Although some had hoped that Microsoft would reverse its own patching policy, the company has stuck to its guns and declined to provide a fix for a critical bug to users running Windows XP Service Pack 2 (SP2).
On Monday, Microsoft shipped an emergency patch for the Windows shortcut bug that attackers have been exploiting for several weeks. The vulnerability affects all versions from Windows 2000 on, including XP, Vista and Windows 7.
But, per Microsoft's practice, the oldest operating systems and service packs were denied the update.
"To be crystal clear, there is no security update for XP SP2," said Microsoft spokesman Christopher Budd in a webcast on the out-of-band patch.
Microsoft retired XP SP2, as well as the even older Windows 2000, from all support on July 13, when both editions exited the company's final five-year "extended support" phase. Products dropped from extended support no longer receive security patches or other non-security fixes from Microsoft via its Automatic Update service and business patch mechanisms like Windows Server Update Service (WSUS).
Nonetheless, a few security researchers had held out a little hope that Microsoft would issue a fix for the Windows shortcut vulnerability to machines running XP SP2.
"The only question I had was whether Microsoft would try and release a patch for unsupported operating systems," said Andrew Storms, director of security operations at nCircle Security. "There's a ton of people still running SP2, and it just went end-of-life."
Other researchers echoed Storms yesterday, including Jason Miller, data and security team manager for patch management vendor Shavlik Technologies, who said he had looked carefully for any sign that Microsoft was pushing a fix to Windows XP SP2 or Windows 2000. There wasn't.
Because users running Windows XP SP2 will never be offered an update for the shortcut bug - or for any other future vulnerabilities for that matter - Microsoft has been urging customers to upgrade to XP SP3 or a newer version such as Windows 7.
Failing that, users who decide to stick with XP SP2 have several options, including doing nothing, implementing the shortcut-disabling workaround that Microsoft first recommended, or installing Sophos' free tool that blocks malicious shortcuts from executing attack code.
The Sophos tool works on Windows XP SP2, but not on Windows 2000.
Comments
Mike J said: More likely they simply aren't technical people; they don't realise that they have to update. That is most of the problem: ignorance due to laziness. You don't have to be an auto mechanic to know to check your engine's oil every now & then. If you own and use a computer you should work on increasing your knowledge continually, or else you deserve what you get.
jtt said: Anyone still on XP SP2 is just either lazy or not keeping up to date. More likely they simply aren't technical people; they don't realise that they have to update. They may have even had their computer set up by someone else who has set it not to automatically download and install updates, and they don't know what that little yellow notification means. I suspect that Microsoft will at some point bring out patches for Windows 2000 and XP SP2. They are likely to get too much flak if they don't. This vulnerability is as bad as it gets.
Andy said: It's not a problem at work now. As soon as our rather small IT department found that our XP machines didn't like to talk to the Windows 7 devices, they started installing Ubuntu. It had been planned for a while, but I didn't think it would happen. It's chaos at work, but I guess it will pass.
MalcolmF said: Dave, have you googled for the KB numbers of the failed updates? MS information is famously useless, but a search for a KB and problem should turn up somebody who has not only had the same problem but fixed it. Worked for me.
David said: Although I have SP3, automatic updates keeps downloading 4 updates for SP2, leaving a shield symbol in my notification area. I install these, but next time I boot up back comes the symbol. It is clearly not a vulnerability issue, but is annoying nevertheless. Has anyone else had this problem and, if so, have they been able to solve it?
Cyteck said: Anyone still on XP SP2 is just either lazy or not keeping up to date. It's NOT really much of a problem, as it only requires a download of SP3 & an installation of SP3, which tightens XP OS security further and will actually improve the computer's performance slightly too. Provided you have a legitimate version of XP installed, of course; otherwise SP3 won't install, as the service pack checks for a valid EULA. The install will fail if your copy doesn't have a valid EULA.
Peter said: Microsoft has given fair warning re SP2, so if people or companies come unstuck because of not moving to SP3, on their heads be it.