
Microsoft identifies new vulnerabilities

Joe Curtis

10:02, May 12 2014


Hackers will use the latest Patch Tuesday to target OS weaknesses.

Users running Windows XP face more risk of attack as Microsoft's latest security patches reveal critical vulnerabilities in the out-of-support operating system.

The tech giant is due to release eight updates tomorrow (May 13th) in what will be its largest Patch Tuesday this year.

At least half of the bulletins affect the 13-year-old OS for which support expired on April 8.

Two of the eight security bulletins are critical, with SharePoint Server and Internet Explorer (IE) the worst affected. However, XP users won't get any help from Microsoft to address them.

Ross Barrett, senior manager of security engineering at Rapid7, said: "Anyone still using XP just got a little less secure - not that they were well off to begin with. The IE critical vulnerability is the first that clearly would have applied to Windows XP, but for which a patch is not available."

He added that the SharePoint weakness "may prove to be a legitimate remotely exploitable issue" for hackers.

Hackers could identify the weaknesses that also affect XP by comparing OS code before and after the patch updates, and then use them to target users of the retired operating system.

Karl Sigler, threat intelligence manager at Trustwave, warned anyone who has not upgraded from XP yet to do so as soon as possible. "This security bulletin will include vulnerabilities seen exploited in the wild and those running Windows XP will be out of luck," he added.

XP accounted for 26% of worldwide web traffic in April, according to research firm Net Applications, while warnings have been issued that hackers are ready to hit XP users now they are no longer protected.

Will Markham, security practice lead at IT managed services firm Colt, said: "You're guaranteed you're going to be targeted. If I'm a paid criminal...I will save up the ammo and then bang, when the doors are down I'll hit it."

Russ Ernst, director of product management at IT security firm Lumension, said the IE vulnerability (for versions 6, 7 and 8 on XP) would require a minimum of monthly updates from IT departments running a newer OS, and confirmed hackers are still focused on the browser.

"The bad guys continue to wage war on what remains one of the most popular browsers," he said.

While the patches will be of benefit to any user of Windows Vista, Windows 7 or later, XP support is only available through costly custom support packages with Microsoft.

