Journal jginspace's Journal: Windows XP now requires 99 security updates
The first Patch Tuesday of 2012 gave us seven security bulletins with
five of them applying to Windows XP. A fully-patched machine would
require the installation of six additional patches as of Tuesday,
however if you were to install Windows XP today, followed by Service
Pack 3, you'd have 99 patches to install. And you'd better move fast
because a grand total of 47 are rated by Microsoft as
"Critical".
(If you installed Fax Services, IIS and FTP server you'd need 106 patches but only masochists would install those on Windows XP right?)
Most of those critical patches are marked with a severity of 9.0 or higher on the National Vulnerability Database. Eight receive a rating of 10.0 - meaning that they're both high-impact and easy to exploit. Several of the high-impact vulnerabilites that don't quite attain the coveted 10.0 rating are docked points (decimal points) because potential adversaries require authentication credentials to proceed. Those who reuse the password they use for Windows to log into their favourite forums while they're using unencrypted wifi could get into trouble.
The 47* patches marked by Microsoft as "Critical" require a total download of 49,962 KB, so quite how one should download and apply all these while the machine is getting constantly probed is an exercise best left to the reader. (* Note that the Cumulative Security Update for Internet Explorer is not included in the critical list - Microsoft rate MS11-099 as "Important", which is a bit odd considering it accumulates three years' worth of "Critical" patches.)
Support for Windows XP ends on April 8, 2014 (that's a patch Tuesday) and it seems like Microsoft do not intend to release another service pack - fair enough - but don't they think it might be time to release a security roll-up? They released such a package for Windows 2000 in 2005, two years after the release of SP4 - we're approaching four years since the release of Windows XP SP3.
So it's probably time to get patching - if you're running across the street to help out with a neighbour's particularly neglected machine or you want to email a few links to granny then you might want to prioritize the eight bulletins rated 10.0 by the NVD - these are:
CVE-2011-1868 / MS11-042, Vulnerability with DFS;
CVE-2011-1268 / MS11-043, Vulnerability in SMB client;
CVE-2011-0661 / MS11-020, Vulnerability in SMB server;
CVE-2009-2494 / MS09-037, Vulnerabilities in Active Template Library - a whole bunch of patches to download here;
CVE-2009-0086 / MS09-013, Vulnerabilities in Windows HTTP Services;
CVE-2008-4250 / MS08-067, Vulnerability in Server Service
... and CVE-2009-3677
/ MS09-071,
Vulnerabilities in Internet Authentication Service - rated by Microsoft
as "moderate" for XP
... and CVE-2009-1930
/ MS09-042,
Vulnerability in telnet - rated by Microsoft as "important".
Or you could use Secunia - their two most severe ratings are labelled "Highly Critical" and "Extremely Critical" - with the latter defined thus: "... used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild". Secunia have six advisories rated "Extremely Critical":
CVE-2011-3402 / MS11-087, Vulnerability in Windows Kernel-Mode Drivers
CVE-2010-3970 / MS11-006, Vulnerability in Windows Shell Graphics Processing
CVE-2009-2493 / MS09-035, Visual C++ Redistributable Package - not present on a fresh install, but shipped with applications that require it.
CVE-2008-0015 / MS09-032, CVE-2008-0020 - MS09-037, vulnerabilities in Active Template Library (appears in the NVD list)
CVE-2009-1537 / MS09-028, Directx
CVE-2009-0235 / MS09-010, Vulnerabilities in WordPad ...
As you can see there's little overlap between the two lists. Most of the vulnerabilities given top-billing by Secunia actually require user interaction to be exploited. I think Secunia tend to assume that Windows XP users will open any .exe and click on this, that and every
link; whereas the NVD ratings work on the assumption that you'll
exercise more restraint.
Of course some of us understand the futility of trying to patch a system that's been vulnerable for months/years, or of carrying around a USB stick full of updates, and we use a program called nLite - it's no longer updated but it's still fit for purpose.
(If you installed Fax Services, IIS and FTP server you'd need 106 patches but only masochists would install those on Windows XP right?)
Most of those critical patches are marked with a severity of 9.0 or higher on the National Vulnerability Database. Eight receive a rating of 10.0 - meaning that they're both high-impact and easy to exploit. Several of the high-impact vulnerabilites that don't quite attain the coveted 10.0 rating are docked points (decimal points) because potential adversaries require authentication credentials to proceed. Those who reuse the password they use for Windows to log into their favourite forums while they're using unencrypted wifi could get into trouble.
The 47* patches marked by Microsoft as "Critical" require a total download of 49,962 KB, so quite how one should download and apply all these while the machine is getting constantly probed is an exercise best left to the reader. (* Note that the Cumulative Security Update for Internet Explorer is not included in the critical list - Microsoft rate MS11-099 as "Important", which is a bit odd considering it accumulates three years' worth of "Critical" patches.)
Support for Windows XP ends on April 8, 2014 (that's a patch Tuesday) and it seems like Microsoft do not intend to release another service pack - fair enough - but don't they think it might be time to release a security roll-up? They released such a package for Windows 2000 in 2005, two years after the release of SP4 - we're approaching four years since the release of Windows XP SP3.
So it's probably time to get patching - if you're running across the street to help out with a neighbour's particularly neglected machine or you want to email a few links to granny then you might want to prioritize the eight bulletins rated 10.0 by the NVD - these are:
CVE-2011-1868 / MS11-042, Vulnerability with DFS;
CVE-2011-1268 / MS11-043, Vulnerability in SMB client;
CVE-2011-0661 / MS11-020, Vulnerability in SMB server;
CVE-2009-2494 / MS09-037, Vulnerabilities in Active Template Library - a whole bunch of patches to download here;
CVE-2009-0086 / MS09-013, Vulnerabilities in Windows HTTP Services;
CVE-2008-4250 / MS08-067, Vulnerability in Server Service
Or you could use Secunia - their two most severe ratings are labelled "Highly Critical" and "Extremely Critical" - with the latter defined thus: "... used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild". Secunia have six advisories rated "Extremely Critical":
CVE-2011-3402 / MS11-087, Vulnerability in Windows Kernel-Mode Drivers
CVE-2010-3970 / MS11-006, Vulnerability in Windows Shell Graphics Processing
CVE-2009-2493 / MS09-035, Visual C++ Redistributable Package - not present on a fresh install, but shipped with applications that require it.
CVE-2008-0015 / MS09-032, CVE-2008-0020 - MS09-037, vulnerabilities in Active Template Library (appears in the NVD list)
CVE-2009-1537 / MS09-028, Directx
CVE-2009-0235 / MS09-010, Vulnerabilities in WordPad
As you can see there's little overlap between the two lists. Most of the vulnerabilities given top-billing by Secunia actually require user interaction to be exploited. I think Secunia tend to assume that Windows XP users will open any
Of course some of us understand the futility of trying to patch a system that's been vulnerable for months/years, or of carrying around a USB stick full of updates, and we use a program called nLite - it's no longer updated but it's still fit for purpose.
Windows XP now requires 99 security updates More Login
Windows XP now requires 99 security updates
Slashdot Top Deals