UPDATE: a previous version of this story mistakenly stated that Microsoft’s March patch Tuesday would be the last one providing support for Windows XP. Windows XP’s last patches will in fact be shipped with next month’s patch Tuesday release.
Microsoft has finally pushed a fix for a stubborn and widely publicized Internet Explorer zero day vulnerability known to have been exploited in a number of recent attacks targeting the website of Veterans of Foreign Wars, a French aeronautical firm, and at least three other sites.
This fix is part of Microsoft’s March edition of Patch Tuesday, a five bulletin affair resolving some 23 vulnerabilities of varying severity.
The top priority this month is – of course – the cumulative update to IE. This bulletin resolves one publicly disclosed bug and 17 privately disclosed ones. On unpatched systems, these vulnerabilities could give an attacker the ability to remotely execute code if a user is compelled to visit a maliciously crafted website. Upon successful exploitation, the attacker would achieve the same rights as the victim. As always, individuals with more privileges would be more impacted by these bugs.
Among this group of vulnerabilities is the now-notorious IE zero day, which is precisely why this bulletin should be considered the highest priority for installation this month. Qualys CTO Wolfgang Kandek noted in an email to Threatpost that – if it weren’t for the zero day fix – one would likely consider this an uneventful patch cycle.
The second critically rated bulletin – also of high installation priority according to Kandek – resolves an issue in Microsoft DirectShow, a Windows-based API for streaming media content. This privately reported vulnerability could allow remote code execution if a user opens a specially crafted image file. Upon exploitation, the attacker would have the same rights as the user.
The few remaining important bulletins resolve two elevation of privilege bugs in the Windows kernel-mode driver, a security feature bypass flaw in the Windows Security Account Manager Remote (SAMR) protocol, and another security feature bypass problem in Microsoft Silverlight.
As a side note, this patch tuesday release pushes us one month closer to the end of an era: after April’s patch Tuesday release, no longer will Microsoft provide security fixes for it’s more-than-a-decade old and once-ubiquitous XP operating system. It’s well-known that XP has for some time been marred by security vulnerabilities. Despite this, the operating system still commands 29.53 percent of the market, according to the market share statistics firm, Net Marketshare.
“All of today’s bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will apply also to Windows XP, but IT admins won’t have access to patches for these problems anymore,” says Kandek. “This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available.Your best choice is to migrate away from Windows XP to a newer version of the operating system.”
Kandek cites different figures than Net Marketshare, claiming that his scans suggest that XP commands 14 percent of the operating system market. Whichever figure is most accurate – and 15 percentage points is a rather large gulf–entirely too many organizations and individuals are still running the archaic operating system, and things are only going to get worse for those people.