Microsoft patch reinforces the value of software upgrades

Newer systems are safer from attacks

The latest of Microsoft's monthly patches, released on Tuesday, has reinforced the need for organisations to move on from older versions of software to avoid attacks.

The Microsoft patch release for December addressed 24 vulnerabilities with 11 security bulletins. The bulletins covered Windows, Office, Internet Explorer, Visual Studio and SharePoint, among other pieces of Microsoft software. Five of the bulletins held a critical rating, stressing the need to apply the patches as soon as possible.

MS13-096, one of the patches, fixes a vulnerability (already being exploited by attackers) in the GDI+ library for parsing TIFF image files. It affects older Microsoft software including Vista and Office 2003, 2007 and 2010. It has already been recorded as being used in attacks in the Middle East and Asia.

Other problems addressed by this month's patches include malicious webpage attacks, script functionality and fake Authenticode algorithms.

Easy targets

Newer software, naturally, tends to be less vulnerable to these attacks than older software. Windows 8 has more security features than 7, and 7 more than Vista. "Even if you fully patched Windows XP you are running far more of a risk than with Windows 7," Qualys chief technology officer Wolfgang Kandek says.

Kandek notes as an example that there is a zero-day vulnerability in XP (not addressed in this month's patch) for which exploits have already been crafted. In this case, an infected PDF file sent to a user can, when opened, deposit code that grants an outside user administrative access.

Qualys estimates that 15% of businesses are still running Windows XP. Though its use is declining, it is doubtful that every company will have moved off the OS by April 2014, when Microsoft stops issuing security patches. "After April, all these machines will be very easy targets," stresses Kandek.

In 2013 Microsoft has covered 330 vulnerabilities with 106 bulletins.
