Microsoft patches older versions of Windows again


By Dylan Bushell-Embling
Monday, 19 June, 2017


Microsoft has for the second time this month released security patches for discontinued operating systems including Windows XP, citing concerns about potential nation-state activity.

The company has released security updates for Windows XP, Windows Vista, Windows Server 2003 and Windows 8 along with a host of updates for still supported platforms.

The fixes address a list of 15 critical security vulnerabilities, comprising 14 with the potential for remote code execution and one involving illegitimate escalation of privilege.

The vulnerabilities include some that could be attacked with the exploits released by the Shadow Brokers earlier this year, which were exploited in the global WannaCry ransomware outbreak. Microsoft released patches for older operating systems in May to help plug these vulnerabilities.

In a blog post, Microsoft Security Response Center General Manager Eric Doerr said the company is taking the unprecedented step in order to “provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures”.

But he insisted that the releases should not be viewed as a departure from standard servicing policies such as the Windows support cycle.

“Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly,” he said.

“As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defence-in-depth innovations. Older systems, even if fully up to date, lack the latest security features and advancements.”

Separately, the US Office of Management and Budget has announced it has rescinded a number of obsolete IT requirements for US government agencies, including one that required agencies to prepare their readiness plans for the anticipated Y2K IT disruption that dominated headlines at the turn of the millennium.

Other directives include those made potentially obsolete by newer regulations, including a mandate for agency CIOs to directly review high-risk processes and outdated reporting requirements for the PortfolioStat IT spending dashboard used by agencies.
