Microsoft late last week said it won't patch Windows XP for a pair of bugs it quashed September 8 in Vista, Windows Server 2003 and Windows Server 2008.
The news adds Windows XP Service Pack 2 (SP2) and SP3 to the no-patch list that previously included only Windows 2000 Server SP4.
"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.
"An update for Windows XP will not be made available," Stone and fellow programme manager Jerry Bryant said during the Q&A portion of the Webcast (transcript here).
Last Tuesday, Microsoft said that it wasn't patching Windows 2000 because creating a fix was "infeasible."
The bugs in question are in Windows' implementation of TCP/IP, the web's default suite of connection protocols. All three of the vulnerabilities highlighted in the MS09-048 update were patched in Vista and Server 2008. Only two of the trio affect Windows Server 2000 and Windows XP, Microsoft said in the accompanying advisory, which was refreshed on Thursday.
In the revised advisory, Microsoft explained why it won't patch Windows XP, the world's most popular operating system . "By default, Windows XP SP2, Windows XP SP3 and Windows XP Professional x64 Edition SP2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability," the company said. "Windows XP SP2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the internet or from neighbouring network devices on a private network."
Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."
Microsoft rated the vulnerabilities on Windows 2000 and XP as "important" on Windows 2000, and as "low" on XP. The company uses a four-step scoring system, where "low" is the least-dangerous threat, followed in ascending order by "moderate", "important" and "critical".
The same two bugs were ranked "moderate" for Vista and Server 2008, while a third — which doesn't affect the older operating systems — was rated "critical".
During the Q&A, however, Windows users repeatedly asked Microsoft's security team to explain why it wasn't patching XP, or if, in certain scenarios, their machines might be at risk. "We still use Windows XP and we do not use Windows Firewall," read one of the user questions. "We use a third-party vendor firewall product. Even assuming that we use the Windows Firewall, if there are services listening, such as remote desktop, wouldn't then Windows XP be vulnerable to this?"
"Servers are a more likely target for this attack, and your firewall should provide additional protections against external exploits," replied Stone and Bryant.
Another user asked them to spell out the conditions under which Microsoft won't offer up patches for still-supported operating systems. Windows Server 2000 SP4, for example, is to receive security updates until July 2010; Windows XP's support doesn't expire until April 2014.
Stone's and Bryant's answer: "We will continue to provide updates for Windows 2000 while it is in support unless it is not technically feasible to do so."
Skipping patches is very unusual for Microsoft. According to a Stone and Bryant, the last time it declined to patch a vulnerability in a support edition of Windows was in March 2003 , when it said it wouldn't fix a bug in Windows NT 4.0. Then, it explained the omission with language very similar to what it used when it said it wouldn't update Windows 2000.
"Due to these fundamental differences between Windows NT 4.0 and Windows 2000 and its successors, it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability," Microsoft said at the time.