Patch Tuesday Update Leaves Windows Vista Users High And Dry

The April edition of Microsoft’s Patch Tuesday security update is notable for one glaring reason: the end of the line for Windows Vista.

Microsoft officially ended support for Vista on Tuesday 11 April. The operating system was first launched way back in 2007.

Redmond has, however, used this month’s security update to provide fixes for a range of products including Internet Explorer, Microsoft Edge and Windows, as well as Office, Silverlight and even Adobe Flash Player.

Light Month

Chris Goettl, product manager with Ivanti, noted that the April Patch Tuesday release from Microsoft is only about a third of the size of March’s.

A total of 46 unique vulnerabilities (CVEs) are being resolved, three of which have been publicly disclosed (CVE-2017-0210, CVE-2017-0199, CVE-2017-0203) and two of which are zero days that have been exploited in the wild (CVE-2017-0210, CVE-2017-0199).

“While the number of CVEs is down, there are a lot of interesting changes that have caused anyone trying to research what has just released to have to learn how to run all over again,” said Goettl. “Microsoft has finally done away with the bulletin pages. You must now use the Security Update Guide, which provides a number of nice filtering options, but you lose a bit of the organisation.

“For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”

System admins are advised to pay special attention to the two zero days resolved this month. One is for Microsoft Word (CVE-2017-0199), whilst the other is an elevation of privilege vulnerability in Internet Explorer, which an attacker could exploit by convincing a user to visit a compromised web site.

Vista Terminated

“Finally, the big news this Patch Tuesday is not what is getting patched but what is not getting patched,” commented Karl Sigler, Threat Intelligence Manager at Trustwave.

“Today marks the big goodbye to Windows Vista,” he explained. “Vista was never a popular Windows platform, in fact according to Net Market Share there are still more legacy Windows XP systems in use than there are Vista systems. Hopefully however, where these systems are being used there is a plan for an upgrade. In this day and age there are few things more dangerous on the Internet than running an abandoned, unpatched operating system.”

This point was echoed by Greg Wiseman, Rapid7’s Senior Security Researcher. “Administrators should be aware that after today, Windows Vista will no longer be supported,” he said. “Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day Internet Information Services (IIS) exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.”

Unfortunately for Vista users, Microsoft’s decision to end support for the operating system has left them with an uncertain future. This is because there is no clear way for a Vista user to upgrade to Windows 10, Microsoft’s latest operating system.

Effectively, a Vista user would have to pay to upgrade twice, once to Windows 7 or Windows 8, and then pay again to upgrade to Windows 10.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
