Patch Tuesday - no critical updates for XP...then Microsoft adds two XP fixes after all


Here's a quick run-down of what you'll face in the February 2014 Patch Tuesday update from Microsoft, which comes out tomorrow.

There are just five bulletins this month, with two of them critical.

But there's a giant irony in Bulletin One, listed simply as a Microsoft Windows update.

It's a remote code execution hole in all non-Server core versions of Windows, except for Windows XP. (You are allowed to smile at this point, but please don't laugh.)

Update. As commenter Jimmy Braden points out below, Microsoft just added two more bulletins. Both are critical, and patch remote code execution holes. And, wouldn't you just know it, both patches are critical on XP. The first is an Internet Explorer update that affects all supported versions, from IE 6 to IE 11; the second is a Microsoft Windows update that applies all the way from XP, through Server Core installations, to 8.1 and Server 2012. [Added 2014-02-10T20:20Z.]

We've been advising you for some time to get your operating system upgrade done in time for the official end of XP security updates in April 2014.

One of the concerns we've raised is that from May 2014 onwards, vulnerabilities patched in Windows 7 and 8 may actually act as "exploit beacons" to the crooks, on the grounds that many holes found in Windows 7 and Windows 8 trace back to bugs that have been around since the days of XP.

In other words, by matching up the now-fixed code in Windows 7 with the equivalent but buggy code left in Windows XP, attackers might get a sort of "free pass" into XP computers.

But if May's updates are like February's, all the insecurity recidivists who have failed to upgrade from XP will be saying, "See, we told you it wouldn't be so bad."

→ Don't forget, of course, that from May 2014 onwards, you won't actually know whether the bugs patched in Windows 7 and 8 can be backported to XP or not, because there won't be any patch information about XP in the first place.

Bulletin Two is a must-patch for users of Microsoft Forefront for Exchange, which has a remote code execution vulnerability that could turn software that's supposed to be a security asset into a liability.

The last three bulletins, all rated Important, round out the four main vulnerability types, being respectively an elevation of privilege, an information disclosure and a denial of service hole.

Here's more on understanding these main sorts of vulnerability, in the embedded audio (also available on Soundcloud).

All Windows versions are affected by at least one of these non-critical holes, including XP, Vista, 7, 8, 8.1, Server Core and RT.

Only Bulletin Five, the denial of service bug, is listed as "requires restart," which means one less excuse than usual for not patching your clients and servers against the other four holes.

And, before you go, repeat after me, "The lack of XP critical holes this month is not an argument that XP is OK after all!"

Here's why, in the embedded audio (also available on Soundcloud).


13 Responses to Patch Tuesday - no critical updates for XP...then Microsoft adds two XP fixes after all

  1. Texas ISO · 607 days ago

    >It's a remote code execution hole in all non-Server core versions of Windows, except for Windows XP.

    Actually, that is not completely correct. Vista and Server 2008 are also not affected.

    Windows Vista
      Bulletin Identifier:                        Bulletin 1
      Aggregate Severity Rating:                  None
      Windows Vista Service Pack 2:               Not applicable
      Windows Vista x64 Edition Service Pack 2:   Not applicable

    Windows Server 2008
      Bulletin Identifier:                                          Bulletin 1
      Aggregate Severity Rating:                                    None
      Windows Server 2008 for 32-bit Systems Service Pack 2:        Not applicable
      Windows Server 2008 for x64-based Systems Service Pack 2:     Not applicable
      Windows Server 2008 for Itanium-based Systems Service Pack 2: Not applicable

  2. Andrew · 607 days ago

    If XP is being terminated, what is the point of the fixes? There is no point; everyone will be moving to Windows 7 or Windows 8 or some other operating system. Personally I believe Windows has shot itself in the foot and won't be as popular as it once was.

    • Paul Ducklin · 606 days ago

      XP isn't "being terminated." (This isn't iOS :-) But support is ceasing, and with it the provision of security fixes.

      That's the problem...lots of people are still using XP, and many of those don't intend to move to 7 or 8. So they will stick with an OS that is decreasingly good for them in particular and the ecosystem as a whole.

      So I suspect that some of these insecurity recidivists, if I might quote myself, will look at this month's patches and say, "The rumours of XP getting more dangerous are greatly exaggerated...see, XP was the *safe* one this month."

  3. Why do you say Windows Server 2003 will not get updates after May 2014?
    It will.

  4. Amy · 606 days ago

    Just waiting for my work to get the hint. Perhaps after our HEALTHCARE COMPANY is hacked and PERSONAL HEALTH INFORMATION is stolen, they will upgrade the rest of our machines. dingbats.

  5. jimmy braden · 606 days ago

    MS just added two more bulletins for Feb. One is for all current workstation operating systems and applies to all Internet Explorer versions.

    • Paul Ducklin · 606 days ago

      So they did! And that Bulletin One, it seems, has suddenly turned into a "Windows and IE" fix, so it seems it *does* apply to XP after all, as IE 6 to 11 are affected.

      So my article was correct when I wrote it, but is now, sadly, off the mark.

      Oh, well. I guess my claim that "XP *is* dodgy, believe me" is no longer in even the tiniest doubt :-)

  6. Anonymous · 606 days ago

    Well, as reported recently, sales of XP have risen in January compared to Windows 8 sales declining... Microsoft are surely thinking twice about "what the customer wants the customer gets", or we vote with our purchasing power.

  7. cdg · 605 days ago

    XP is a far superior OS to Windoze 7 and 8. Everything in the latter two takes far more effort for the same result, uses twice the disk and memory resources, and provides absolutely no benefit of note. Equally important, Windoze 7 and 8 will not run a huge number of programs that run quite well on XP. Would you replace your house in order to obtain a new mailbox? That is what M$ wants us to do every time they come up with a new version of Windoze. I'll find another solution to the security risks of M$ operating systems than to downgrade to an inferior OS.

  8. Peter Jones · 605 days ago

    Whilst I take in all you are saying about XP I will not be upgrading to any other Windoze version at all. I will carry on using XP for around a year or so, maybe more, whilst I work on my options. I only use a limited number of sites, have good security and now really only use Chrome Browser which is great. Chrome will support XP for at least 12 months, I believe?

    I have downloaded UBUNTU to my grandson's lappy and we are evaluating it. So far it's very good, BUT I do want to look at other operating systems before I take the leap. There is another not released yet, I have forgotten its name but it is in my "Hard Book"; looks like it could be promising.

    I will not be forced to change by Windoze threats as their only interest is $$$$'s, there are a huge number of XP users who will carry on as I will. I rather think that big as they are Windoze have really chopped off their own legs as people WILL go elsewhere.

    PS. Paul, I do appreciate the dangers but I just cannot afford Windoze upgrade anyway and would not have it if I could. Can they try to make something simple without all the bells and whistles that are not used and make the system more vulnerable anyway???

    • Paul Ducklin · 605 days ago

      I'm not sure it's fair to say that Microsoft's only interest is in the money. Love 'em or hate 'em, the company *has* put a lot of time and effort (and money) into making the newer version of Windows more secure. And part of that additional security involves doing things in a way that isn't easy (in fact, isn't really possible) to retrofit into Windows.

      Making a 1960s car as safe as a modern vehicle would cost you far more than the new vehicle...and you'd still have a car that was old and much less fuel efficient. Cars make bad analogies for computer systems, I know, but this one isn't *too* far off :-)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog