February advance notification: A pleasant surprise

When last month brought us only four security bulletins from Microsoft, mixed with the sighs of relief were whispers of trepidation. Past experience has shown that such light months are often – though not always – followed by a deluge of patches the next month. Well, IT pros can breathe more easily this time. We’ve dodged the bullet again, with only five bulletins coming out next week on February’s Patch Tuesday.

It’s an eclectic mixture, consisting of two remote code execution vulnerabilities, both of which are rated critical, an elevation of privilege vulnerability, an information disclosure vulnerability and a denial of service vulnerability. The latter three are all rated “important.”

Four of the five affect Windows operating systems. Bulletins 3 and 4 affect all supported versions of Windows – XP, Vista, Windows 7, Windows 8/8.1, RT, and Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including server core installations. Bulletin 1 affects Windows 7/Server 2008 R2 and later operating systems, but not XP, Vista, Server 2003 or 2008. Bulletin 5 affects Windows 8/8.1, RT and Server 2012/2012 R2, including server core installations. Bulletin 2 affects Microsoft Forefront Protection 2010 for Exchange Server.

Despite the fact that we’re seeing so few patches thus far in this new year, SC Magazine reported earlier this week that the Skybox Security vulnerability database shows Microsoft to be the software vendor with the largest number of critical vulnerabilities. Note the word “critical,” as Oracle (which released a whopping 144 updates last month) leads in the overall number of vulnerabilities of all ratings. It’s not a particularly relevant observation, though, given that Microsoft’s products have a far larger installed base than any of the other software products to which it’s being compared.

What’s more important is that Microsoft is taking steps to reduce the number of vulnerabilities and to patch, in a timely manner, those that do get through. Reports continue to find that most of the vulnerabilities are found in third-party software, with only a small percentage of exploitable flaws being in the Windows operating systems.

It’s worth noting that this month’s patches for Windows XP are among the last that will be available for that operating system. Support ends on April 8, only two months from now. That day, which is the month’s Patch Tuesday, will mark the end of security updates for the computers still running it, which still comprise (according to NetMarketShare statistics) almost 30 percent of computers despite its advanced age.

I still see XP systems in businesses all the time, especially those running legacy line of business applications that, in many cases, won’t work (at least without extensive modification) on new operating systems. Those companies range from small 1- to 10-person operations all the way up to huge corporations. All of those unsupported machines represent a threat not just to their own networks but to those they connect to over the Internet, as they will be able to spread malware to likewise unsupported machines on other networks.

And attackers will get a bonus, because when security flaws that affect Vista, Windows 7 and 8 are fixed and the vulnerabilities that the patches address are made known, many of the same flaws will also impact Windows XP. That means the attackers don’t even have to go hunt down vulnerabilities on their own; they can just wait for them to be described in each month’s security bulletins and then try out their exploits on XP.

Remember too that XP users also won’t be able to download and install Microsoft Security Essentials anti-virus/anti-malware software after the April 8 end-of-life date, either. The good news is that Microsoft has apparently changed its mind about also cutting off MSE malware signature updates for existing installations on XP at that time, and will continue to provide those updates until July 14, 2015. Nonetheless, there comes a day when it’s time to say goodbye and for Windows XP, that day has come.

See you next Tuesday with more details on this month’s patches.