Microsoft has released fixes for 31 bugs in its latest Patch Tuesday, including critical vulnerabilities in Internet Explorer, Windows and Forefront Protection for Exchange, as well as two last-minute patches for Internet Explorer and VBScript.
The monthly security update contains seven patches in total. Four were rated “critical” and address remote code execution flaws in Windows, Internet Explorer versions 6 to 11, VBScript and the company's Forefront security software.
The remaining three ‘non-critical’ patches plug gaps in Windows and .NET Framework.
Two of the critical patches - those addressing issues in IE and VBScript - were added after Microsoft's Patch Tuesday preview, released last week.
But because the fixes affect all versions of Windows, from XP to 8.1, they have reignited the controversy over the safety of Windows XP once Microsoft stops supporting it in April.
Security expert Paul Ducklin, a senior security advisor at Sophos, said patches to other Microsoft products after April could effectively ‘signpost’ potential XP weaknesses to hackers.
“If Windows 7 and 8 have security holes that can be traced back to bugs originally in the XP source code, then reverse engineering Windows 7 or 8 patches might give a fantastic hint to crooks - a sort of ‘exploit beacon’ - on where to look for exploitable holes in XP, holes the crooks know will never be fixed,” he said.
“As Microsoft itself has put it, any hole patched in Windows 7 that matches a hole in XP will pretty much be a zero day in XP for ever. From that time on, it's all downhill from an XP security perspective.”
Ducklin also welcomed the fact that Microsoft changed its plans just 24 hours before the patches were released.
“It's good news that Microsoft was able to get those extra two bulletins out this month. Otherwise a bunch of critical holes would have remained unpatched until next month,” he said.
“In the ‘old days’, Microsoft would probably just have held over those extra two bulletins instead of sneaking them in at the last minute. The fact that Redmond bothered to keep plugging away at the patches - presumably doing some final testing right until the day before Patch Tuesday - isn't a sign that the company is getting slacker at patching but rather the opposite.”
Ducklin said the industry needed an “ever-increasing urgency to fight back against the crooks by working to ever more aggressive patching deadlines.”
He pointed to Target's recent payment card breach, where crooks stole 40 million records in less than a month, as a sign that companies needed to keep up with quickly-moving cyber criminals.
“As always, don't delay,” he said. “The days of months or weeks of change committee meetings to weigh up patches are over.”