Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.
Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines. Microsoft released an interim “FixIt” tool last month to help users blunt the threat from this flaw, and users who applied that fix still should install this patch (and no, you don’t need to undo the FixIt setting first). Update 5:50 p.m. ET: I stand corrected on this — it looks like Microsoft won’t offer the patch for this flaw if you’ve already used the FixIt tool.
The one vulnerability addressed in July’s roundup that didn’t earn a critical rating — an “important” flaw in the way Microsoft Outlook handles attachments — probably should have, at least according to security vendor Symantec Corp.
“It appears fairly simple for an attacker to figure out and create an exploit for, which could cause executable file e-mail attachments, such as malware, to slip past Outlook’s list of unsafe file types,” wrote Joshua Talbot, security intelligence manager for Symantec Security Response, in a post on the company’s blog. “A user would still have to double-click on the attachment to open it, but if they do the file would run without any warning.”
If you are on Windows XP and have been putting off upgrading from Service Pack 2 to Service Pack 3, you will need to stop procrastinating this month to continue receiving security updates for Windows XP after today’s batch. Bear in mind that if you’ve held out this long, you may find that upgrading to Service Pack 3 takes a bit longer than you’d expect.
That’s because SP3 was released more than two years ago, and Microsoft has released hundreds of updates since then. As a result, if you’re upgrading to SP3, you should expect to have dozens of additional patches to install after the initial upgrade is complete, in order to bring your system up to date with the latest security fixes (yes, even if you had already installed these updates and otherwise kept up to date under SP2).
Anyone still using Windows 2000 should take note of this important change: After today, Microsoft will no longer be shipping security updates or any other updates for Windows 2000 machines.
Updates are available through Microsoft Update or via Automatic Update. Microsoft has more details on these patches at the Microsoft Security Response Center blog.
Thank you, Brian.
You’ll need to undo last month’s “FixIt” – if you want to or need to (Microsoft did say the FixIt breaks some things) – because this month’s patch does not undo it for you.
The FixIt and UndoFixit are no longer available at the original link
It should would be nice to see a date of blog post up at the top instead of down at the bottom in a faded font. Have you ever googled for a solution to discover you have been wasting your time reading a post that is 5 years old?
Otherwise, I follow your great blog!
Nogero — The date of every post is listed prominently at the top of each post, when you’re viewing them on the home page. When you’re viewing the post with the comments showing at the bottom, the date is indeed moved to just above the comments. I haven’t spent too much time investigating whether and/or how to change that, but the information is there.
Nogero: Why aren’t you using the date limitation feature of Google’s Advanced Search?
One nit. If you are running XP SP2 for x64 machines (64-bit OS), there is no SP3, and the EOL date has not been announced.
http://support.microsoft.com/lifecycle/?C2=1173
Updated two pc’s to sp3. Very time consuming. Had 55 WU patches after applying sp3 to one pc and on the other pc, I tried to install sp3 twice, it stalled both times and had to wait for it to undo itself back to sp2. Finally got it installed via safe mode. That pc only had 5 WU patches post sp3. Wonder if safe mode had anything to do with that.
I only downloaded & installed the Enable Fixit & later just allowed the latest Windows updates to XP Home. I found that neither the Enable nor Disable Fixits are available on the original link (kb/2219475).
from – http://social.answers.microsoft.com/Forums/
“Long story, short version: The KB2219475 update released yesterday is Fix It #50459. If Windows Update doesn’t offer KB2219475 to your computer, it doesn’t need it (i.e., because you ran the Fix It earlier).”
Rob: A link to the home page of the MS forums is not helpful. You needed to post the full link. I’ve tried both Google and Bing, and cannot find the entry you quoted. The word “social” in their web site name scares me; without being able to read the original post so I can judge it, your info here is just heresay or rumor to me, some random person’s wild guess, but not trustworthy.
All I can say is: on my own XPP-SP3 system, the update was offered and installed, and both before the offer, and after the installation, the HCP protocol was not present in my Registry.
Don’t be afraid – “social” is just part of the Forum’s address. The full address is:
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/b73edfcb-f7d1-429c-8d16-9c6d73d73a54
Yep. And I updated this post earlier with a link to that same forum post.
My Windows XP setup includes having the “Help and Support” service disabled (practice of disabling unneeded services to reduce the attack surface of the system), which actually provided somewhat of a mitigating step against the exploit before the patch.
I never did run the FixIt tool, rather I manually did what the tool does and backed up the registry key (HKEY_CLASSES_ROOT\HCP) before deleting it. Because of that, I was offered the patch on Microsoft Update, which installed without needing a reboot because the aforementioned service was disabled. A win-win! 🙂
The patch actually just installs a new version of the file “Helpsvc.exe” and doesn’t restore the registry key deleted via the FixIt tool. That’s why if you want the Help and Support functionality fully restored, you need to restore the registry key. Since I don’t need the functionality, I’m leaving it deleted.
The FixIt tools and file information on the patch can be found here:
http://support.microsoft.com/kb/2229593
Awesome! I got one “Dislike” already! I absolutely love this rating system. It sure would be a very interesting case study in psychology why people choose Like or Dislike! haha 😉
Thanks for the links, Brian, JVB, and xAdmin.
So xAdmin’s and my experiences are similar (the Registry change from the Fixit was not replaced). For completeness, I’ll add my experience is not identical to xAdmin: I don’t have the “Help and Support” service disabled.
But it’s beginning to seem like the MS Forum information quoted by JVB and referenced by Brian is wrong – at least, part of the time, anyway.
For what it is worth: I downloaded both FixIt files and ran Fixit50459.msi to disable the protocol. I read somewhere that I would NOT need to run Fixit50460.msi to re-enable the protocol before I ran Microsoft Update, so I didn’t.
However, when I ran Microsoft Update, if I recall correctly, it offered the Help Center patch and I chose to install it. Now Belarc Advisor lists KB2229593 as installed on my computer on 07/14/2010. I have not examined the Registry or attempted (yet) to use the Help Center. It is not very useful, so I’ve always thought of it as the Helpknot Center.
I know when reinstalling XP, the online updater works better than my SP3 disc. After a full update their(my client’s) PC works better than ever!
If I would follow all the instructions on the Microsoft site to prepare for the update CD, I’d have a lot of time involved. It takes just as long to download the SP3 online and install it as it does to throw the CD in their and do it that way. It is unbelievable how slow service pack CDs are for XP!
It appears from watching the process when using online MS update, that MS has put a lot of really good batch processes into the update when skipping over SP1 & SP2. It works 100% better than it did just 9 months ago!