Establishing Digital Trust: Don't Sacrifice Security for Convenience
PC administrators and security staff may feel a bit safer after Microsoft issued patches for a pair of zero-day vulnerabilities on Tuesday, as well as fixes for an additional pair of previously undisclosed security flaws.
All four vulnerabilities are rated "critical" -- the highest ranking on Microsoft's (NASDAQ: MSFT) four-tiered severity scale.
However, if technical staff were thinking that July would be a quiet month for updates, some might be feeling differently now that Microsoft has also concluded support for Windows XP Service Pack 2 (SP2).
This month's Patch Tuesday security release fixes the publicly revealed Windows Help and Support Center flaw that Microsoft says had already garnered some 10,000 attacks in the wild after it was disclosed last month by a Google security researcher.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
The security flaw is present in versions of Windows XP and Windows Server 2003, according to Microsoft's Security Bulletin.
Also fixed on Tuesday was a publicly disclosed hole in a display driver included with 64-bit versions of Windows 7 and Windows Server 2008 R2 that surfaced in mid-May, although no attacks have been associated with the vulnerability so far, Microsoft said.
The display driver vulnerability, however, is only rated critical for Windows 7; the security hole as it exists in Windows Server 2008 R2 is rated "important," which normally indicates that the user has to perform some additional action -- such as loading a file from a malware-laden site -- to become vulnerable to attack.
The third and fourth critical vulnerabilities in this month's Patch Tuesday update are fixes in Microsoft's Access database, which comes with some editions of the Office productivity suite. Affected versions of Access came in Office 2007 Service Pack 1 (SP1) and SP2, as well as in Office 2003 SP3.
Microsoft's fixes remedy two critical security flaws that both exist in the way Access handles memory when loading ActiveX controls, the Microsoft Security Bulletin for the flaw said. Neither hole was publicly-disclosed prior to release of the patch.
Support ends for Windows XP SP2
Tuesday was also the last day of extended support for Windows XP SP2, meaning that after today, SP2 users can no longer get support or security patches.
Users of XP SP3, however, are still covered until April 2014, while the venerable Windows 2000 also hit the end of the road for support on July 13. There is no Service Pack for 64-bit editions of XP, so those editions will continue to be supported.
The expiration of support for XP SP2, though, may have far-reaching effects as administrators scramble to either move SP2 PCs to Windows XP SP3, or upgrade them to Windows 7.
"Microsoft's July update is a small step for security updates, but a huge leap for enterprise security," Wolfgang Kandek, CTO at security researcher Qualys, said in an e-mail to InternetNews.com.
"Windows 2000 and Windows XP SP2 are being retired from official support today and will not receive security updates anymore. Our own internal statistics indicate that approximately 50 percent of Windows XP machines are still on the SP2 level and external surveys put the number of organizations that still depend on SP2 at 77 percent," Kandek added.
Other researchers agreed on the task ahead for admins as they adjust to the end of support for SP2.
"This may seem like a light patch month in the amount of effort required by administrators to protect their networks, but all administrators could have quite a workload as Windows 2000 and Windows XP SP2 have officially reached end-of-life support," Jason Miller, data and security team manager at security firm Shavlik Technologies, said in an e-mail to InternetNews.com.
"Unlike patching, deploying new operating systems or Service Packs can be quite an undertaking as it requires plenty of time and effort," Miller added.