Tuesday, 08 April 2014 – do you remember what you were doing on that day?
If you’re a sysadmin, you probably do: it was the day on which Windows XP received its last-ever security update and then fell out of support for ever, unless you had a special contract lined up.
Even back then, we’d already had seven years of warning and plenty of time to decide how to deal with the situation, so you might have thought that would be that…
…but it wasn’t XP’s last security update after all.
So many users and organisations were still so stuck in the XP rut that Microsoft relented just a few weeks later, publishing yet another “goodbye, farewell and Amen” update for XP at the start of the next month.
That update-after-the-last-ever-update, in May 2014, dealt with a zero-day bug (CVE-2014-1776) in Internet Explorer that not only affected all versions from IE 6 to IE 11, but also turned up in the wild, used by crooks in what Microsoft referred to at the time as “limited targeted attacks”.
Microsoft therefore did the world a favour – and that’s what it was, no matter how you look at it – by retrofitting the patch for XP and making the update available to everyone.
And that’s how the world of XP security patches remained until last month, when the WannaCry ransomware worm hit.
WannaCry was a ransomware attack that automatically wormed its way across the internet by exploiting a vulnerability in SMBv1, the Windows file sharing protocol.
Even though the bug behind WannaCry was patched for supported Windows versions in March 2017, a working exploit for it was published in April 2017 by a hacking crew calling itself Shadow Brokers, and the self-spreading WannaCry malware followed in May.
Anyone who hadn’t patched was in theory at risk – including XP users, who couldn’t have patched even if they’d wanted to, because XP hadn’t had any security updates since CVE-2014-1776, three years earlier.
As a result, Microsoft decided to provide a patch against the WannaCry hole even for long-unsupported platforms, including Windows XP and Server 2003.
Well, here comes another one – or, rather, here comes another bunch of patches for XP and other superseded Microsoft products, closing yet more security holes that were made public by Shadow Brokers along with the exploit used by the creators of WannaCry.
As Microsoft puts it:
We have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are new, and some are for older platforms under custom support agreements, that we are making publicly available today. […] For customers managing updates, or those on older platforms, we encourage them to apply these updates as soon as possible.
Unsupported Windows versions that have just received fixes are: Windows XP, Windows Vista, Windows 8, Windows Server 2003, and Windows Server 2003 R2.
We still feel very strongly that you should have left XP and Server 2003 behind years ago, given that newer Windows versions contain a wide range of security mitigations that simply can’t be retrofitted to older versions.
But if you still haven’t got around to replacing your out-of-support versions, don’t forget that this month brings you a blast from the past: old-school Patch Tuesday updates.
It’s a long time since there was a Patch Tuesday for XP and 2003, so dust off your old notes, remind yourself how to do it, and get busy!
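If your old notes have gone missing, here is an added example (not from the original article, and not Microsoft’s own tooling) of the check an admin would run after patching: a PowerShell snippet that lists the installed hotfixes through WMI and reports which of a given set of updates, identified by KB number, are missing. It assumes PowerShell 2.0, which Microsoft made available for XP SP3 and Server 2003, and uses the Win32_QuickFixEngineering class that exists on those platforms. The KB list is a placeholder: take the real KB numbers for your platform from Microsoft’s bulletin for these updates.

```powershell
# Added example, not from the original article.
# Reports which of a set of Microsoft updates (by KB number) are installed,
# using the Win32_QuickFixEngineering WMI class (present on XP/2003 and later).
# Get-WmiObject is available in PowerShell 2.0, which runs on XP SP3 and Server 2003.

# PLACEHOLDER (assumption): replace with the KB numbers Microsoft lists for your platform.
$requiredKBs = @('KB0000000', 'KB0000001')

# Identify the box so the report is meaningful when collected from many machines.
$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Output ("{0} ({1}) on {2}" -f $os.Caption, $os.Version, $env:COMPUTERNAME)

# HotFixID is reported as e.g. 'KB4012598'; older entries may use 'Q' numbers,
# so compare case-insensitively against exactly what the bulletin lists.
$installed = Get-WmiObject -Class Win32_QuickFixEngineering |
    ForEach-Object { $_.HotFixID.ToUpper() }

$missing = @()
foreach ($kb in $requiredKBs) {
    if ($installed -contains $kb.ToUpper()) {
        Write-Output ("{0} : installed" -f $kb)
    } else {
        Write-Output ("{0} : MISSING" -f $kb)
        $missing += $kb
    }
}

# Non-zero exit code lets a login script or scheduled task flag unpatched machines.
if ($missing.Count -gt 0) {
    Write-Output ("Unpatched: {0}" -f ($missing -join ', '))
    exit 1
}
exit 0
```

Run it from an elevated PowerShell prompt after Windows Update (or the manually downloaded installer) reports success; a non-zero exit status means at least one of the listed updates is not present, usually because the machine still needs a reboot or the installer failed silently.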