Is Microsoft abandoning XP security updates?
Windows is insecure. That's a given. But Microsoft does issue monthly security patches (the first Tuesday of every month, Patch Tuesday) for many of Windows' security problems. Now, however, there's a new security problem in Windows XP's TCP/IP networking that Microsoft has deliberately decided to leave unfixed.
According to Microsoft's Security Bulletin MS09-048, Microsoft has released a patch for "several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service."
That's the fancy way of saying a hacker can take your computer over with this vulnerability. Listening services are just what you might think. They're software programs, like a Web server, that wait for a network connection before they do whatever their job is. Now, Microsoft has fixed this... for Vista and Windows Server 2003 and 2008. But, if you use XP, or Windows 2000, you're out of luck.
The company claims that it can't fix it in 2000 because it would "require re-architecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component." Really? TCP/IP? The bread of the bread and butter network sandwich can't be fixed? Excuse me if I'm a little doubtful about this claim.
Fine, though, Windows 2000 is only used by slightly less than 1% of desktop users these days, according to Net Applications' Market Share Web browser use survey. What's a million or two users left unprotected? Nothing!
But XP? Excuse me, Microsoft is still selling XP, and it's used by not quite 72% of all Web-browsing users. Aren't a few hundred million users worth protecting?
Nope. Not by Microsoft's lights. Microsoft claims "By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. The denial of service attacks require a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP."
Really? When XP users are always just one malware-bearing e-mail away from having a bug that uses IRC (Internet Relay Chat) or some other listening service to get their PCs into mischief? Or, say, a user is using BitTorrent (http://www.bittorrent.com/) or some other P2P (peer-to-peer) program, which also uses listening services, to share files?
I'm sorry. I don't believe for a New York minute that this bug is so insignificant that Microsoft can just ignore it. I'll tell you what I think is really going on here. I think Microsoft doesn't want to go to the trouble of securing XP when it would much, much rather have you upgrade, or try to upgrade anyway, to Windows 7.
Microsoft barely makes any money on XP sales, and it doesn't make a penny from updating it. If they can skip spending the money on fixing what they claim is a minor XP problem, why not? After all, it will let them claim that Windows 7 is more secure than XP, so that will be another reason for you to 'upgrade' to Windows 7.
Oh, that reminds me. Windows 7 and networking? Microsoft has just confessed to having a killer security hole in SMB (Server Message Block) 2, part of the fundamental Microsoft network file- and print-sharing protocol, that lets attackers knock out and/or hijack Vista, Server 2008, and the Windows 7 release candidates. What it doesn't do, though, is successfully attack Windows XP or 2000.
Oh, the irony! You know, folks, just a reminder: you can still switch to the far safer desktop Linux operating systems or get a Mac.