Microsoft is ending support for Windows XP Service Pack 2 today.
For many businesses, this means one thing — if you are still using the nearly 6-year-old version of the operating system, it is time to upgrade.
Not just because Microsoft says so, and not just because organizations still using Windows XP SP2 are not getting the advantage of the security mechanisms added in Windows Vista and Windows 7. There is also another reason: Any bugs left over in SP2 will be left open forever.
HD Moore, creator of the Metasploit Framework and now chief security officer of Rapid7, knows this well.
“I was disappointed to see that a number of privately reported flaws were not patched in this final update to Windows XP SP2,” Moore said. “This effectively leaves XP SP2 unprotected against a number of serious vulnerabilities that will be fixed for SP3 later this year. One of these is an issue I reported to Microsoft in December of 2006, which has a serious impact on most rich-text aware applications.”
While Moore said he is under an NDA (nondisclosure agreement) and cannot talk about the specifics of the bug, he added that he is also aware of a number of flaws reported by friends and associates in XP SP2 that were ignored in the July 13 Patch Tuesday update.
“The problem is that any flaws patched in Windows XP SP3 can now be turned into exploits that work as ‘skeleton keys’ against Windows XP SP2,” he said. “Since Windows XP SP2 was mass-distributed on physical media as part of a huge security push, I expect to continue seeing [SP2] on corporate networks for years to come.”
Admins should take advantage of the relative lightness of this month’s Patch Tuesday to begin upgrading machines to a supported operating system or service pack level, advised Jason Miller, data and security team manager at Shavlik Technologies. Microsoft ended support today for Windows 2000 as well.
“Microsoft will not be supplying new security Bulletins for these operating systems going forward,” Miller said. “It is important for administrators to use this light patch month to identify these systems on their network and upgrade the machines … Unlike patching, deploying new operating systems or service packs can be quite an undertaking as it requires plenty of time and effort.”