Microsoft hasn’t patched a security flaw in Windows XP

Dec 11, 2013 08:33 GMT

Microsoft released this month's Patch Tuesday updates this morning, fixing 24 vulnerabilities across its products, including Windows and Internet Explorer.

While the company did address the zero-day flaw in the way Windows handles TIFF files, it left a second zero-day unpatched: a Windows XP flaw that attackers are already exploiting to run malicious code, delivered through a specially crafted PDF document.

Wolfgang Kandek, CTO of Qualys, says in a statement that exploits are already circulating in the wild, and that all users should therefore update to the latest version of Adobe Reader as soon as possible, since the PDF used for delivery abuses an older Reader vulnerability.

“The second currently open 0-day vulnerability does not get addressed in this patch cycle, as it was discovered too late to make it into this release. It is also less severe as it depends on a second vulnerability for delivery on the targeted machine. In the wild, exploits have been delivered through a PDF document abusing an older vulnerability in Adobe Reader,” he notes.

“If you have a vulnerable configuration, we recommend you implement the workaround specified in security advisory KB2914486 and turn off the NDPROXY component. Side effects should be minimal and limited to the telephony and modem interfaces, which should not be in use in most environments.”
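The workaround the advisory describes is a registry change: the NDProxy service's ImagePath is rerouted from ndproxy.sys to null.sys, so the vulnerable driver is never loaded after the next restart. The script below is an added example written for this page, not Microsoft's Fix it tool or code from the article; it checks which state a machine is in and can apply or reverse the change. It assumes PowerShell 2.0 on the XP host, an administrator session, and that an unmodified install has ImagePath set to system32\drivers\ndproxy.sys (the backup value name ImagePath_Backup is this example's own choice).

```powershell
# Added example for checking and applying the NDProxy workaround from
# Microsoft Security Advisory 2914486 (not code from the article or Microsoft).
# Assumes PowerShell 2.0, an elevated session, and a stock XP registry layout.

$ndproxyKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
$nullDriver    = 'system32\drivers\null.sys'      # value the advisory workaround sets
$defaultDriver = 'system32\drivers\ndproxy.sys'   # assumed stock value on an unmodified install
$backupName    = 'ImagePath_Backup'               # hypothetical name chosen for this example

function Get-NdproxyState {
    # Reports whether the host still loads ndproxy.sys (vulnerable) or null.sys (mitigated).
    if (-not (Test-Path $ndproxyKey)) {
        return 'NDProxy service key not present'
    }
    $imagePath = (Get-ItemProperty -Path $ndproxyKey -Name ImagePath).ImagePath
    if ($imagePath -ieq $nullDriver) {
        return "Workaround applied (ImagePath = $imagePath)"
    }
    return "Vulnerable configuration (ImagePath = $imagePath)"
}

function Enable-NdproxyWorkaround {
    # Keep the current value so the change can be reversed once a real patch ships.
    $current = (Get-ItemProperty -Path $ndproxyKey -Name ImagePath).ImagePath
    Set-ItemProperty -Path $ndproxyKey -Name $backupName -Value $current -Type ExpandString
    Set-ItemProperty -Path $ndproxyKey -Name ImagePath -Value $nullDriver -Type ExpandString
    Write-Host 'NDProxy rerouted to null.sys; restart the machine for the change to take effect.'
}

function Disable-NdproxyWorkaround {
    # Restore the saved ImagePath (or the assumed default if no backup exists).
    $backup = Get-ItemProperty -Path $ndproxyKey -Name $backupName -ErrorAction SilentlyContinue
    if ($backup) {
        $restore = $backup.$backupName
    } else {
        $restore = $defaultDriver
    }
    Set-ItemProperty -Path $ndproxyKey -Name ImagePath -Value $restore -Type ExpandString
    Remove-ItemProperty -Path $ndproxyKey -Name $backupName -ErrorAction SilentlyContinue
    Write-Host "NDProxy ImagePath restored to $restore; restart to reload the driver."
}

# Report the current state; call Enable-NdproxyWorkaround to apply the mitigation.
Get-NdproxyState
```

On a machine without PowerShell, `reg query "HKLM\SYSTEM\CurrentControlSet\Services\NDProxy" /v ImagePath` performs the same check from cmd.exe. As Kandek notes, disabling NDProxy breaks the telephony and modem (TAPI/RAS) interfaces, so verify nothing depends on them before rolling this out, and remember that the change only takes effect after a restart.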

The vulnerability affects only Windows XP, and with no fix scheduled for this cycle, some may suspect the delay is a strategy to push users toward a newer Windows version, as XP support officially ends on April 8, 2014.

Chart shows that Windows XP is losing users on a regular basis, as many move to modern OSes

Kandek recommends that users start planning a migration to a newer version of Windows, as similar zero-day flaws in Windows XP are very likely to surface in the coming months. After April 8, 2014, he points out, Microsoft will no longer fix them.

“If you are impacted by these two 0-days, you are running older versions of Microsoft software and should evaluate whether it is worth maintaining that strategy. In particular, Windows XP and Office 2003 are on their way out and will be discontinued in April 2014. Their security situation will then become very quickly unmaintainable as Microsoft will cease to publish updates.”

Windows XP continues to be the second top choice worldwide