Patch Tuesday – no critical updates for XP…then Microsoft adds two XP fixes after all


Here’s a quick run-down of what you’ll face in the February 2014 Patch Tuesday update from Microsoft, which comes out tomorrow.

There are just five bulletins this month, with two of them critical.

But there’s a giant irony in Bulletin One, listed simply as a Microsoft Windows update.

It’s a remote code execution hole in all non-Server core versions of Windows, except for Windows XP. (You are allowed to smile at this point, but please don’t laugh.)

Update. As commenter Jimmy Braden points out below, Microsoft just added two more bulletins. Both are critical, and patch remote code execution holes. And, wouldn’t you just know it, both patches are critical on XP. The first is an Internet Explorer update that affects all supported versions, from IE 6 to IE 11; the second is a Microsoft Windows update that applies all the way from XP, through Server Core installations, to 8.1 and Server 2012. [Added 2014-02-10T20:20Z.]

We’ve been advising you for some time to get your operating system upgrade done in time for the official end of XP security updates in April 2014.

One of the concerns we’ve raised is that from May 2014 onwards, vulnerabilities patched in Windows 7 and 8 may actually act as “exploit beacons” to the crooks, on the grounds that many holes found in Windows 7 and Windows 8 trace back to bugs that have been around since the days of XP.

In other words, by matching up the now-fixed code in Windows 7 with the equivalent but buggy code left in Windows XP, attackers might get a sort of “free pass” into XP computers.

But if May’s updates are like February’s, all the insecurity recidivists who have failed to updgrade from XP will be saying, “See, we told you it wouldn’t be so bad.”

→ Don’t forget, of course, that from May 2014 onwards, you won’t actually know whether the bugs patched in Windows 7 and 8 can be backported to XP or not, because there won’t be any patch information about XP in the first place.

Bulletin Two is a must-patch for users of Microsoft Forefront for Exchange, which has a remote code execution vulnerability that could turn software that’s supposed to be a security asset into a liability.

The last three bulletins, all rated Important, round out the four main vulnerability types, being respectively an elevation of privilege, an information disclosure and a denial of service hole.

Here’s more on understanding these main sorts of vulnerability:

(Audio player not working? Listen on Soundcloud.)

All Windows versions are affected by at least one of these non-critical holes, including XP, Vista, 7, 8, 8.1, Server Core and RT.

Only Bulletin Five, the denial of service bug, is listed as “requires restart,” which means one less excuse than usual for not patching your clients and servers against the other four holes.

And, before you go, repeat after me, “The lack of XP critical holes this month is not an argument that XP is OK after all!”

Here’s why:

(Audio player not working? Listen on Soundcloud.)