March Advance Notification: We’re on a roll

In past years, it seemed as if there was a loose pattern to Microsoft’s security update releases. We would have a light month with only a few patches and then it would be followed the next month by a deluge that had IT pros working late into the night to get them all applied. That didn’t always hold true, of course, but it happened often enough that many of us came to expect it.

So far, 2014 has broken the pattern with three light patch loads coming out on each Patch Tuesday of this first quarter. March once again brings us only five security bulletins, and only two of them are rated as “critical.”  That’s not to say you can afford to be a slacker in getting them applied, as the two critical patches fix vulnerabilities that can allow remote code execution, and we also have an elevation of privilege vulnerability and two security bypasses.

Four of these issues affect various versions of Windows, while the first also affects Internet Explorer and the fifth only impacts Microsoft Silverlight. The IE vulnerability applies to all supported versions, from IE 7 to IE 11, on operating systems ranging from XP and Server 2003 all the way up to Windows 8.1 and Server 2012 R2. Of course, server core installations are exempt, since they don’t run the web browser. Note that this is apparently not a fix for the zero day vulnerability we reported on a couple of weeks ago, which affects only versions 9 and 10 of IE (that was the one for which Microsoft posted a “fix it” workaround).

The Silverlight vulnerability is not only in the Windows version but also the Mac version of Microsoft’s “rich media” platform that competes with Adobe’s Flash (which of course is notorious for having vulnerabilities of its own). Silverlight has been losing penetration over the last few years, as more web sites have embraced the HTML 5 standard for playing video. When Netflix announced last year that they were abandoning Silverlight for HTML 5, some saw that as the death knell for the technology. Silverlight v.5 was released in 2011 and Microsoft has not come out with a new version since, although they have promised to support the browser plug-in until October 2021. Nonetheless, there are still many computers that have Silverlight installed, and these will need to be patched.

It’s also worth noting that this set of security updates will be the next-to-last for Windows XP.  There’s a word for that: penultimate – and it seems fitting for such a momentous event. The 12+ year old operating system is in the process of drawing its last breath, with support ending abruptly with next month’s April 8 updates. After that, Windows Update will no longer deliver any fixes for vulnerabilities that arise in XP-based systems.

The scary part of that is that according to NetMarketShare statistics, 29 percent of computers that connect to the Internet are still running XP at this late date, despite literally years of advance notice that this day was coming. That’s more than 1 out of every 4 computers that will suddenly be unprotected from new exploits.

It was fun while it lasted, but businesses need to take a look at their system inventories and bite the bullet and upgrade any XP computers they still have running on the corporate networks. And that’s not all. Many, many users are now connecting to work resources with their home computers and many of those are still running XP, as well.  It may be time to update your policies and set up technological safeguards to prevent telecommuters and mobile workers from accessing your production network with their home computers and laptops until they’ve upgraded to an OS that is still supported.

Meanwhile, be sure to get these last patches installed on XP machines and we’ll be back next Tuesday with more detailed info on the vulnerabilities they address.