Microsoft Support archives - IT Trenches

Sep 14 2009   1:49PM GMT

Microsoft does not patch vulnerability for supported version of Windows



Posted by: Troy Tate

Last week brought the September edition of Microsoft's “Patch Tuesday”. The September 2009 Microsoft Security Bulletin lists a number of vulnerabilities. Microsoft held the bulletin webcast on Wednesday, September 9, to discuss the vulnerabilities and customer concerns.

One particular bulletin is creating some concerns for Microsoft Windows 2000 users. MS09-048 is a bulletin for a vulnerability in the TCP/IP stack in all currently supported versions of Windows. The bulletin describes the vulnerability:

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Even though the bulletin here describes it as potential remote code execution, the webcast focused more on the denial of service threat due to this vulnerability. Unfortunately, Microsoft has chosen not to issue a patch for Windows 2000, even though Windows 2000 is a supported version of Windows with regard to patches and security fixes. ComputerWorld gives a good amount of detail in the article “Microsoft: Patching Windows 2000 ‘infeasible’”. Dark Reading published “Microsoft, Cisco Issue Defenses For TCP Denial-Of-Service Attack”, and The Register published “Microsoft, Cisco issue patches for newfangled DoS exploit”.

I know that there is a reasonable population of Windows 2000 machines in operation at my organization. So, this choice by Microsoft to not issue a patch for this vulnerability raises some concerns. Fortunately the vulnerable population is not publicly exposed and does not have mobile users. The layered defenses we have in place should help mitigate the risks to our environment. However, the risk is still there and the threat needs to be addressed. What other vulnerability will come out that Microsoft chooses not to address in a supported operating system? Are you facing the same situation in your environment? How large is the risk to your environment? What are you doing to address these threats? Why are you doing what you are doing? Share your thoughts with other ITKE readers.

Thanks for reading & let’s continue to be good network citizens.

Mar 10 2009   8:43PM GMT

Did you see this? - Microsoft Team Blogs - BlogMS



Posted by: Troy Tate

BlogMS consolidates a large number of highly relevant and up-to-date information sources across the Microsoft product and online services portfolio.  You can expect to find important Microsoft announcements, news, product releases, service packs, updates, and important support issues.

All blogs are grouped into logical categories, so you can quickly skim the entire document and find the most relevant information which is important to you.

You can find the February posting here:

http://blogs.technet.com/blogms/archive/2009/03/02/blogms-monthly-articles-published-in-february-2009.aspx

Monthly Report - 214 Microsoft Team blogs searched, 876 new articles found in 152 blogs between the 1st February 2009 and 28th February 2009.

Get some good scoop at BlogMS!

Thanks for reading & let’s continue to be good network citizens.


Mar 5 2009   9:18PM GMT

Microsoft announces a Support Lifecycle Informational Update newsletter



Posted by: Troy Tate

Microsoft has created a new resource for customers - the Microsoft Support Lifecycle Informational Update.  This quarterly newsletter highlights current information regarding the support of Microsoft products and includes:

·   News and information on the Support Lifecycle policy and programs
·   Key products currently transitioning to different phases of the Support Lifecycle
    o   Mainstream Support to Extended Support
    o   Extended Support to Non-Support
    o   Mainstream Support to Non-Support
    o   Service packs going out of support
·   A three-year calendar of Microsoft products and where they are in the Support Lifecycle
·   Resources and links to additional information

Understanding where your products are in the Support Lifecycle will help you plan your IT environment, including product upgrades and migrations. It will also enable you to better understand what you can do to keep your products supported, such as transitioning to new service packs or exploring existing alternatives to the end of support.

To subscribe to the quarterly newsletter follow this link:  https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=98973176-f0b1-4f60-957d-5936c3b933c0&lcid=1033

Microsoft will not use or sell your contact information for any purpose other than to send you the Microsoft Support Lifecycle Informational Update.  Your information will remain private and secure.  You can review the Microsoft Privacy Policy at http://privacy.microsoft.com.

You can also learn more about the Support Lifecycle by visiting http://support.microsoft.com/lifecycle.