One final patch for Windows XP Service Pack 2 before it reaches end-of-life

Last XP SP2 patch prevents remote code executions

A moment of silence, please, for Windows XP Service Pack 2. Today is the final day the software is eligible for security updates, and as Service Pack 2 rides off into the sunset Microsoft has given it one final patch that will prevent some zero-day attacks.  

The update closes a publicly disclosed vulnerability in Windows Help and Support Center, a feature of Windows XP and Windows Server 2003.  "This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message," Microsoft says.

The vulnerability was made public on June 10 and three exploits have been detected in the "wild," all using different attack mechanisms, according to Symantec. Of the five vulnerabilities being addressed by Microsoft in this month's Patch Tuesday, it's the only one that is known to have impacted customers, says Joshua Talbot, security intelligence manager for Symantec. If left unpatched, the vulnerability could allow attackers to "execute arbitrary code with anything an attacker wants to run on the system," be it a botnet, keystroke logger, or whatever, Talbot says.

"This vulnerability is a threat to people right now," he says.

The security bulletin - number MS10-042 - affects both Windows XP Service Pack 2 and Service Pack 3.

Today is the last day Service Pack 2, as well as the much older Windows 2000, are eligible for security updates. Going forward, customers will have to upgrade to Service Pack 3 or take other measures to protect their software.

Microsoft has warned customers that "Unsupported products or service packs pose a significant risk to your computer's security," but many people have been slow to upgrade.

The vendor Qualys says about 50% of all XP machines in its user base still run on Service Pack 2. Microsoft has not been effective enough in persuading customers to upgrade, according to Qualys CTO Wolfgang Kandek.

"I believe the level of awareness for the upcoming change was not high enough," Kandek says. "Unlike the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing. Existing users are still very satisfied with the SP2 iteration of Windows XP."

While the Help and Support Center flaw is being fixed in SP2, Kandek notes that in the future "Windows XP SP2 users will not receive these types of updates anymore and their systems will start to accumulate attackable vulnerabilities. Although we don't have any insight into attackers' preparations, I am expecting attackers to take advantage of the large pool of SP2 machines as soon as a suitable vulnerability appears."

Among the other vulnerabilities announced by Microsoft today, Talbot says another potentially dangerous one is MS10-045, which leaves the door open for remote code executions when users click on attachments. 

"If they can convince the user to double click the attached message the attacker will be able to run arbitrary code on the system without the user being notified," Talbot says. "We know how skillful attackers are at crafting these messages that trick users into clicking attachments. We think this will be exploited in the wild." 

Follow Jon Brodkin on Twitter.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.