Tuesday, July 13, 2010

Vole plugs hole while pulling the plug on Windows XP SP2

Microsoft is contradicting itself today by ending support for Windows XP SP2 while also plugging a hole in XP that saw over 10,000 computers attacked.

In an effort to get people to upgrade to SP3 or, more preferably for Microsoft, Windows 7, the software giant is ending support for XP SP2, which accounts for nearly half of the PCs in most organisations, according to a recent survey by Softchoice.

This will leave a substantial number of computers exposed to attack. Microsoft is simultaneously fixing the vulnerability in XP which a Google employee discovered, saving potentially thousands of computers from attack. Is it just us or are these two things a little antithetical?

Microsoft has confirmed that it will continue to support SP3 until April 2014, but with such a large volume of people still on SP2, and with such gaping holes found recently in XP overall, is it really helping to ensure its older operating system is secure?

Today's patch will see the CVE-2010-1885 Windows XP vulnerability mended, along with another in 64-bit versions of Windows 7, and two holes in Office. It will be the last patch XP SP2 users will see, which means any further vulnerabilities and exploits will not be addressed by Microsoft, making that version of XP very risky to use.

In fact, it effectively disables the security update feature for SP2 users completely, meaning that other software, such as Internet Explorer and Windows Media Player, will also not receive any updates, even when critical patches are available for the same software on SP3, Vista, or Windows 7. And should a certain Google employee find another flaw in XP, SP2 users will not receive a fix for it.

Microsoft is obviously urging users to upgrade to SP3, but when SP3 originally launched in May 2008 it caused more problems for people than it solved. Numerous reports revealed complete computer crashes or looping reboots, while others had problems getting their web browsers and other software to work. It caused such an uproar that many users decided it was a much safer bet to simply not upgrade. 

Two years on and it seems that the bad taste from the original SP3 launch is still very tangible, but wary XP users will need to upgrade now or risk a volley of attacks aimed at the unsupported service pack.

Source: http://www.techeye.net/security/vole-plugs-hole-while-pulling-the-plug-on-windows-xp-sp2