Yes, there are still some rather large organizations maintaining their investments in Windows XP, as we recently learned when an unclassified U.S. Navy document showed that the Navy had extended a support contract with Microsoft for two more years, meaning that its systems will continue to receive XP security patches until 2017.
For other XP installations that have not entered into similar commitments, the clock ran out yesterday on antimalware signatures. Keeping to its word, Microsoft ended security support for existing Microsoft Security Essentials customers running Windows XP, a little more than a year after support for the operating system officially ended on April 8, 2014. Microsoft said last year that signatures and updates for Microsoft Security Essentials, as well as the Microsoft Malicious Software Removal Tool, would remain available to XP users for a limited time.
Both expired yesterday as Microsoft reaffirmed that customers should move on to current versions of the operating system. Netmarketshare, however, reports that XP still holds 12 percent of the desktop market share, and a number of breaches, in particular those in the retail and hospitality space, involved point-of-sale servers still running the 14-year-old OS.
The news was buried in an avalanche of patches not only from Microsoft, but also from Adobe and Oracle. All of the zero-day vulnerabilities uncovered in the Hacking Team breach to date were fixed. In case you’re keeping score, there have been five: three in Adobe Flash Player, one in the Windows kernel, and one in Java.
Microsoft also released a pair of security advisories that merit attention, in particular one warning of a vulnerability in the Malicious Software Removal Tool (MSRT), a utility that removes malware infections from supported versions of Windows. Microsoft said yesterday that it had updated the MSRT to patch a race condition flaw that would allow an authenticated attacker to elevate privileges on a compromised system.
“The vulnerability could allow elevation of privilege if an attacker logs on to a target system and places a specially crafted dynamic link library (.dll) file in a local directory. An authenticated attacker who successfully exploited the vulnerability could elevate privileges on a target system,” the advisory said. “An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”
The vulnerability, CVE-2015-2418, was reported to Microsoft by James Forshaw of Google’s Project Zero research team and is addressed in version 5.26 of the MSRT.
The second advisory from yesterday describes an update that hardens the use of Data Encryption Standard (DES) encryption keys in Kerberos. Though disabled by default beginning with Windows 7 and Windows Server 2008 R2, DES is still supported in some cases to maintain application compatibility.
Yesterday’s update, Microsoft said, disables DES for a number of built-in accounts, including krbtgt accounts, trust accounts and machine accounts. User accounts, Microsoft said, may still enable DES if an application requires it, so any account that keeps it after the update is worth an inventory: DES has only a 56-bit key, and a Kerberos ticket encrypted with it can be brute-forced offline.
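The check an administrator would want after this update is a list of accounts that can still negotiate DES Kerberos keys. The following PowerShell is an added example written for this page; it is not from the article or from Microsoft. It decodes the msDS-SupportedEncryptionTypes bitmask and the USE_DES_KEY_ONLY flag in userAccountControl, and then queries Active Directory for any object (user, krbtgt, computer or trust) that still advertises a DES encryption type. The account names and attribute values in the offline sample are constructed; the live query requires the ActiveDirectory module from RSAT.

```powershell
# Added example (not from the article or from Microsoft): find Active Directory
# accounts that still allow DES Kerberos keys after the DES hardening update.

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4_HMAC    = 0x4
    AES128      = 0x8
    AES256      = 0x10
}
# userAccountControl flag ADS_UF_USE_DES_KEY_ONLY: forces DES-only keys for the account.
$UF_USE_DES_KEY_ONLY = 0x200000

function ConvertFrom-EncTypes {
    # Decode the msDS-SupportedEncryptionTypes bitmask into etype names.
    # A missing attribute binds as 0, which means the account does not
    # advertise etypes itself and the domain controller's defaults apply.
    param([int]$Value)
    if ($Value -eq 0) { return @('(not set)') }
    $EncTypeBits.Keys | Where-Object { ($Value -band $EncTypeBits[$_]) -ne 0 }
}

function Test-AllowsDes {
    # True if the account advertises a DES etype or is flagged DES-only.
    param([int]$EncTypes, [int]$UserAccountControl)
    $desMask = $EncTypeBits.DES_CBC_CRC -bor $EncTypeBits.DES_CBC_MD5
    (($EncTypes -band $desMask) -ne 0) -or (($UserAccountControl -band $UF_USE_DES_KEY_ONLY) -ne 0)
}

function Get-DesCapableAccounts {
    # LDAP filter: either DES bit set, or the DES-only UAC flag set.
    # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND matching rule.
    $filter = '(|(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=1)' +
              '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=2)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
    # Get-ADObject rather than Get-ADUser so krbtgt, computer and trust objects are included.
    Get-ADObject -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes, userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                Class    = $_.ObjectClass
                EncTypes = (ConvertFrom-EncTypes $_.'msDS-SupportedEncryptionTypes') -join ','
                DesOnly  = (([int]$_.userAccountControl -band $UF_USE_DES_KEY_ONLY) -ne 0)
            }
        }
}

# Constructed sample values (not from any real domain) to exercise the decoder offline.
$samples = @(
    @{ Name = 'legacy-svc'; EncTypes = 0x7;  UAC = 0x200 }      # DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC
    @{ Name = 'modern-svc'; EncTypes = 0x18; UAC = 0x200 }      # AES128, AES256 only
    @{ Name = 'old-app';    EncTypes = 0;    UAC = 0x200200 }   # not set, but USE_DES_KEY_ONLY is on
)
foreach ($s in $samples) {
    '{0,-12} etypes={1,-32} allowsDES={2}' -f $s.Name,
        ((ConvertFrom-EncTypes $s.EncTypes) -join ','),
        (Test-AllowsDes $s.EncTypes $s.UAC)
}

# Live inventory against the current domain (needs RSAT ActiveDirectory module):
# Import-Module ActiveDirectory; Get-DesCapableAccounts | Format-Table -AutoSize
```

In the offline sample, legacy-svc and old-app are reported as allowing DES and modern-svc is not. Against a real domain, any krbtgt, trust or machine account that still appears in the output after the update is the thing to investigate, since those are exactly the accounts the advisory says should no longer have DES enabled.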
The advisories capped a busy Patch Tuesday for Windows administrators, who were handed 14 bulletins covering a total of 60 CVEs. Four of the bulletins were rated critical, and two addressed zero days uncovered among the stolen Hacking Team data.