With less than a week to go before Microsoft ends support for Windows XP, over 27% of Internet-connected computers are still running the venerable O/S, according to an Ars Technica report.
Microsoft has clearly been unable to convince XP users to switch to another O/S, and the days and weeks following April 8 will likely be filled with stories about new malware and attacks on XP-based systems.
Microsoft’s Malicious Software Removal Tool (MSRT) checks for and attempts to remove known malware from Windows computers during the Windows Update process.
This is good news for anyone who will still be running XP after April, but it’s important to note that MSRT is not a substitute for a full anti-malware solution, and should not be seen as protection against the flood of malware, targeted at Windows XP computers, expected to appear after April 8.
Yesterday was Patch Tuesday, and Microsoft released five updates for Windows, Internet Explorer, and Silverlight. Two of the updates are flagged as Critical. The official summary bulletin has all the technical details, and a post on the MSRC blog has a less technical breakdown of the updates.
This month’s Ouch! (PDF) provides a useful overview of what you need to know if you’re still using Windows XP.
The SANS Ouch! newsletter is aimed at users, so it may not be useful for IT professionals. On the other hand, it’s a great place to send users looking for information adapted to their level of understanding.
Patch Tuesday for March 2014 happens on March 11. Microsoft currently plans to publish five new bulletins and associated patches starting at 10am PST on that date. The patches will address vulnerabilities in Windows, Internet Explorer, and Silverlight. Two of the patches are flagged as Critical.
Microsoft will prod you to upgrade your Windows XP computers after support for that O/S ends in April.
According to Ars Technica, a message will pop up on the 8th of every month, starting on March 8, 2014. Although this may be viewed as a nuisance by some users, at least the message has a “don’t bother me again” checkbox.
Adobe will no longer test Flash on Windows XP after the next quarterly update. You can continue to use Flash on Windows XP after that, but it will become increasingly risky, especially if it’s enabled in your web browser. This is yet another nail in the coffin for Windows XP.
When a new Windows vulnerability is discovered, and particularly when exploits for that vulnerability are discovered in the wild, a common refrain from Microsoft is “use EMET”. EMET is security software that protects Windows systems from certain types of behaviour common to vulnerability-based attacks.
Installing and configuring EMET properly provides a level of protection beyond that of regular anti-malware software. Well, that was the idea, anyway.
Now it appears that attackers have found a way past EMET. The EMET bypass was discovered by security researchers at Bromium Labs and the details published in a whitepaper.
Malicious hackers are likely to start using this new information soon. Microsoft is working with Bromium Labs, but it may not be possible to prevent the bypass by improving EMET, in which case EMET will be reduced to a minor speed bump for attackers.
We previously posted about Microsoft fiddling with Windows 7’s lifecycle dates. At the time, it seemed clear that Microsoft would be foolish to stop making Windows 7 available to computer builders in October 2014 as originally stated.
Microsoft recently updated the lifecycle dates for Windows 7 again, and now Windows 7 Professional OEM will be available until at least February 23, 2015 (a year from today). No specific cut off date is provided on the lifecycle page for Windows 7 Pro, but a footnote states that Microsoft will provide at least one year of notice before any cut-off date is actually set.
Meanwhile, other versions of Windows 7 (Home, Ultimate) will no longer be available as of October 31, 2014, as originally planned.
Anyone still running Windows XP and planning to upgrade to Windows 7 will find that Win7 is no longer available in retail stores. And now we know that even OEM packages for all but the Pro version will stop being available in October 2014.
It’s the second Tuesday in February 2014, so it’s time to patch your Windows computers. Originally there were only going to be five bulletins this month, but two more were added late. The updates fix security vulnerabilities in Internet Explorer, Windows and .NET. Four of the updates are flagged as Critical.
As usual, a SANS ISC Diary post provides a security-focused interpretation of the month’s updates, with its own recommendations, as well as useful references (CVE identifiers) to the specific vulnerabilities addressed.
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.
Close
Ad-blocker not detected
Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.