Microsoft’s latest Patch Tuesday features a raft of fixes for flaws in Windows XP, something that bodes ill for hold-out users determined to stick with the OS, experts have warned.
Windows XP’s end-of-life (EOL) cut-off is less than a month away and still the vulnerabilities keep coming, with all five bulletins, MS14-012 to MS14-016, touching XP in some way.
The most important by far is MS14-012, a family of 18 remote code execution flaws affecting every version of Internet Explorer, from the ancient IE6 on Windows XP through to IE11 on Windows 8.1. It also fixes the non-XP IE10 zero-day (CVE-2014-0322) disclosed by security firm FireEye last month and used by the ‘Operation Snowman’ cyberattackers.
MS14-013, the second remote code execution flaw rated ‘critical’, affects all versions of Windows, leaving the merely ‘important’ MS14-015 and MS14-016 affecting various versions of Windows, including XP of course; MS14-014 fixes a privately reported flaw in Silverlight 5.
Despite this counting as a light Patch Tuesday, the fact remains that it is the second-to-last security patch XP users will ever receive from Microsoft, something security experts were quick to comment on.
“We are now less than 28 days away from the final set of patches that XP will receive. Nevertheless, we are not seeing a reduction in vulnerabilities,” said Qualys CTO, Wolfgang Kandek.
“All of today's bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will apply also to Windows XP, but IT admins won't have access to patches for these problems anymore.
“This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available,” he said.
Sources disagree on the scale of the XP installed base, but Qualys’s numbers (which are skewed towards large enterprises) suggest that it will still be around 10 percent by 'end of life day' on 8 April.
Kandek recommended that admins determined to plough on with XP investigate Microsoft’s EMET 5 (Enhanced Mitigation Experience Toolkit), which offered a way of locking down XP to some extent.
Separately, US-CERT has recommended that anyone using XP beyond next month consider ditching Internet Explorer 6, 7 and 8 in favour of a third-party browser, good advice given the level of exposure demonstrated by March’s patches; browsers such as Chrome and Firefox will continue to be patched for at least a year beyond EOL.
Such is the scale of the often-pirated XP installed base in China that Microsoft recently announced it would make an exception and continue to support it through partners, without going into detail as to how that will be delivered. The company also noted that 70 percent of Chinese users had never installed a single security update for XP.
XP’s support ends in April but the story of its security woes will go on, possibly for many years. XP won't be completely forgotten inside Microsoft, either: the firm recently celebrated, on its Security Development Lifecycle (SDL) website, the effect XP’s rapid security re-engineering had on the company a decade ago.