So this is it.
The big one.
We’ve had false starts before, but this time Microsoft really *are* going to tell the world about security vulnerabilities in Windows and *not* patch them in XP.
As soon as Microsoft releases its regular bundle of security patches on Tuesday at approximately 10:00 am PDT, the clock starts ticking.
That’s because malicious hackers and penetration testers will be exploring how they can reverse-engineer Microsoft’s fixes for more modern versions of Windows, to see whether the flaws those fixes address can be exploited on the no-longer-supported Windows XP.
And, trust me, although the numbers are falling, there are still plenty of home users and businesses running computers on Windows XP.
It may be that they are still running XP because they don’t have the cash to upgrade old computers to run the likes of Windows 7. It may be that the people who own those computers are simply in the dark about the final death of Windows XP.
Or maybe the companies running those XP PCs are reliant upon a critical application that was written an eternity ago for Windows XP but never got updated, and the vendor who originally sold it to them has either gone out of business or no longer has the source code.
And, to be fair, if those computers rarely access the internet (if at all) or are heavily locked-down, then maybe it’s okay that they’re still running Windows XP. Although, ideally, they would still be upgraded and running a properly supported and regularly patched operating system.
But the clock will start ticking as soon as Microsoft releases its patches, and I would not be surprised at all if we see some people either try to get themselves some media exposure by showing how clever they were to get one of Microsoft’s latest vulnerabilities to work on XP, or exploit them for their own financial ends.
Microsoft says that this month’s Patch Tuesday will address vulnerabilities in .NET Framework, SharePoint, Microsoft Office, Internet Explorer and Windows in the form of eight bulletins – two rated Critical and six rated Important in severity.
Chances are that some of the fixes Microsoft has planned for Internet Explorer relate to vulnerabilities discovered during March’s Pwn2Own contest.
You can get a few more details (Microsoft doesn’t say too much in advance of the release of the Patch Tuesday updates for obvious reasons) in its advance notice, and it’s certainly very odd reading that page without seeing the words “Windows XP” mentioned once.
Whichever version of Windows you are running, do the right thing. If you’re running most versions of Windows that means rolling out the security patches as quickly as possible. If you’re still running Windows XP, it means moving forward with your plan to switch from the operating system to something better at the earliest, safest opportunity.
Oh, and don’t forget. Security holes aren’t just the domain of Microsoft.
As Lumension’s Russ Ernst wrote a few days ago, Microsoft will be joined on Patch Tuesday by Adobe – which will be releasing highly critical security patches for Reader and Adobe Acrobat at the same time.
This article originally appeared on the Lumension blog.