just deals with a vulnerability that leads to a low-cost dos attack (i.e. you don’t need 10,000 distributed systems). There may still be potential for r00t code to be developed, or for a malware payload that storms through a network and just repeatedly downs every XP/2000 box. Better yet, if you need a box rebooted as part of your attack, this could be a sure way to do it, or to get an admin’s attention so he logs into the box and you can snag some credentials while he investigates.