Qualys Blog

End of Life for Windows XP SP 2 – Time to Migrate

On July 13, 2010, Microsoft will stop releasing security updates, hotfixes and other updates for Windows XP Service Pack 2. Microsoft advises users who are still on XP SP2 to update to XP SP3 or Windows 7. Windows XP SP3 was released in April 2008, which started the 24-month wind-down phase for SP2, so this end-of-support date by itself does not come as a surprise to IT admins who follow Microsoft’s lifecycle.

Nevertheless, we see a large number of machines in enterprise networks still running Windows XP SP2. The following graph shows that only half of all Windows XP installations have upgraded to SP3 since its release. Even with a significant increase in the upgrade ratio, up from the 20% and 30% achieved in 2008 and 2009 respectively, we are still over a year away from having all machines migrated, which threatens to leave many machines exposed to exploits for the vulnerabilities we expect in the second half of 2010. Home users should be better off, as XP SP3 is being pushed down automatically to machines that participate in Windows Update or Microsoft Update. On the enterprise side, however, it seems that 2 years of burn-in time is not enough, and it would be helpful if Microsoft could extend support for one more year.

PS: Support for Windows Embedded XP SP2, an OS quite frequently used for ATMs and POS systems, is extended to Jan 2011, so users of embedded systems have a bit longer to prepare. These embedded systems frequently represent an even bigger challenge to keep up to date; they are often managed by a 3rd party and sometimes not even properly recognized as Windows computer systems.
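To find the machines this post is concerned with, here is an added PowerShell inventory check (not code from the Qualys post) that queries each host's Win32_OperatingSystem class over WMI and flags Windows XP installs below SP3 and Windows 2000 as end of support; the host names are constructed and matching "Embedded" in the OS caption to spot Windows Embedded XP is an assumption.

```powershell
# Added example: flag hosts whose OS is losing support, using the WMI
# Win32_OperatingSystem class. Host names below are constructed samples.
$hosts = @('ws-001', 'ws-002', 'atm-kiosk-07')

foreach ($h in $hosts) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
    } catch {
        Write-Warning "$h`: WMI query failed ($($_.Exception.Message))"
        continue
    }

    $sp = [int]$os.ServicePackMajorVersion
    $status = 'supported'

    # Windows XP reports version 5.1; SP2 support ends July 13, 2010 (SP3 is current).
    if ($os.Version -like '5.1.*' -and $sp -lt 3) {
        # Assumption: Windows Embedded XP carries "Embedded" in its caption.
        if ($os.Caption -match 'Embedded') {
            $status = 'Embedded XP SP2: support ends Jan 2011'
        } else {
            $status = 'XP SP2 or older: support ends July 13, 2010'
        }
    }
    # Windows 2000 reports version 5.0; its support is also being discontinued.
    elseif ($os.Version -like '5.0.*') {
        $status = 'Windows 2000: end of support'
    }

    New-Object PSObject -Property @{
        Host   = $h
        OS     = $os.Caption
        SP     = $os.CSDVersion
        Status = $status
    }
}
```

Pipe the output to Export-Csv to feed the list of flagged hosts into the migration plan.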

Patch Tuesday Bottomline – May 2010

Microsoft’s release for May 2010 contains 2 bulletins (MS10-030 and MS10-031) fixing 2 vulnerabilities, one of its lower-impact releases. MS10-031 is for Microsoft Office and addresses a remote code execution vulnerability present in all versions: Office XP, 2003 and 2007. Its exploitability index is 2, so exploit code within the next 30 days is unlikely. Microsoft’s Security Research & Defense (SRD) blog post goes into further detail on the difficulties of writing a working exploit. While the bulletin only carries a severity of "important", we consider it the more urgent of today’s release.

The second bulletin, MS10-030, fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". Successful exploitation, however, is unlikely (exploitability index = 2), as it requires extensive user involvement, including setting up an e-mail account on a malicious server. We don’t see Outlook Express/Windows Mail being used in the enterprise, but smaller businesses could be affected.

Microsoft did not address the recent SharePoint vulnerability (KB983438). We recommend looking into the advisory and implementing the suggested workaround, which restricts access to the Help functionality in SharePoint.

Patch Tuesday – Preview for May 2010

Following the large April update, Microsoft will have only 2 bulletins to release in May. One of the bulletins is for Windows and is rated "critical" for all members of the family except Windows 7 and 2008 R2. On the Win7/2008 R2 combo it is rated "important", continuing the consistently better showing of Microsoft’s newer OSs. The second bulletin is for Office, where all versions are affected and it is rated "important"; however, it is rated "critical" for Visual Basic for Applications and its SDK.

Microsoft will not address the recent SharePoint vulnerability (KB983438) and recommends applying the workarounds shown in the advisory, which restrict access to the Help functionality in SharePoint.

Last month’s bulletins have seen a fair amount of discussion. Microsoft reissued MS10-025 on April 27 after the initial patch was found to be ineffective. The bulletin only applies to Windows 2000 and is rated "critical", so if it affects your installation please check whether you have applied the latest version. As support for Windows 2000 (and XP SP2) is being discontinued in the summer, IT admins who still run either of these operating systems should be working on a replacement strategy. Earlier this week Core Security published 2 advisories concerning MS10-024 and MS10-028, showing that they contained fixes for vulnerabilities not listed in the bulletins. While the inclusion of internally found vulnerabilities is considered normal, Core suggests that the severity of MS10-024 should be upgraded.

Infosec UK 2010 presentation online

Last week Qualys was at Infosecurity Europe, meeting customers and demoing the new QualysGuard Malware Detection service. We also gave a presentation on integrating vulnerability and patch data, which you can download from here.