September 10, 2009, 4:00 PM — Windows is insecure. That's a given. But Microsoft does issue monthly security patches (the first Tuesday of every month, on Patch Tuesday) for many of Windows' security problems. Now, however, there's a new security problem in Windows XP's TCP/IP networking that Microsoft has deliberately decided to leave unfixed.
According to Microsoft's Security Bulletin MS09-048, Microsoft has released a patch for "several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service."
That's the fancy way of saying a hacker can take your computer over with this vulnerability. Listening services are just what you might think: software programs, like a Web server, that wait for a network connection before they do whatever their job is. Now, Microsoft has fixed this... for Vista and Windows Server 2003 and 2008. But if you use XP or Windows 2000, you're out of luck.
The company claims that it can't fix it in 2000 because it would "require re-architecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component." Really? TCP/IP? The bread of the bread and butter network sandwich can't be fixed? Excuse me if I'm a little doubtful about this claim.
Fine, Windows 2000 is only used by slightly less than 1% of desktop users these days, according to Net Applications' Market Share Web browser use survey. What's a million or two users left unprotected? Nothing!
But XP? Excuse me, Microsoft is still selling XP, and it's used by not quite 72% of all Web-browsing users. Aren't a few hundred million users worth protecting?
Nope. Not by Microsoft's lights. Microsoft claims "By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. The denial of service attacks require a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP."
Really? When XP users are always just one malware-bearing e-mail away from a bug that uses IRC (Internet Relay Chat) or some other listening service to get their PC into mischief?
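Microsoft's "Low" rating for XP rests on one assumption: that nothing on the box is listening through the client firewall. The script below is an added example, not code from the column or from Microsoft, that lets an administrator check that assumption on a given machine by parsing `netstat -ano` output into a list of network-reachable TCP listeners with their PIDs. The sample output embedded in it is constructed for illustration (the column layout matches `netstat -ano` on XP/2003), and the IRC port check at the end is an assumed heuristic based on the conventional port 6667, not anything the column specifies.

```python
"""Enumerate listening services from Windows `netstat -ano` output.

Added example (not from the original column). The sample below is
constructed; on a real XP/2003 box the script runs `netstat -ano` itself.
"""
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (same column layout as XP/2003).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1640
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1052       10.0.0.7:6667          ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")
IRC_PORTS = {6667}  # assumption: conventional IRC port, used only as an illustrative heuristic


@dataclass(frozen=True)
class Socket:
    proto: str        # "TCP" or "UDP"
    local_addr: str   # address the socket is bound to
    local_port: int
    remote: str       # "addr:port" of the peer, or "*:*" for UDP
    state: str        # e.g. "LISTENING"; empty for UDP, which has no state column
    pid: int


def parse_netstat(text):
    """Parse `netstat -ano` text into Socket records, skipping headers."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]   # TCP rows carry a state column
        else:
            state, pid = "", parts[3]         # UDP rows go straight to the PID
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 brackets
        sockets.append(Socket(proto, addr, int(port), remote, state, int(pid)))
    return sockets


def network_reachable_listeners(sockets):
    """TCP listeners bound to something other than loopback, i.e. reachable
    from the network and therefore the ones the firewall must account for."""
    return [s for s in sockets
            if s.proto == "TCP" and s.state == "LISTENING"
            and not s.local_addr.startswith(LOOPBACK_PREFIXES)]


def remote_connections_by_port(sockets, ports):
    """Established TCP connections whose peer port is in `ports`; a cheap
    way to spot, for example, unexpected IRC sessions from a workstation."""
    hits = []
    for s in sockets:
        if s.proto == "TCP" and s.state == "ESTABLISHED":
            _, _, rport = s.remote.rpartition(":")
            if rport.isdigit() and int(rport) in ports:
                hits.append(s)
    return hits


def report(text):
    """Human-readable summary; returns the listener list for callers too."""
    sockets = parse_netstat(text)
    listeners = network_reachable_listeners(sockets)
    print("Network-reachable TCP listeners (these need a firewall decision):")
    for s in listeners:
        print(f"  {s.local_addr}:{s.local_port:<6} PID {s.pid}")
    for s in remote_connections_by_port(sockets, IRC_PORTS):
        print(f"  note: PID {s.pid} has an established connection to {s.remote} (IRC port)")
    return listeners


if __name__ == "__main__":
    if sys.platform == "win32":
        # Live run: same columns as the constructed sample above.
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    report(text)
```

On a real XP machine the listener list should be cross-checked against `netsh firewall show config` (the "Open ports" and "Allowed programs" sections), since a listener that the firewall blocks is exactly the case Microsoft's mitigating factor relies on; a listener that the firewall permits is the case it does not cover.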