SOFTWARE PATCHER Microsoft has fixed 23 common vulnerabilities and exposures (CVEs) in five bulletins for its Patch Tuesday release this month, correcting critical flaws in Internet Explorer (IE) and Silverlight, in what is the firm's penultimate security bulletin covering Windows XP.
The release includes two fixes rated as "critical", the first of which, Bulletin one (MS14-012), patches the open vulnerability in IE from v6 through v11 that hackers have been exploiting since January.
In January the Redmond firm rolled out a patch for a remote code execution vulnerability in a recent version of Internet Explorer to protect against web-based attacks. The critical bulletin in the March Patch Tuesday release updates that January bulletin.
Security company Tripwire's manager of research, Tyler Reguly, said that the IE update doesn't come as a surprise and should be at the top of everyone's list this month.
"This update resolves multiple vulnerabilities including two zero-day issues, one that we were expecting (affecting IE10) and a second one affecting IE8. Once again, we're seeing evidence that IE11 is the way to go," he said.
The second critical flaw is addressed in Bulletin two, which patches all Windows OS versions from Windows XP through Windows Server 2012, except Windows RT.
Security researchers have warned that administrators should treat these two critical bulletins as priorities and apply them immediately.
Bulletins three and four address important but not critical vulnerabilities in Windows, and bulletin five is for users of Silverlight on Mac and Windows.
The issue fixed in Silverlight (MS14-014) is an ASLR bypass vulnerability that could be used in conjunction with another exploit to evade mitigation techniques.
"Last week I mentioned that I thought it was time for Microsoft to give up on Silverlight - it sees a lot of patches given its limited adoption. It appears that the Microsoft EOL date for Silverlight 5 reaches into 2021. That's a long time for this technology to continue to receive updates," Reguly added.
"Since Microsoft is committed to supporting it, it'd be nice to see websites still using it commit to dropping it, then we could all uninstall Silverlight and effectively increase the security of end user systems. Running a web technology to support one or two sites is not an effective way to limit the attack surface of a system."
Another noteworthy update from Microsoft this month is MS14-016, which fixes an API call in the Security Account Manager (SAM) that allowed an attacker to brute-force Active Directory account passwords without triggering the password attempt lock-out policy.
"Password attempt lock-out policies are put in place specifically to prevent brute-force attempts and allowing a malicious attacker to bypass the policy completely defeats the protection it provides," Reguly added.
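As an added, defender-side illustration of the lock-out bypass described above (not code from the article or from Microsoft), the Python below scans a batch of constructed Windows Security log events for accounts that rack up failed logons past the lock-out threshold without a matching lock-out event, which is the symptom an unpatched bypass would leave behind. Event IDs 4625 (failed logon) and 4740 (account locked out) are the standard Windows Security log IDs; the threshold and window values, the account names and the timestamps are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account).
# 4625 = failed logon, 4740 = account locked out (standard Windows Security log IDs).
SAMPLE_EVENTS = [
    ("2014-03-12T09:00:00", 4625, "alice"),
    ("2014-03-12T09:00:05", 4625, "alice"),
    ("2014-03-12T09:00:10", 4625, "alice"),
    ("2014-03-12T09:00:15", 4625, "alice"),
    ("2014-03-12T09:00:20", 4625, "alice"),
    ("2014-03-12T09:00:25", 4625, "alice"),  # six failures, no 4740 ever follows
    ("2014-03-12T09:10:00", 4625, "bob"),
    ("2014-03-12T09:10:05", 4625, "bob"),
    ("2014-03-12T09:10:10", 4625, "bob"),
    ("2014-03-12T09:10:15", 4625, "bob"),
    ("2014-03-12T09:10:20", 4625, "bob"),
    ("2014-03-12T09:10:21", 4740, "bob"),    # lock-out fired as the policy intends
    ("2014-03-12T09:30:00", 4625, "carol"),
    ("2014-03-12T09:30:10", 4625, "carol"),  # below threshold, benign
]

def find_unlocked_bruteforce(events, threshold=5, window=timedelta(minutes=30)):
    """Return accounts that reached `threshold` failed logons inside `window`
    with no account lock-out (4740) recorded for them in that window.
    Such accounts indicate the lock-out policy is not being enforced."""
    by_account = defaultdict(list)
    for ts, event_id, account in events:
        by_account[account].append((datetime.fromisoformat(ts), event_id))
    suspicious = []
    for account, items in by_account.items():
        items.sort()
        failures = [t for t, eid in items if eid == 4625]
        lockouts = [t for t, eid in items if eid == 4740]
        # Slide a window of `threshold` consecutive failures along the timeline.
        for i in range(len(failures) - threshold + 1):
            start, end = failures[i], failures[i + threshold - 1]
            if end - start > window:
                continue  # failures too spread out to trip the policy
            # A lock-out between the first failure and shortly after the last
            # means the policy worked; otherwise the account is flagged once.
            if not any(start <= lt <= end + window for lt in lockouts):
                suspicious.append(account)
            break
    return sorted(suspicious)
```

Running `find_unlocked_bruteforce(SAMPLE_EVENTS)` on the sample returns `["alice"]`: bob's burst ended in a lock-out and carol never reached the threshold.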
The March Patch Tuesday release includes the penultimate patch covering Windows XP, as the firm plans to retire Windows XP from patch support on 8 April. However, late last year it emerged in a Spiceworks report that almost 80 percent of IT professionals are still running Windows XP on at least one system, raising security concerns as Microsoft counts down to the end of extended support for the obsolescent PC operating system (OS).
In a report entitled "Getting Over Your [Windows] XP", Spiceworks revealed that 76 percent of IT professionals haven't upgraded all of their systems from Windows XP to a later version of Windows yet, and nearly half admitted that they will leave the 2002 Windows XP OS on at least one system past its end of support that is due next month.
Microsoft warned organisations to upgrade their systems in April 2012, when it announced the two-year countdown to the end of support for Windows XP and Microsoft Office 2003, saying that "the technology environment has shifted" and that those leaving the migration to the last minute might find it difficult to accomplish in time.
In April, software specialist 1E marked the one-year countdown to the end of Windows XP support by reporting that less than a quarter of UK companies had completed the migration of their PC estate to a newer version of Windows, with 40 percent still "in the process of upgrading".
Those that don't upgrade can expect to be faced with the threat of increasing security concerns, as Windows XP continues to be one of the PC operating systems most targeted by malware attacks.