Microsoft's Patch Tuesday to leave Windows Server 2003 unprotected

Windows Server 2003 to remain unpatched against major year-old flaw due to effort required to fix it

Microsoft's latest Patch Tuesday has fixed three vulnerabilities rated "critical" among a total of nine updates, including a major fix for a cross-site-scripting (XSS) vulnerability in Internet Explorer. However, a recently publicised XSS flaw in Windows will remain unpatched in Windows Server 2003 because of the level of work required to fix it, says Microsoft.

The patch for current versions of Windows, MS15-011, fixes flaws more than a year after they were reported privately to Microsoft by Jeff Schmidt, founder and CEO of JAS Global Advisors, who had been working for domain name organisation ICANN at the time. According to Schmidt, the fix required a major re-engineering of several components of the Windows operating system.

"The fix required Microsoft to re-engineer core components of the operating system and to add several new features. Careful attention to backwards compatibility and supported configurations was required, and Microsoft performed extensive regression testing to minimize the potential for unanticipated side effects. Additionally, documentation and other communication with IT systems administrators describing the changes were needed," according to Schmidt.

MS15-011, together with MS15-014, addresses network vulnerabilities that can be used to launch remote-code-execution attacks on domain networks. Most of the patches are intended to improve corporate PC and network security rather than that of home users.

"The MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product. MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines. These two updates are important improvements that will help safeguard your domain network," explains Microsoft in a blog posting.
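The two controls Microsoft describes above can be checked on a domain-joined client from PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes that the "Hardened UNC Paths" policy introduced by MS15-011 is stored under the `HardenedPaths` registry key named in the script, with one string value per UNC path in the form `RequireMutualAuthentication=1, RequireIntegrity=1`, and that the client-side SMB signing requirement is the `RequireSecuritySignature` value under the LanmanWorkstation parameters key.

```powershell
# Added audit example (not from the article or from Microsoft's own tooling).
# Assumptions: the MS15-011 "Hardened UNC Paths" policy lives under the
# HardenedPaths key below, one string value per UNC path using the form
# "RequireMutualAuthentication=1, RequireIntegrity=1"; client-side SMB signing
# is the RequireSecuritySignature DWORD under LanmanWorkstation\Parameters.

$hardenedKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$smbClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$requiredPaths = @('\\*\SYSVOL', '\\*\NETLOGON')   # shares read during a Group Policy refresh

function Test-HardenedPathValue {
    param([string]$ValueData)
    # Parse "Name=Value, Name=Value" into a hashtable and require both flags to be 1
    $settings = @{}
    foreach ($pair in ($ValueData -split ',')) {
        $parts = $pair.Trim() -split '=', 2
        if ($parts.Count -eq 2) { $settings[$parts[0].Trim()] = $parts[1].Trim() }
    }
    return (($settings['RequireMutualAuthentication'] -eq '1') -and
            ($settings['RequireIntegrity'] -eq '1'))
}

$findings = @()

# 1. UNC hardening (MS15-011): every policy share must demand mutual auth and integrity
if (Test-Path $hardenedKey) {
    $props = Get-ItemProperty -Path $hardenedKey
    foreach ($path in $requiredPaths) {
        $data = $props.$path
        if (-not $data) {
            $findings += "No hardened-path entry for $path"
        } elseif (-not (Test-HardenedPathValue $data)) {
            $findings += "Weak hardened-path entry for ${path}: '$data'"
        }
    }
} else {
    $findings += 'HardenedPaths policy key absent: UNC hardening is not configured'
}

# 2. Client-side SMB signing, the setting MS15-014 stops Group Policy from switching off
$sig = (Get-ItemProperty -Path $smbClientKey -ErrorAction SilentlyContinue).RequireSecuritySignature
if ($sig -ne 1) {
    $findings += "LanmanWorkstation RequireSecuritySignature is '$sig' (expected 1)"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: UNC hardening and client SMB signing are both enforced'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on a client that has the updates installed. It checks configuration only, not whether the updates themselves are present: on a host that lacks the MS15-011 code, setting the `HardenedPaths` key changes nothing, which is the same limitation the article describes for Windows Server 2003.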

However, this flaw will not be fixed in Windows Server 2003, which goes out of support this year. "The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003," argues Microsoft.

It continues: "To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system."

MS15-009 fixes the XSS and other flaws in IE - a total of 40 reported security flaws in Microsoft's web browser, including one that enables attackers to steal credentials from visitors to a compromised website. MS15-010, meanwhile, closes several vulnerabilities in Windows 7, Windows 8 and 8.1, and Windows Server 2008 R2.