Security Advisor
Microsoft Issues Last XP Security Fixes in Small April Patch
Microsoft's April Security Update features only two "critical" bulletins.
Today's release of Microsoft's April Security Update ushers in an end of an era as the company will no longer support its 12-year-old Windows XP.
Despite it being the final chance to address any last-minute issues in the aged OS, Microsoft's patch is a light one this month, with only two items rated "critical" and two "important" being released.
Even though this is Windows XP's last shot in the patch spotlight, the top priority for IT today is the one critical patch that doesn't concern that OS. Bulletin MS14-017 fixes the Word zero-day vulnerability that was disclosed by Microsoft late last month. Seen in active attacks, the remote code execution (RCE) flaw could be leveraged if a malicious Rich Text File was open in Word or Office Web Apps.
While active attacks had only been targeted at systems running Office 2010, all supported Office versions, including Office for Mac, will remain vulnerable if gone unpatched and, according to security firm Qualays' Wolfgang Kandek, attacks on the other Office versions should be coming around the corner.
"The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers," said Kandek in a blog post. "The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE). Our recommendation: patch Microsoft Word as quickly as possible."
The second and final critical item for the month (which does include a fix for Windows XP) is a cumulative security update for Internet Explorer (MS-14-018). While it's usually recommended that anything related to Internet browsers be the top patching priority, the six privately reported flaws being fixed are not in active attack as the Word flaw is.
All versions of Microsoft's Web browser are affected and this fix is rated critical for all OS versions and important for all supported server versions.
Important Items
Microsoft's April important bulletins include:
- MS14-019: In the last bulletin that affects Windows XP (along with Windows Vista, 7, 8, RT and Windows Server 2008 and 2012), this fix addresses a flaw that could lead to an RCE attack if a malicious .bat or .cmd file was opened from a network location.
- MS14-020: The final item of the month fixes a Microsoft Publisher flaw that could be leveraged if a malicious file was opened in Office 2003 or Office 2007.
Along with the four bulletin items for the month, Microsoft has also released an update for Adobe Flash in Internet Explorer that addresses a previously reported Flash flaw and a non-security update for Windows 8.1 (details can be found here).
While Microsoft didn't target XP heavily in today's patch, don't take that as a vote of confidence on the unsupported OS's security strength. Many security experts are predicting an onslaught of vulnerabilities to be released in the coming days.