When Microsoft released an out-of-band patch for the zero-day vulnerability in Internet Explorer, it included a fix for Windows XP users. You may remember that the vulnerability was the first in the post-XP-support era, and you can count me among those who were surprised that Microsoft offered the fix to XP users. Did Microsoft quietly give in to those who either wouldn’t or couldn’t upgrade from XP by the deadline? I figured we would get an answer to that question this week, as the scheduled Patch Tuesday rolls out.
Infosecurity Magazine reported that this month’s Patch Tuesday is the largest one yet this year, stating:
Microsoft is breaking with recent tradition by announcing its heaviest patch load of the year so far for next Tuesday, including two critical updates for Internet Explorer and SharePoint which will affect a large swathe of businesses.
But this time, the patches will not cover Windows XP. As Jeff Davis, vice president of engineering at Quarri Technologies, said to me in an email:
It looks like Microsoft will stick to its pledge to cut XP users off of security updates. This means Internet Explorer is now fundamentally unsafe on XP, and will be forever. Organizations and individuals still stuck on XP need to take urgent action to ensure IE won’t be used, or install third party security solutions that could help fill the gap.
Ross Barrett, senior manager of security engineering at Rapid7, echoed those thoughts, telling me:
The IE critical is the first that clearly would have applied to Windows XP, but for which a patch is not available. IE 6, 7, and 8 are vulnerable on Windows 2003 SP2. This would historically have mapped to the same scope of XP patches, but not this time. Anyone still using XP just got a little less secure — not that they were well off to begin with.
Interestingly enough, however, Microsoft's own data paint XP in a better light than some newer Windows versions. In its latest Security Intelligence Report, Microsoft revealed that XP computers had a lower infection rate than those running Windows 7 or Vista. But the study was done before Microsoft dropped support for XP, so we'll have to see how those numbers change in the coming months.
Right now, the real culprit in this particular vulnerability is IE, and without a patch, XP users can take the simple security step of not using IE as their browser. Beyond that workaround, keeping XP secure is only going to get harder.