Patch Tuesday bids au revoir to Windows Server 2003

Microsoft issues 14 bulletins for Internet Explorer, Microsoft Office and Windows, including the last for Windows Server 2003.

Microsoft delivered a 14 fixes labeled critical or important to seal vulnerabilities in the desktop and server versions of Windows, Internet Explorer and Office. But the asterisk to these releases is that they are the last that will be offered for Windows Server 2003.

July 14 was the last day Microsoft made technical support available for the venerable operating system. This means all IT shops running any of the estimated 10 million active servers must buy new and expensive contracts for technical support from Microsoft or face increased risks from a formidable legion of hackers.

Nine of the 14 patches released this month apply to Windows Server 2003, including two of the four critical patches.

Some observers believe the end of technical support could see an increase in attacks on Windows Server 2003.

"This [end of technical support] may make attackers look even more strongly at Server 2003 with no patches being available," said Wolfgang Kandek, CTO of Qualys, Inc. "It is a bad idea to continue running [Windows Server 2003] unless it is run under very controlled circumstances."

As a cautionary tale, Kandek points out when Microsoft stopped technical support of Windows XP earlier this year, within two months a significant vulnerability popped up that affected the aging desktop operating system.

But perhaps the most significant vulnerabilities to affect Windows this month are three that Microsoft doesn't have any direct responsibility for, have to do with Adobe's Flash Player. Kandek said it is these three critical vulnerabilities that are the top priority for his company. The vulnerabilities permit an attacker to remotely take control of an infected system.

"More than 90% of all Windows machines have Adobe Flash installed," Kandek said. "Microsoft will patch Flash for you if you are a user of Internet Explorer versions 10 or 11. So they have acknowledged it is an important piece of software, but it is a piece of third party software so they can’t get too directly involved."

With this patch, Adobe addressed two of the three vulnerabilities and one it addressed last week.

Of those critical updates Microsoft is directly responsible for, topping the list are vulnerabilities affecting Internet Explorer (IE), 29 in all, the most severe of which allows remote code execution if users view a specially crafted Web page using the browser, according to the company.

Tayla Holman is the assistant site editor for and can be reached at [email protected] Ed Scannell is a senior executive editor at TechTarget. He can be reached at [email protected]  

Dig Deeper on Legacy operating systems