Patch Tuesday is upon us once again, and with each monthly anniversary there's always a bullet point or two to highlight. If you've not seen the list of updates for February 2015, take a look through "What's Headed Your Way for Microsoft Patch Tuesday."
This month, one glaring situation needs to be exposed. MS15-011 is a remote code execution vulnerability that Microsoft has rated as critical. It affects all Windows versions from Server 2003 through Windows 8.1 and Windows Server 2012 R2. However, even though it does affect Windows Server 2003, Microsoft is not providing a fix for the flaw on that version.
The bulletin explains the reasoning this way:
The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.
This vulnerability requires that a user connect their computer to an untrusted network such as a Wi-Fi hotspot in a coffee shop; therefore, workstations that are connected to an untrusted network are most at risk from this vulnerability.
But before you get up in arms over this, consider that Windows Server 2003 reaches end of life on July 14, 2015. Many companies are deeply embroiled in migrating away from the aged server version. Plus, a successful exploit requires connecting to an untrusted network, which many Windows Server 2003 administrators will never do.
So, while it seems like a strong stance, it's a logical one. Still, it is good to be aware of, if for no other reason than to be extra careful with those Windows Servers until the migration is complete.