
Forum Thread: Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Open Discussions

This thread has been marked as locked.
mogs Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle
Expert Contributor 11th Dec, 2013 14:05
Ranking: 2265
Posts: 6,268
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
December 11th, 2013, 08:33 GMT · By Bogdan Popa
Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle

Microsoft launched this month’s Patch Tuesday updates this morning, fixing 24 different vulnerabilities in its software, including Windows and Internet Explorer.

While the company has indeed addressed a zero-day flaw in the way Windows handles TIFF files, the company has actually ignored a security glitch found in Windows XP and allowing attackers to run malicious code through a specially-crafted PDF document.

Wolfgang Kandek, CTO of Qualys, says in a statement that exploits are already available out there in the wild, which means that all users should update to the latest version of Adobe Reader as soon as possible.

“The second currently open 0-day vulnerability does not get addressed in this patch cycle, as it was discovered too late to make it into this release. It is also less severe as it depends on a second vulnerability for delivery on the targeted machine. In the wild, exploits have been delivered through a PDF document abusing an older vulnerability in Adobe Reader,” he notes.

“If you have a vulnerable configuration, we recommend you implement the work-around specified in security advisory KB2914486 and turn off the NDPROXY component. Side-effects should be minimal and limited to the telephony and modem interfaces which should not be in use in most environments.”

The vulnerability only affects Windows XP and since Microsoft needs so much time to address it, some could believe that it’s actually a strategy to push users to a newer operating system version, as XP will officially go dark on April 8, 2014.

Chart shows that Windows XP is losing users on a regular basis, as many move to modern OSes

Kandek recommends users to start considering the migration to a newer version of Windows, as similar zero-day flaws in Windows XP are very likely to be found in the coming months. After April 8, 2014, Microsoft will no longer fix them, he pointed out.

“If you are impacted by these two 0-days, you are running older versions of Microsoft software and should evaluate whether it is worth maintaining that strategy. In particular, Windows XP and Office 2003 are on their way out and will be discontinued in April 2014. Their security situation will then become very quickly unmaintainable as Microsoft will cease to publish updates.”


mogs RE: Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle
Expert Contributor 13th Dec, 2013 18:24
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 13th Dec, 2013 18:24
Microsoft releases certificate spoof fix for Windows XP, Server 2003

Summary: The company initially released protection against improper certificates issued by the French government certificate authority without support for XP and Server 2003, but have now come through.
By Larry Seltzer for Zero Day | December 12, 2013 -- 22:53 GMT

On Monday of this week Microsoft announced measures taken to respond to the creation of an improper intermediate certificate authority (CA) by the CA for the government of France, and the use of that intermediate CA to sign fake certificates for domains in the and other domains for which they had no authority.

Initially, Microsoft released countermeasures to protect users against any potential effects of these certificates — although none have been reported and the problem seems to have been contained — but they only released that protection for devices running supported editions of Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Phone 8 — not for Windows XP or Windows Server 2003. All support for Windows XP will end after Patch Tuesday this coming April, 2014. Support for Windows Server 2003 will extend into 2015.

Tonight, Microsoft released separate certificate protection for Windows XP and Windows Server 2003 users. The protection may be installed from Microsoft Update or downloaded from the Microsoft Download Center.

In their advisory on the issue Microsoft thanks Google's Adam Langley and the Google Chrome Security Team for bringing the incident to their attention and working with them on the response.

mogs RE: Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle
Expert Contributor 16th Dec, 2013 07:09
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
December 16th, 2013, 04:06 GMT · By Bogdan Popa
Microsoft Warns That Windows XP Won't Keep Pace with Attackers

We all know that Microsoft will officially end support for Windows XP on April 8, 2014, but that doesn't necessarily mean that Redmond is ready to stop all its campaigns to move users to newer software.

In fact, the company has launched a new warning for XP users as part of its security predictions for 2014, explaining that the aging platform won't keep pace with attackers after end of support comes.

“Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. This venerable platform, built last century, will not be able to keep pace with attackers, and more Windows XP-based systems will get compromised,” Tim Rains, Director Trustworthy Computing, said.

“The best way to stay ahead of attackers in 2014 and beyond is to migrate from Windows XP to a modern operating system that can provide increased and ongoing protections like Windows 7 or Windows 8, before April 2014.”

Windows XP is right now the second top OS in the world, with a market share of approximately 30 percent, but Microsoft hopes to reduce it to only 13 percent by April.



RE: Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle
This reply has been deleted
mogs RE: Windows XP Stays Vulnerable After December 2013 Patch Tuesday Cycle
Expert Contributor 19th Dec, 2013 20:36
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Windows XP: The state of third party security

Summary: If you're going to stick with XP when security updates from Microsoft are gone, your security software will become more crucial than ever. Which are best?

By Larry Seltzer for Zero Day | December 19, 2013 -- 15:05 GMT

Markus Selinger of independent test lab AV-Test has written a warning about the impending end of Windows XP security updates, summarizing their most recent test results for third party security suites for that operating system.

The useful parts of Selinger's analysis focus on the test data, part of which is embedded below. If users are going to stick with Windows XP past the support end date of April 8, 2014, then the quality of your security suite is crucial. Because there will certainly be new vulnerabilities in Windows XP that will remain unpatched, you'll need other protections to keep them away from your computer. A quality security suite can provide these.

Selinger notes that the free options for Windows XP security are not the very best ones. The best of the free solutions, AVG Anti-Virus Free Edition, came close to the top, but G Data, Avira, BitDefender and especially Kaspersky's subscription products did better.

The detection rates of protection packages when tested using Windows XP: The products' detection rates in the real-world test are particularly important because they reflect their ability to detect brand-new attackers (as shown in the test results from Sept/Oct 2013 using Windows XP)

Selinger criticizes Microsoft heavily for abandoning XP users, a position with which I must disagree. Microsoft has been supporting XP for 12 years, far longer than any other vendor supports any other software product, and the core of the OS simply can't be secured to the degree that newer versions can. His point about Windows 8 usage share being (according to only 9% compared to XP's 21% misses the point that Windows 8 is relatively new and its share is rising while XP's is dropping.

In fact, while you should secure your Windows XP system as best you can if you keep running it past April, you would be better off moving to a newer version of Windows, either Windows 7 or Windows 8.

See the comparison chart at :-
