Although some had hoped that Microsoft would reverse its own patching policy, the company has stuck to its guns and declined to provide a fix for a critical bug to users running Windows XP Service Pack 2 (SP2).
On Monday, Microsoft shipped an emergency patch for the Windows shortcut bug that attackers have been exploiting for several weeks. The vulnerability affects all versions from Windows 2000 on, including XP, Vista and Windows 7.
But, per Microsoft's practice, the oldest operating systems and service packs were denied the update.
"To be crystal clear, there is no security update for XP SP2," said Microsoft spokesman Christopher Budd in a webcast on the out-of-band patch.
Microsoft retired XP SP2, as well as the even older Windows 2000, from all support on July 13, when both editions exited the company's final five-year "extended support" phase. Products dropped from extended support no longer receive security patches or other non-security fixes from Microsoft via its Automatic Update service and business patch mechanisms like Windows Server Update Service (WSUS).
Nonetheless, a few security researchers had held out a little hope that Microsoft would issue a fix for the Windows shortcut vulnerability to machines running XP SP2.
"The only question I had was whether Microsoft would try and release a patch for unsupported operating systems," said Andrew Storms, director of security operations at nCircle Security. "There's a ton of people still running SP2, and it just went end-of-life."
Other researchers echoed Storms yesterday. Jason Miller, data and security team manager for patch management vendor Shavlik Technologies, said he had looked carefully for any sign that Microsoft was pushing a fix to Windows XP SP2 or Windows 2000. There wasn't.
Because users running Windows XP SP2 will never be offered an update for the shortcut bug - or for any other future vulnerabilities for that matter - Microsoft has been urging customers to upgrade to XP SP3 or a newer version such as Windows 7.
Failing that, users who decide to stick with XP SP2 have several options, including doing nothing, implementing the shortcut-disabling workaround that Microsoft first recommended, or installing Sophos' free tool that blocks malicious shortcuts from executing attack code.
The Sophos tool works on Windows XP SP2, but not on Windows 2000.