Microsoft Issues Last XP Security Fixes in Small April Patch

Microsoft's April Security Update features only two "critical" bulletins.

Today's release of Microsoft's April Security Update ushers in the end of an era, as the company will no longer support its 12-year-old Windows XP.

Despite it being the final chance to address any last-minute issues in the aged OS, Microsoft's patch is a light one this month, with only two items rated "critical" and two "important" being released.

Even though this is Windows XP's last shot in the patch spotlight, the top priority for IT today is the one critical patch that doesn't concern that OS. Bulletin MS14-017 fixes the Word zero-day vulnerability that Microsoft disclosed late last month. Seen in active attacks, the remote code execution (RCE) flaw could be exploited if a malicious Rich Text Format (RTF) file was opened in Word or Office Web Apps.

While active attacks had only targeted systems running Office 2010, all supported Office versions, including Office for Mac, remain vulnerable if left unpatched, and, according to security firm Qualys' Wolfgang Kandek, attacks on the other Office versions should be just around the corner.

"The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers," said Kandek in a blog post. "The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE). Our recommendation: patch Microsoft Word as quickly as possible."

The second and final critical item for the month (which does include a fix for Windows XP) is a cumulative security update for Internet Explorer (MS14-018). While anything related to Web browsers is usually recommended as the top patching priority, the six privately reported flaws being fixed are not under active attack, as the Word flaw is.

All versions of Microsoft's Web browser are affected and this fix is rated critical for all OS versions and important for all supported server versions.

Important Items
Microsoft's April important bulletins include:

  • MS14-019: In the last bulletin that affects Windows XP (along with Windows Vista, 7, 8, RT and Windows Server 2008 and 2012), this fix addresses a flaw that could lead to an RCE attack if a malicious .bat or .cmd file was opened from a network location.
  • MS14-020: The final item of the month fixes a Microsoft Publisher flaw that could be leveraged if a malicious file was opened in Office 2003 or Office 2007.

Along with the four bulletin items for the month, Microsoft has also released an update for Adobe Flash in Internet Explorer that addresses a previously reported Flash flaw and a non-security update for Windows 8.1 (details can be found here).

While Microsoft didn't target XP heavily in today's patch, don't take that as a vote of confidence in the unsupported OS's security strength. Many security experts predict an onslaught of vulnerabilities will be disclosed in the coming days.


About the Author

Chris Paoli is the site producer for and
