Microsoft fixes security flaws in retired OS versions

Microsoft says it is releasing updates for Windows XP, Windows Vista, and all other more recent unsupported and supported versions of Windows due to an “elevated risk” of attacks that are similar to the WannaCry malware.

Previously, Microsoft released a special out-of-band security update for XP and Server 2003 in May this year, after the WannaCry ransomware outbreak, patching XP and Server 2003 against exploitation via the ETERNALBLUE SMB exploit.

“In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations,” says Adrienne Hall, general manager of crisis management at Microsoft. However, the hacker group TheShadowBrokers last month vowed to release monthly dumps, including new Windows exploits that were stolen from a hacking team within the US National Security Agency (NSA).

Some of the updates are new while others are for older platforms that would usually be restricted to customers on paid-for custom support agreements, but are being made publicly available. Those exploits are code-named “EsteemAudit”, “ExplodingCan”, and “EnglishmanDentist”.

Microsoft has provided guidance for users on these older systems here, which includes the relevant bulletin, KB article reference, and an indication of whether the version of Windows is affected.

These XP patches have been included with Microsoft’s June 2017 Patch Tuesday, which the company released a few hours ago. These patches must be installed manually.

Since then, Windows Phone 8.1 has not received any updates, and Microsoft never pushed the Windows 10 Mobile update to all eligible Windows Phone 8.1 handsets. “Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly.”