
SANS ISC: Patch Tuesday pre-Announcement - XP officially becomes the enemy next week - Internet Security | DShield SANS ISC InfoSec Forums


Patch Tuesday pre-Announcement - XP officially becomes the enemy next week

Microsoft has posted their regular pre-announcement for Patch Tuesday here:  http://technet.microsoft.com/en-us/security/bulletin/ms14-apr

We can expect:

  • The final, yes final patches for XP
  • The final patches for Office 2003 also - this has gotten a lot less press than XP but is just as critical ( http://office.microsoft.com/en-ca/help/support-is-ending-for-office-2003-HA103306332.aspx )
  • The usual patches for other Windows and IE versions
  • A couple of updates for WSUS and Windows Update. Changes to Windows Update often result in Tuesday's updates coming in two parts - we'll see on Tuesday I guess

So after Tuesday, XP and Office 2003 join the ranks of the "internet of hostile things" - platforms that are no longer being patched by the vendor as new issues arise, so quickly become compromised. This includes things like your TV, your DVR or home internet router, your fridge, treadmill, IV pump, heart monitor or pacemaker - oh, and likely your phone as well - read our stories over the last couple of months (or years really) for more on these. Unfortunately, this XP event happens all in one fell swoop - millions of hostile hosts being added to the opposing army all at once.

Fortunately, we can do something about this. Updating to Windows 7 or 8 is cheap, if your hardware is up to the task. If you've got older hardware, I'm seeing used Windows 7/8 capable desktop hardware for $100-$200 these days, and laptops seem to be in the same range. If going to a new Windows platform isn't in your future, you're probably already looking at one of the more popular Linux distributions - distros like Ubuntu, Xubuntu or Mint that try to mimic the UI that many home users are familiar with. There is a similar range of options for Office (upgrades and alternatives).

Use our comment form to let us know what you are doing or have done for your user community (or family members) that might still be on XP or Office 2003 after Tuesday.

===============
Rob VandenBrink
Metafore

Rob VandenBrink

515 Posts
ISC Handler
Does anyone know when WinXP SP2 64bit goes EOL? The lifecycle database doesn't have a date, but instead has the same blurb that it has for WinXP Embedded...

-----
Support ends 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. For more information, please see the service pack policy here.
-----

I found a date of Jan 12, 2016 for WinXP Embedded...but I can't seem to find a date for XP/64
K-Dee

63 Posts
https://support.microsoft.com/lifecycle/?p1=8599

I read it as 4/8/2014 as well
Susan

34 Posts
Can you post an alert that the Windows 8.1 update has to be installed in order to continue to get security patches on that platform?
http://blogs.windows.com/windows/b/springboard/archive/2014/04/02/windows-8-1-update-the-it-pro-perspective.aspx

"Windows 8.1 Update is a cumulative update to Windows 8.1, containing all the updates we have released for Windows 8.1, so if you install this update you do not need any earlier updates. It also becomes the new servicing baseline for Windows 8.1, so next month’s security updates (on May 13th, the next “patch Tuesday”) will be dependent on Windows 8.1 Update.

Windows 8.1 Update is categorized as “security update” because it includes two new security fixes (as well as all previously-issued Windows 8.1 updates). Separate versions of these security fixes (KB2922229 and KB2936068) are also available for those organizations that aren’t yet ready to deploy the full Windows 8.1 Update."

So this update will be part of our Patch Tuesday test and deployment as well.
Susan

34 Posts
I'm not sure how you read it as 4/8/2014 when it doesn't show that date on the link you gave.

It specifically says 4/8/2014 for 32bit WinXP Pro SP3. But 64bit doesn't have a date
K-Dee

63 Posts
Quoting K-Dee: I'm not sure how you read it as 4/8/2014 when it doesn't show that date on the link you gave.

It specifically says 4/8/2014 for 32bit WinXP Pro SP3. But 64bit doesn't have a date


https://support.microsoft.com/gp/lifepolicy (this link found on page in Susan's posted link)

FAQ No. 19, last bullet point in first section "When support for a product ends, support of the service packs for that product will also end."
CJatWork

1 Posts
