Wednesday, 09 September 2009

MS09-048 on Windows XP: Too Hard to Fix

This is a follow-up to "MS09-048 is Microsoft's Revenge Against XP in the Enterprise." Everyone is talking about how Windows 2000 will not receive a patch for MS09-048:

If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?

The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system.


Let's think about that for a minute. Vista's TCP/IP stack is the Next Generation TCP/IP Stack. This means XP shares at least some of the TCP/IP stack of Windows 2000. Microsoft (as noted in my last post) didn't patch XP because it said the client firewall mitigated the problem, as long as you don't expose any ports -- not because XP is invulnerable. From what we can gather, XP is at least vulnerable to the two DoS flaws (TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926).

In other words, patching Windows XP is also architecturally "infeasible."

This appears to be more than a theory. Just about the only straight answer I could get from a Microsoft rep this evening was the answer that MS09-048 is too hard to fix on XP, just like it was too hard to fix on 2000.

I think it's time to tell Microsoft this situation is not acceptable.
