jginspace's Journal: Windows XP now requires 99 security updates

The first Patch Tuesday of 2012 gave us seven security bulletins, five of which apply to Windows XP. A machine that was fully patched beforehand would need six additional patches as of Tuesday; however, if you were to install Windows XP today, followed by Service Pack 3, you'd have 99 patches to install. And you'd better move fast, because a grand total of 47 are rated by Microsoft as "Critical".

(If you installed Fax Services, IIS and FTP server you'd need 106 patches but only masochists would install those on Windows XP right?)

Most of those critical patches are marked with a severity of 9.0 or higher on the National Vulnerability Database. Eight receive a rating of 10.0 - meaning that they're both high-impact and easy to exploit. Several of the high-impact vulnerabilities that don't quite attain the coveted 10.0 rating are docked points (decimal points) because a potential adversary needs valid authentication credentials to proceed. Those who reuse the password they use for Windows to log into their favourite forums while on unencrypted wifi could get into trouble.

The 47* patches marked by Microsoft as "Critical" require a total download of 49,962 KB, so quite how one should download and apply all these while the machine is getting constantly probed is an exercise best left to the reader. (* Note that the Cumulative Security Update for Internet Explorer is not included in the critical list - Microsoft rate MS11-099 as "Important", which is a bit odd considering it accumulates three years' worth of "Critical" patches.)

Support for Windows XP ends on April 8, 2014 (that's a patch Tuesday) and it seems like Microsoft do not intend to release another service pack - fair enough - but don't they think it might be time to release a security roll-up? They released such a package for Windows 2000 in 2005, two years after the release of SP4 - we're approaching four years since the release of Windows XP SP3.

So it's probably time to get patching. If you're running across the street to help out with a neighbour's particularly neglected machine, or you want to email a few links to granny, then you might want to prioritize the eight bulletins rated 10.0 by the NVD. These are:

CVE-2011-1868 / MS11-042, Vulnerability in DFS;
CVE-2011-1268 / MS11-043, Vulnerability in SMB client;
CVE-2011-0661 / MS11-020, Vulnerability in SMB server;
CVE-2009-2494 / MS09-037, Vulnerabilities in Active Template Library - a whole bunch of patches to download here;
CVE-2009-0086 / MS09-013, Vulnerabilities in Windows HTTP Services;
CVE-2008-4250 / MS08-067, Vulnerability in Server Service;
CVE-2009-3677 / MS09-071, Vulnerabilities in Internet Authentication Service - rated by Microsoft as "Moderate" for XP;
CVE-2009-1930 / MS09-042, Vulnerability in Telnet - rated by Microsoft as "Important".

Or you could use Secunia - their two most severe ratings are labelled "Highly Critical" and "Extremely Critical" - with the latter defined thus: "... used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild". Secunia have six advisories rated "Extremely Critical":

CVE-2011-3402 / MS11-087, Vulnerability in Windows Kernel-Mode Drivers
CVE-2010-3970 / MS11-006, Vulnerability in Windows Shell Graphics Processing
CVE-2009-2493 / MS09-035, Visual C++ Redistributable Package - not present on a fresh install, but shipped with applications that require it.
CVE-2008-0015 / MS09-032 and CVE-2008-0020 / MS09-037, Vulnerabilities in Active Template Library (MS09-037 also appears in the NVD list)
CVE-2009-1537 / MS09-028, DirectX
CVE-2009-0235 / MS09-010, Vulnerabilities in WordPad

As you can see there's little overlap between the two lists. Most of the vulnerabilities given top-billing by Secunia actually require user interaction to be exploited. I think Secunia tend to assume that Windows XP users will open any .exe and click on this, that and every link; whereas the NVD ratings work on the assumption that you'll exercise more restraint.

Of course some of us understand the futility of trying to patch a system that's been vulnerable for months/years, or of carrying around a USB stick full of updates, and we use a program called nLite - it's no longer updated but it's still fit for purpose.