As part of its monthly Patch Tuesday, Microsoft has also announced the end of support for Windows 2000 and XP Service Pack 2.
Recently, Gartner encouraged businesses to look to the end of XP, which Microsoft has said it will stop supporting at the end of 2014.
In a blog entitled ‘nirvana for cyber criminals?’, Kaspersky Lab researcher Roel Schouwenberg claimed that while there are still a lot of machines running XP/SP2, he was not convinced that there was a serious problem.
He said: “Let's look first at consumer machines – those which aren't being centrally managed. Why would these machines still be running SP2? Obviously, Windows Updates (WU) must have been disabled. I can only think of two main reasons why that would be the case: either a malware infection which is somehow preventing WU from working, or people have disabled WU on pirate versions to be sure they can continue to use Windows without having to pay for it.
“In the first case, infection already occurred. In the second case, it is very unlikely that the machine was ever patched after the initial SP2 install. That means that such machines are vulnerable to any of the exploits that exploited XP vulnerabilities discovered after 25th August 2004, when SP2 was released. In other words, these computers have been vulnerable for a long, long time.”
Looking at business environments still running SP2, Schouwenberg said that in the vast majority of cases administrators will have decided that the time just is not ripe for SP3, but if administrators have not rolled out SP3 yet, it seems unlikely that the other software they are running – such as Office and Adobe Reader – is going to be up to date.
He said: “These are the same companies that are still running Internet Explorer 6. Given all this, I don't think ending support for SP2 will create any sort of nirvana for cyber criminals. All the unpatched (and attackable) machines have been this way for a long time now – and chances are, if they were going to be infected, it would have happened a long time ago.”
Commenting on the end of support for SP2, Dave Marcus, research and communications director for McAfee Labs, said that many enterprises and consumer users still deploy and depend heavily on applications that run on this Windows build. He expected cyber criminals to capitalise on this opportunity and recommended that users of Windows XP SP2 consider migration options and robust security solutions to mitigate risk.
Wolfgang Kandek, CTO at Qualys, called this update a small step for security updates, but a huge leap for enterprise security. He said: “Our own internal statistics indicate that approximately 50 per cent of Windows XP machines are still on the SP2 level and external surveys put the number of organisations that still depend on SP2 at 77 per cent.”
Tyler Reguly, senior security engineer for nCircle, called the end of support for Windows 2000 ‘by far the most interesting part of today's patch’.
He said: “Some Microsoft customers may continue to get updates via Microsoft's custom support agreement, but for most people, today is the end of the line. Curiously, even though this is the end for most Windows 2000 users, there are no Windows 2000 patches today.”