Last month, at the height of the WannaCry ransomware outbreak, Microsoft made an unusual move: it released a patch for the obsolete and unsupported Windows XP to protect the apparent millions of users still running it.
How obsolete is XP? Well, Microsoft stopped supporting XP more than three years ago, in April 2014.
Now Microsoft has gone a step further. In a break from its normal policy, it has bundled security updates for unsupported systems such as Windows XP and Windows Vista into its regular monthly security release.
In a blog post, Adrienne Hall of Microsoft’s Cyber Defense Operations Center cites the elevated risk of cyber attacks by nation-state actors and copycat groups as the reason for this unprecedented change in update policy.
“To address this risk, today we are providing additional security updates along with our regular Update Tuesday service,” Hall wrote. “These security updates are being made available to all customers, including those using older versions of Windows.”
“Due to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,” she continued.
For people still running unsupported versions of Windows such as Windows XP or Windows Vista, the fixes are not pushed out through Windows Update: the patches that close the holes used by WannaCrypt (WanaCrypt0r 2.0) and similar attacks have to be downloaded from Microsoft’s Download Center or via the links in Microsoft’s security advisory.
Even while shipping patches for these outdated systems, Microsoft stressed that the best protection is a modern, up-to-date system. Older systems like XP and Vista, even when fully patched, lack the security features and exploit mitigations built into current versions of Windows.
Other critical security patches
In all, Microsoft’s June release fixes 96 vulnerabilities, 18 of them rated critical, including two zero-days that are already being exploited in the wild.
The first is a remote code execution vulnerability in how Windows handles .LNK shortcut files (CVE-2017-8464). It resembles the shortcut bug that Stuxnet exploited: a specially crafted shortcut runs attacker code when its icon is rendered, for example when a removable drive or network share containing the file is opened in Explorer.
The second is a remote code execution flaw in Windows Search (CVE-2017-8543). The bug lives in the Search service itself rather than in SMB, but an attacker can reach it over the network by sending crafted messages to the Search service via SMB, the Windows file and folder sharing protocol. That network exposure is the same one WannaCry exploited, which is why Microsoft’s long-standing advice to disable SMBv1 where it is not needed applies here too.
If you’re running a supported version of Windows (Windows 7, Windows 8.1 or Windows 10) with Windows Update enabled, these fixes are installed automatically.
And as usual, Adobe has its own set of security patches for its products. (The Flash Player fixes for Internet Explorer 11 and Edge are delivered through Microsoft’s monthly updates as well.)
This month, Adobe issued fixes for 21 vulnerabilities, including nine remote code execution bugs for Flash.
The update brings the Flash Player built into Edge and Internet Explorer 11 up to this month’s release; Mac, Google Chrome and Linux users get the matching plug-in release. Compare the installed version with the one listed in Adobe’s Flash Player security bulletin for this month to confirm the update has actually landed.
How to update Windows
Most Windows machines download and install updates automatically by default. If you haven’t changed the automatic update settings, you should be fine.
But if you want to check, here’s how:
On Windows 10, click Start (the Windows logo), choose “Settings,” select “Update & Security,” and then, in the “Windows Update” section, click “Advanced Options.” (The “Windows Update” section also shows any updates currently being downloaded or applied.) Under “Advanced Options,” make sure the drop-down box is set to “Automatic.”
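For administrators who would rather verify the same things from a console than click through Settings, the following script is an added example (written for this article, not Microsoft’s own tooling) that runs read-only checks from an elevated PowerShell prompt on Windows 7 and later: whether Automatic Updates is set to install on its own, which updates are still pending, whether specific KBs are installed, whether SMBv1 and the Windows Search service are enabled, and which Flash Player ActiveX build Internet Explorer and Edge are using. The `$RequiredKBs` list is a placeholder you fill in from Microsoft’s advisory for the month; the Flash OCX path is assumed to be the standard location of the IE/Edge ActiveX control; the pending-update query contacts Windows Update or your WSUS server.

```powershell
# Added example: read-only patch-state check for a Windows machine.
# Run from an elevated PowerShell prompt. Nothing here changes settings.

# Placeholder: fill in the KB numbers from Microsoft's advisory for the month.
$RequiredKBs = @()

# 1. Automatic Updates setting (Microsoft.Update.AutoUpdate is a built-in COM object).
#    NotificationLevel 4 = "Automatic (scheduled install)".
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Notify before install'; 4 = 'Automatic (scheduled install)' }
$au  = New-Object -ComObject Microsoft.Update.AutoUpdate
$lvl = [int]$au.Settings.NotificationLevel
Write-Host ("Automatic Updates : {0} ({1})" -f $lvl, $levels[$lvl])
if ($lvl -ne 4) { Write-Warning 'Automatic Updates is not set to install updates automatically.' }

# 2. Updates that are downloadable but not yet installed (talks to Windows Update / WSUS).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
Write-Host ("Pending updates   : {0}" -f $pending.Count)
foreach ($u in $pending) { Write-Host ("  - {0}" -f $u.Title) }

# 3. Most recent entries in the update history (ResultCode 2 = succeeded).
$history = $searcher.QueryHistory(0, 5)
foreach ($h in $history) {
    $status = if ($h.ResultCode -eq 2) { 'OK ' } else { 'FAIL' }
    Write-Host ("  [{0}] {1:yyyy-MM-dd}  {2}" -f $status, $h.Date, $h.Title)
}

# 4. Are the KBs we care about installed?  Get-HotFix reads the same data as
#    "Installed Updates" in Control Panel.
$installed = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) { Write-Host ("Installed         : {0}" -f $kb) }
    else                          { Write-Warning ("Missing           : {0}" -f $kb) }
}

# 5. SMBv1 server state. Windows 8/2012+ expose Get-SmbServerConfiguration;
#    on Windows 7/2008 R2 the SMB1 value under LanmanServer\Parameters decides
#    (an absent value means SMBv1 is enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
}
Write-Host ("SMBv1 server      : {0}" -f $(if ($smb1) { 'ENABLED' } else { 'disabled' }))
if ($smb1) { Write-Warning 'SMBv1 is enabled; disable it unless a legacy client still needs it.' }

# 6. Windows Search service (the service behind CVE-2017-8543).
$ws = Get-Service -Name WSearch -ErrorAction SilentlyContinue
if ($ws) { Write-Host ("Windows Search    : {0} (start type {1})" -f $ws.Status, $ws.StartType) }
else     { Write-Host 'Windows Search    : not present' }

# 7. Flash Player ActiveX build used by IE11/Edge (assumed standard path).
$ocx = Get-ChildItem "$env:SystemRoot\System32\Macromed\Flash\Flash*.ocx" -ErrorAction SilentlyContinue |
       Select-Object -First 1
if ($ocx) { Write-Host ("Flash ActiveX     : {0} ({1})" -f $ocx.VersionInfo.ProductVersion, $ocx.Name) }
else      { Write-Host 'Flash ActiveX     : not installed' }
```

Compare the Flash version it prints with the one in Adobe’s bulletin and the KB results with Microsoft’s advisory; if SMBv1 shows as enabled on a machine that has no legacy clients to serve, turning it off removes the network path that WannaCry and the Windows Search zero-day both rely on.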