Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.
Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines. Microsoft released an interim “FixIt” tool last month to help users blunt the threat from this flaw, and users who applied that fix still should install this patch (and no, you don’t need to undo the FixIt setting first).
Update 5:50 p.m. ET: I stand corrected on this — it looks like Microsoft won’t offer the patch for this flaw if you’ve already used the FixIt tool.
The one vulnerability addressed in July’s roundup that didn’t earn a critical rating — an “important” flaw in the way Microsoft Outlook handles attachments — probably should have, at least according to security vendor Symantec Corp.
“It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file e-mail attachments, such as malware, to slip past Outlook’s list of unsafe file types,” wrote Joshua Talbot, security intelligence manager for Symantec Security Response, in a post on the company’s blog. “A user would still have to double-click on the attachment to open it, but if they do the file would run without any warning.”
If you are on Windows XP and have been putting off upgrading from Service Pack 2 to Service Pack 3, you will need to stop procrastinating this month to continue receiving security updates for Windows XP after today’s batch. Bear in mind that if you’ve held out this long, you may find that upgrading to Service Pack 3 takes a bit longer than you’d expect.
That’s because SP3 was released more than two years ago, and Microsoft has released hundreds of updates since then. As a result, if you’re upgrading to SP3, you should expect to have dozens of additional patches to install after the initial upgrade is complete, in order to bring your system up to date with the latest security fixes (yes, even if you had already installed these updates and otherwise kept up to date under SP2).
Anyone still using Windows 2000 should take note of this important change: After today, Microsoft will no longer be shipping security updates or any other updates for Windows 2000 machines.
Updates are available through Microsoft Update or via Automatic Update. Microsoft has more details on these patches at the Microsoft Security Response Center blog.