Posts Tagged ‘security patches’
So long XP SP2, it was good to know you
Written by John P Mello Jr on July 20, 2010 – 3:36 pm
It was heralded as a game changer when it was released nearly six years ago, but now it’s being let out to pasture without a path back to the barn. It’s Windows XP Service Pack 2 and last week, Microsoft released the last security patches it’s ever going to release for that version of its operating system.
What made XP SP2 different from other maintenance releases from Microsoft was that it added new features to the operating system and wasn’t just an amalgam of all the fixes and patches that came before it. What’s more, many of those new features beefed up the security of the OS in a way that profoundly influenced the modus operandi of the Black Hat community.
Among the security features added to XP by SP2 were a local firewall that was on by default, a security-status dashboard and nascent moves at using Data Execution Prevention (DEP) to block attacks. DEP works like this: as Windows monitors programs running under its hood, if it sees an application engaging in malicious activity, it will shut it down.
Measures like those are why SP2 is given credit for forcing cyber bandits away from operating system and network-targeted attacks and toward desktop applications like Microsoft Office and Adobe Reader.
In its day, the SP2 firewall feature was a particular favorite of network administrators. It gave them the power to manage local firewalls. Prior to SP2, local firewalls had to be obtained from third-party vendors, and they were difficult to manage. That discouraged installation of the firewalls on local machines, which left them sitting ducks for malware once it breached an organization’s perimeter defenses.
Now that SP2 won’t be patched again no matter how severe the vulnerability uncovered, no matter what part of Windows may be involved, it is wise for SP2 shops to move to SP3, which Microsoft has pledged to support until at least April 2014. Should organizations start moving to SP3, it would be a major migration. It’s estimated that some 77 percent of organizations are still operating under XP and of those still using XP, 10 percent or more are using SP2.
It should be noted that Microsoft’s cutting its umbilical to SP2 affects not just a machine’s operating system but other components of the service pack as well, such as Windows Media Player and Outlook Express.
Top patches, data breaks of 2009
Written by John P Mello Jr on January 5, 2010 – 10:48 am
Microsoft set a dubious record in 2009. In the month of October, it released the most updates (13) to address the most vulnerabilities (34) in the history of the company.
Ironically, if all the updates released by the company during the year were ignored, a user would still have averted more than 70 percent of all attacks launched during the period–if he or she kept their Microsoft Word patches up to date through June 2006. That’s because, according to one researcher, 71 percent of all attacks in 2009 exploited a vulnerability in the company’s word processor that was patched three years ago. Another 13 percent of all attacks exploited a vulnerability in Microsoft Excel that was patched in March 2008.
Since one never knows what vulnerabilities will catch a cracker’s fancy, the wisest course of action is to install patches when they become available, but if you’ve fallen behind in that department, you may want to move the following patches to the top of your to-do list. According to security experts, they’re the most important ones released in 2009, although one was actually introduced in 2008.
One such patch fixes a flaw in the Active Template Library used to build ActiveX controls. ActiveX has long been a juicy target for malware writers because it can be used to automatically download malicious software. In this case, the vulnerability negates certain security patches previously released by Microsoft. This patch for Microsoft Visual Studio allows developers to produce programs with vulnerability-free code.
In 2009, information highwaymen boosted their efforts to compromise Adobe PDF files. Adobe has contributed to efforts to poison its products by acting slowly to address vulnerabilities in them. Last year, the company emulated Microsoft’s action by releasing a monster update aimed at 29 vulnerabilities. Implementing this patch now, though, will just be a stop-gap measure, as the most recent Acrobat exploit won’t be tackled until Adobe’s next update, expected to be released on January 12.


