Windows XP's vulnerability underscored by latest Patch Tuesday update

Penultimate patches as clock reaches 11.59pm

Microsoft's latest Patch Tuesday features a raft of fixes for flaws in Windows XP, something that bodes ill for hold-out users determined to stick with the OS, experts have warned.

Windows XP's end-of-life (EOL) cut-off is less than a month away and still the vulnerabilities keep coming, with all five bulletins, MS14-012 to MS14-016, touching XP in some way.

The most important by far is MS14-012, a family of 18 remote execution flaws that affect all versions of XP running Internet Explorer from the ancient IE6 on to IE11 on Windows 8.1. It also fixes the non-XP IE10 zero-day issue (CVE-2014-0322) disclosed by security firm FireEye last month and used by the 'Operation Snowman' cyberattackers.

MS14-013, the second remote execution flaw rated 'critical', affects all versions of Windows, leaving the merely 'important' MS14-015 and MS14-016 affecting various versions of Windows, including XP of course; MS14-014 fixes a privately reported flaw in Silverlight 5.

Although this counts as a light Patch Tuesday, the fact remains that it will be the second-to-last security patch XP users will ever receive from Microsoft, something security experts commented on.

"We are now less than 28 days away from the final set of patches that XP will receive. Nevertheless, we are not seeing a reduction in vulnerabilities," said Qualys CTO, Wolfgang Kandek.

"All of today's bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will apply also to Windows XP, but IT admins won't have access to patches for these problems anymore.

"This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available," he said.

Sources disagree on the scale of the XP installed base, but Qualys's numbers (which are skewed towards large enterprises) suggest that it will still be around 10 percent by 'end of life day' on 8 April.

Kandek recommended that admins determined to plough on with XP investigate Microsoft's EMET 5 (Enhanced Mitigation Experience Toolkit), which offered a way of locking down XP to some extent.

Separately, US-CERT has recommended that anyone using XP beyond next month consider ditching Internet Explorer 6, 7 and 8 in favour of a third-party browser, good advice given the level of exposure demonstrated by March's patches; browsers such as Chrome and Firefox will continue to be patched for at least a year beyond EOL.

Such is the scale of the often-pirated XP installed base in China that Microsoft recently announced it would make an exception and continue to support it through partners, though it did not go into detail as to how that will be delivered. The company also noted that 70 percent of Chinese users had never installed a single security update for XP.

XP's support ends in April but the story of its security woes will go on, possibly for many years. XP won't be completely forgotten inside Microsoft, however. The firm recently celebrated the effect XP's rapid security re-engineering had on the company a decade ago on its Security Development Lifecycle (SDL) website.

Stories by John E Dunn
