The two late patches fix problems in Internet Explorer and VBScript. In all, Microsoft issued seven updates today (Tuesday) - four of them ‘critical’, addressing remote code execution flaws in Windows, Internet Explorer versions 6-11, VBScript and the company's Forefront security software. The three ‘non-critical’ patches plug gaps in Windows and .NET Framework.
But because the fixes affect all versions of Windows, from XP to 8.1, they have reignited the controversy over the safety of Windows XP once Microsoft stops supporting it in April.
Security expert Paul Ducklin, a senior security advisor at Sophos, welcomed the fact that Microsoft changed its plans just 24 hours before the patches were released.
He told SCMagazineUK.com: “It's good news that Microsoft was able to get those extra two bulletins out this month. Otherwise a bunch of critical holes would have remained unpatched until next month.
“In the ‘old days’, Microsoft would probably just have held over those extra two bulletins instead of sneaking them in at the last minute. The fact that Redmond bothered to keep plugging away at the patches - presumably doing some final testing right until the day before Patch Tuesday - isn't a sign that the company is getting slacker at patching but rather the opposite.”
He added: “We need an ever-increasing urgency to fight back against the crooks by working to ever more aggressive patching deadlines.”
Ducklin pointed to Target's recent payment card breach, where crooks stole 40 million records in less than a month, as a sign that cyber criminals move quickly, and urged CISOs to be fast too when it comes to patches.
“As always, don't delay,” he said. “The days of months or weeks of change committee meetings to weigh up patches are over.”
But the Windows XP fix - one of the last before Microsoft stops supporting it on 8 April - has stirred up the debate over how vulnerable XP users will then become. Ducklin explained that patches to other Microsoft products after April could effectively ‘signpost’ potential XP weaknesses to hackers.
“If Windows 7 and 8 have security holes that can be traced back to bugs originally in the XP source code, then reverse engineering Windows 7 or 8 patches might give a fantastic hint to crooks - a sort of ‘exploit beacon’ - on where to look for exploitable holes in XP, holes the crooks know will never be fixed.
“As Microsoft itself has put it, any hole patched in Windows 7 that matches a hole in XP will pretty much be a zero day in XP for ever. From that time on, it's all downhill from an XP security perspective.”
Kevin Linsell, head of service development at Adapt, told SCMagazineUK.com that the April deadline should serve as a reminder to businesses that they could soon be at serious risk.
“Microsoft ending support for Windows XP next April means that companies still operating XP (estimated 30 percent of computers worldwide) will not be able to effectively maintain their IT systems and potentially put at risk their brand and customer information,” he said.
“With no new security updates, non-security hot fixes, free assisted support options or online technical content updates on the horizon, being dependent on Microsoft XP could be a disaster after April.” Linsell urged XP users to adopt Desktop as a Service (DaaS) options to reduce the threat.