Patch Tuesday this month comes with nine security bulletins and one security-related reminder – Windows XP is a year away from its end-of-life.
On April 8, 2014, Microsoft will no longer provide security updates for Windows XP, which remains one of the most widely used versions of the operating system. According to Net Applications, roughly 39 percent of Windows users are running XP.
“Of course, Windows XP leaving support doesn’t mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system.”
Windows XP was originally released in October 2001, meaning that by 2014 that version of the operating system will be more than 12 years old, noted security blogger Joshua Long in a post on Sophos’ Naked Security blog.
“Rarely does any operating system continue to receive security patches for so many years,” Long blogged. “Numerous security improvements have been introduced in every subsequent version of Windows. If you’re concerned about security and you’re still using Windows XP, it’s time to move on.”
Beyond upgrading operating systems, Microsoft is also urging customers to apply the latest round of patches issued today. Of the nine security bulletins, two are rated ‘critical’ and seven are rated ‘important.’ The two critical bulletins address issues in Internet Explorer and in the Windows Remote Desktop Client ActiveX control. In both cases, the vulnerabilities can be exploited by attackers to execute code remotely, provided they can convince victims to visit a specially crafted website.
“Even today’s IE bulletin, the usual candidate for the ‘patch immediately’ award, only has an exploit index rating of two — indicating that Microsoft believes building a successful attack in the next 30 days will be difficult,” said Andrew Storms, director of security operations at nCircle.
“The second critical bug, a vulnerability in the ActiveX controls for the remote desktop client, presents a more interesting attack scenario,” he said. “Fortunately, there are enough mitigating circumstances to make it less problematic for most businesses. The bug does not affect the latest RDP client, version 8, which dramatically reduces the affected number of machines. Microsoft has released mitigation steps to disable the affected ActiveX control. Also, if your users browse with default IE settings, they will be presented the ‘gold bar’ warning providing them with an opportunity to opt out of an attack.”
The remaining bulletins address vulnerabilities in Microsoft Office, Windows Defender, Microsoft Server Software and Windows. Five of the seven deal with privilege escalation issues, while the remaining two address a denial-of-service vulnerability and an information disclosure issue.
Not addressed in this release are the issues exploited during the Pwn2Own contest at CanSecWest earlier this year. According to Childs, Microsoft is not aware of any attacks exploiting the issues raised by the researchers at the contest.
In addition to the Microsoft vulnerabilities, Adobe Systems issued an update for ColdFusion, Flash Player and Shockwave Player. According to Adobe, none of the bugs are currently being exploited in the wild.