Patch Tuesday sounds death knell for Win XP SP2
Hasta la vista
Microsoft released the expected four security advisories on Tuesday, three of which earn the dread rating of critical. They collectively address five security vulnerabilities.
There are two critical fixes for Windows in the batch, including an update designed to resolve a zero-day vulnerability involving Windows Help and Support Centre that's become a hackers' favourite over recent weeks. The vulnerability was controversially disclosed by Google staffer Tavis Ormandy prior to Microsoft providing a fix.
The other two critical updates cover flaws in Microsoft Access ActiveX component and the CDD display driver for Windows 7 and Windows 2008R2. Lesser risk "important" updates cover security bugs in the handling of attachments by Microsoft Outlook.
Tyler Reguly, senior security engineer at security firm nCircle, described July's patches as "pretty mundane" in terms of corporate security.
"The most interesting vulnerability for the enterprise is MS10-045, which lets an attacker use a specially-crafted UNC path in an Outlook attachment to bypass Outlook’s warning about opening potentially malicious attachments," Reguly said. "This is significant because Operation Aurora and other high profile email based attacks over the last year have proven to be highly successful."
July 2010's Patch Tuesday marked the last month Microsoft will issue patches for either Windows XP Service Pack 2 and Win 2000. Security watchers reckon a significant proportion of Windows machines are still running Win XP SP2.
"Since Windows XP is still the most popular OS version for Windows, I believe we’re dealing with hundreds of millions of Windows XP SP2 systems that need to be upgraded," said Wolfgang Kandek, CTO of Qualys. "Our own monitoring shows that roughly 50 percent of all XP machines still run on the SP2 version. XP SP2 machines can be found both in corporate installations and are also very often the OS on home machines." ®