Security Watch

End of XP As We Know It

Plus: Microsoft cozies up to Russia, China on security; virtualization's security shortcomings.

Patch Tuesday, July 13, 2010 is the day of reckoning for Windows XP Service Pack 2. That's right -- no more security patches for that version of the Windows OS. What's included among the four security patches is a fix for what will be the last XP SP2 patch ever. This is significant because all the relevant applications -- Internet Explorer, Office, Windows Media Player etc. -- on this OS will cease to be patched as well.

IT administrators running in an XP environment and XP users must either find stopgaps or update to XP SP3 completely. Or even Windows 7, as most security experts advocate bunny-hopping Vista, due to its less than stellar security application.

Redmond's XP SP3 Migration Guide
Microsoft is providing details here on how to upgrade to XP and Windows 7. There's one exception in the upgrade: Because there is no XP SP3 iteration for the 64-bit version of the OS, users can continue to receive security updates if they're running XP SP2 of that particular edition.

The key question going forward will likely surround Internet Explorer, which during the first half of 2010, saw exploits spike. Mozilla, Google, Apple and Opera will continue shipping fixes for XP with Firefox, Chrome, Safari and Opera browsers sitting on them.

Microsoft in Bed with Russians
I've mentioned in this column that Microsoft has gotten cozy with the U.S. government, sharing information and collaborating on IT security. Microsoft is now furthering its collaboration aims globally with its Government Security Program.

Under that program Redmond is vibing with the Russian Federal Security Service, even giving that agency a look-see into its source code of Windows Server 2008 R2, Office 2010 and SQL Server. The software giant had already opened up source code secrets with the Russians in 2002 for XP, Windows 2000 and Windows Server 2000. This comes after Microsoft cut similar pacts with China in 2003, updating its source code sharing agreement this year as well.

Microsoft obviously is looking for some cooperation on investigating breaches, piracy and exploits that are frequent in these countries, so it will be interesting to see if such aims backfire, given the proliferation of knowledgeable hackers in those locales who are getting increased access to the software giant's architecture.

Access Controls Needed for Virtualization
Virtualization is said to offer a more nimble system. But with that also comes a more malleable and vulnerable operating environment, one security pro tells me.

The key here is going to be whether it's easier to hack a virtual system and commandeer administrative credentials, says Brian Anderson, CMO of IT security group BeyondTrust.

"The majority of virtualized servers are substantially less secure than their physical counterparts, but the cost benefits are so powerful, IT is forced to turn a blind eye to security shortcomings," Anderson said. "The results are that security processes, technologies and policies either don't apply, aren't effective, or just don't have visibility into the hypervisor layer."

Anderson point to the ease with which crooked IT administrators can easily circumvent monitoring tools, flout regulations, and access or copy sensitive data freely using the hypervisor to cloak their actions.

If data images are undetected in the hypervisor, they have unlimited, unmonitored access to millions of dollars worth of data.

That's not virtual bad news; that's actual bad news and definitely something that admins considering virtual environments or hybrid PC and virtual server environments should look into.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

  • Microsoft Nudging Out Classic SharePoint Blogs

    So-called "classic" blogs used by SharePoint Online subscribers are on their way toward "retirement," according to Dec. 4 Microsoft Message Center post.

  • Datacenters in Space: OrbitsEdge Partners with HPE

    A Florida-based startup is partnering with Hewlett Packard Enterprise in a deal that gives new meaning to the "edge" in edge computing.

  • Windows 10 Hyper-V vs. Windows Server Hyper-V: Which Platform for Which Workloads?

    The differences between these two Hyper-V versions are pretty significant, depending on what you plan to use them for. Here's a quick rundown of each platform, from their features to licensing quirks to intended use cases.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.