Out with the old, in with the April 2013 security updates
Windows XP was originally released on August 24, 2001. Since that time, high-speed Internet connections and wireless networking have gone from being a rarity to the norm, and Internet usage has grown from 360 million to almost two-and-a-half billion users. Thanks to programs like Skype, we now make video calls with regularity, and social media has grown from a curiosity to a part of our everyday lives. But through it all, Windows XP keeps chugging along. With its longevity and wide user base, Windows XP has served its customers faithfully over the years, but all good things must come to an end, and Windows XP is no exception.
In just 52 shorts weeks, support for the Windows XP will come to an end. I won’t go into the benefits of upgrading platforms here - you can read about these in Tim Rains’ blog "The Countdown Begins" - but I will highlight that this means there will be no more security updates for Windows XP after April 2014. Of course, Windows XP leaving support doesn’t mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed. We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system.
And since we are talking about going out with the old, let’s talk about what’s new today. We are releasing nine bulletins, two Critical-class and seven Important-class, addressing 14 vulnerabilities in Tools Microsoft Windows, Internet Explorer, Microsoft Antimalware Client, Office, and Server Software. For those who need to prioritize deployment, we recommend focusing on MS13-028 and MS13-029 first.
MS13-028 (Microsoft Internet Explorer)
This security update resolves two issues in Internet Explorer, both of which could allow remote code execution if a customer views a specially crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. Both of these issues were privately disclosed and we have not detected any attacks or customer impact.
MS13-029 (Windows Remote Desktop Client)
This security update resolves an issue in the Windows Remote Desktop Client ActiveX control. The vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This issue was privately reported and we have not detected any attacks or customer impact.
Please watch the bulletin overview video below for a quick summary of today’s releases.
As always, we urge you deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).
Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).
For more information about this month’s security updates, visit the Microsoft Security Bulletin summary webpage.
Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, April 9, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about the April security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
It’s been great strolling down memory lane, recalling a time when mobile phones where used for phone calls, but I look forward to hearing your questions during our future webcast via the "Internet."
Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing