This Patch Tuesday has much more significance than most. With only four security bulletins from Microsoft, it's relatively tame as far as Patch Tuesdays go, but today also marks the final patches and updates from Microsoft for Windows XP.
“So this is it, the last hurrah for the once beloved XP, the last kick at the can for patching up the old boat,” says Ross Barrett, senior manager of security engineering for Rapid7. “Sure, by today’s standards it’s a leaky, indefensible, liability, but… hey, do you even remember Windows 98? Or (*gasp*) ME?”
There are two Critical bulletins and two Important. All of them are capable of enabling remote code execution if successfully exploited.
The most urgent update is MS14-017 because one of the vulnerabilities it addresses is currently being exploited in the wild. Simply opening a malicious RTF file in Word can compromise a vulnerable system and enable the attacker to install and execute other malicious code.
The other Critical issue affects Windows XP, but it’s actually the cumulative patch for Internet Explorer (MS14-018) and impacts all versions of Internet Explorer except IE10. The update addresses six different vulnerabilities, any of which could be exploited remotely to enable an attacker to remotely execute code with the same rights and privileges as the logged in user.
The update for Windows—MS14-019—is related to a publicly disclosed vulnerability in the Windows file handling component. In order to exploit it, an attacker has to lure users into navigating to a malicious network directory and somehow trick them into executing the malicious file. “Because this requires that attackers convince users to run a specially crafted .BAT or .CMD file provided by the attacker, this bulletin is of low priority,” says Marc Maiffret, CTO of BeyondTrust.
Finally, there is MS14-020, which deals with a privately disclosed vulnerability in Microsoft Publisher. Publisher is one of the less used applications in the Microsoft Office suite, and an attacker would have to trick a user into opening a specially crafted malicious file in Publisher to exploit it, so the risk isn't too high. A successful attack will allow remote code execution with the same privileges as the logged in user, though, so there is still cause for concern.
Windows XP is going quietly, it seems. Russ Ernst, director of product management for Lumension, notes, “If the exit of Windows XP sounds a little uneventful, keep in mind that administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in.”
Regardless, future Patch Tuesdays will likely have far more significance for XP holdouts because each one will now be an opportunity for attackers to reverse engineer patches for supported versions of Windows to find the vulnerability, determine if that same flaw exists in Windows XP, and develop an exploit for it. And with no more bail-outs from Microsoft, those vulnerabilities will last forever.
If you’re one of the holdouts who refuse to surrender Windows XP, you should at least be aware of the heightened security risks. A recent post on the Microsoft Security Blog highlights the primary security concerns and provides some mitigations and precautions for those who intend to continue using the operating system.