
Patch Tuesday Update Leaves Windows Vista Users High And Dry

Tom Jowitt is a leading British tech freelancer and long-standing contributor to TechWeek Europe

Windows Vista is now officially dead, as Microsoft leaves users of the old operating system with no clear upgrade path

The April edition of Microsoft’s Patch Tuesday security update is notable for one glaring reason: the end of the line for Windows Vista.

Microsoft officially ended support for Vista, an operating system first launched back in 2007, on Tuesday 11 April.

Redmond has, however, used this month’s security update to provide fixes for a range of products including Internet Explorer, Microsoft Edge and Windows, as well as Office, Silverlight and even Adobe Flash Player.


Light Month

Chris Goettl, product manager with Ivanti, noted that Microsoft’s April Patch Tuesday release is only about a third the size of March’s.

A total of 46 unique vulnerabilities (CVEs) are resolved, three of which were publicly disclosed before the release (CVE-2017-0210, CVE-2017-0199, CVE-2017-0203) and two of which are zero-days that have been exploited in the wild (CVE-2017-0210, CVE-2017-0199).

“While the number of CVEs is down, there are a lot of interesting changes that have caused anyone trying to research what has just released to have to learn how to run all over again,” said Goettl. “Microsoft has finally done away with the bulletin pages. You must now use the Security Update Guide, which provides a number of nice filtering options, but you lose a bit of the organisation.

“For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”

System admins are advised to pay special attention to the two zero-days resolved this month. One affects Microsoft Word (CVE-2017-0199); the other (CVE-2017-0210) is an elevation of privilege vulnerability in Internet Explorer, which an attacker could exploit by convincing a user to visit a compromised web site.

Vista Terminated

“Finally, the big news this Patch Tuesday is not what is getting patched but what is not getting patched,” commented Karl Sigler, Threat Intelligence Manager at Trustwave.

“Today marks the big goodbye to Windows Vista,” he explained. “Vista was never a popular Windows platform; in fact, according to Net Market Share, there are still more legacy Windows XP systems in use than there are Vista systems. Hopefully, however, where these systems are being used there is a plan for an upgrade. In this day and age there are few things more dangerous on the Internet than running an abandoned, unpatched operating system.”

This point was echoed by Greg Wiseman, Rapid7’s Senior Security Researcher. “Administrators should be aware that after today, Windows Vista will no longer be supported,” he said. “Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day Internet Information Services (IIS) exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.”

Unfortunately for Vista users, Microsoft’s decision to end support has left them with an uncertain future, because there is no direct upgrade path from Vista to Windows 10, Microsoft’s latest operating system.

Effectively, a Vista user wanting to upgrade in place would have to pay twice: once to move to Windows 7 or Windows 8, and again to move from there to Windows 10.
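The warnings from Sigler and Wiseman above are easier to act on with an inventory check that finds abandoned operating systems before attackers do. The following is an added example, not code from the article or from any of the vendors quoted: it classifies hosts from a constructed inventory shaped like Active Directory’s OperatingSystem and OperatingSystemVersion attributes (the host names are invented), and it handles the case the kernel version alone gets wrong, since Vista and Windows Server 2008 both report NT 6.0 and XP x64 reports 5.2 like Server 2003. The end-of-support dates are Microsoft’s published extended-support end dates.

```python
"""Flag Windows hosts whose operating system no longer receives security fixes.

Added example (not part of the original article).  The inventory below is
constructed to look like Active Directory's OperatingSystem and
OperatingSystemVersion attributes; host names are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Microsoft's published extended-support end dates, keyed by a product-name
# fragment.  Matching on the name rather than the NT version matters because
# the version is ambiguous: Vista and Server 2008 are both 6.0, and XP x64
# reports 5.2 just like Server 2003.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Vista": date(2017, 4, 11),
    "Windows Server 2008": date(2020, 1, 14),   # covers 2008 and 2008 R2
    "Windows 7": date(2020, 1, 14),
}

# NT (major, minor) versions each product legitimately reports; used to catch
# inventory records whose name and version disagree.
KERNEL = {
    "Windows XP": {(5, 1), (5, 2)},
    "Windows Server 2003": {(5, 2)},
    "Windows Vista": {(6, 0)},
    "Windows Server 2008": {(6, 0), (6, 1)},
    "Windows 7": {(6, 1)},
}


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str      # AD OperatingSystem, e.g. "Windows Vista Business"
    os_version: str   # AD OperatingSystemVersion, e.g. "6.0 (6002)"


def parse_version(text: str | None) -> tuple[int, int, int | None] | None:
    """Parse "6.0 (6002)" into (6, 0, 6002); build is optional."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\s*\((\d+)\))?", text or "")
    if not m:
        return None
    build = int(m.group(3)) if m.group(3) else None
    return int(m.group(1)), int(m.group(2)), build


def classify(host: Host, today: date) -> str:
    """Return 'unsupported', 'supported', 'mismatch' or 'unknown'.

    'unknown' means the product is not in the policy table and needs a human
    decision; it is deliberately not reported as 'supported'.
    """
    product = next((p for p in END_OF_SUPPORT if p in host.os_name), None)
    if product is None:
        return "unknown"
    version = parse_version(host.os_version)
    if version is None or version[:2] not in KERNEL[product]:
        return "mismatch"
    # The end date is the last day fixes ship, so support lapses the day after.
    return "unsupported" if today > END_OF_SUPPORT[product] else "supported"


def report(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Group host names by classification, sorted for stable output."""
    out: dict[str, list[str]] = {k: [] for k in ("unsupported", "mismatch", "unknown", "supported")}
    for h in hosts:
        out[classify(h, today)].append(h.name)
    return {k: sorted(v) for k, v in out.items()}


# Constructed inventory (invented host names).
INVENTORY = [
    Host("WS-FIN-01", "Windows Vista Business", "6.0 (6002)"),
    Host("SRV-FILE-02", "Windows Server 2008 Standard", "6.0 (6002)"),  # same kernel as Vista, still supported
    Host("KIOSK-07", "Windows XP Professional", "5.1 (2600)"),
    Host("SRV-WEB-03", "Windows Server 2003 R2 Standard", "5.2 (3790)"),
    Host("WS-ENG-11", "Windows 7 Enterprise", "6.1 (7601)"),
    Host("WS-ENG-12", "Windows 10 Enterprise", "10.0 (14393)"),          # not in the table -> unknown
    Host("WS-LAB-04", "Windows Vista Ultimate", "6.1 (7601)"),          # name and version disagree
]

if __name__ == "__main__":
    for status, names in report(INVENTORY, date(2017, 4, 12)).items():
        print(f"{status:12s} {', '.join(names) or '-'}")
```

Run it the day after the April Patch Tuesday (12 April 2017) and the Vista workstation joins the XP kiosk and the Server 2003 box in the unsupported list, while the Server 2008 host on the same 6.0 kernel stays supported; the Windows 10 machine is reported as unknown rather than silently passed, and the host whose name and version disagree is called out for a closer look. Against a real domain, the `Host` records come from `Get-ADComputer -Properties OperatingSystem,OperatingSystemVersion` (an assumption about the reader's environment, not something the article describes).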
