Security Advisor

Microsoft Issues Last XP Security Fixes in Small April Patch

Microsoft's April Security Update features only two "critical" bulletins.

Today's release of Microsoft's April Security Update ushers in the end of an era, as the company will no longer support its 12-year-old Windows XP.

Despite this being the final chance to address any last-minute issues in the aged OS, Microsoft's release is a light one this month, with only two bulletins rated "critical" and two rated "important."

Even though this is Windows XP's last shot in the patch spotlight, the top priority for IT today is the one critical patch that doesn't concern that OS. Bulletin MS14-017 fixes the Word zero-day vulnerability that Microsoft disclosed late last month. Already seen in active attacks, the remote code execution (RCE) flaw could be triggered if a malicious Rich Text Format (RTF) file was opened in Word or Office Web Apps.

While the active attacks had only targeted systems running Office 2010, all supported Office versions, including Office for Mac, remain vulnerable if left unpatched, and, according to security firm Qualys' Wolfgang Kandek, attacks on the other Office versions should be just around the corner.

"The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers," said Kandek in a blog post. "The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE). Our recommendation: patch Microsoft Word as quickly as possible."

The second and final critical item for the month (which does include a fix for Windows XP) is a cumulative security update for Internet Explorer (MS14-018). While it's usually recommended that anything related to Internet browsers be the top patching priority, the six privately reported flaws being fixed are not under active attack, as the Word flaw is.

All versions of Microsoft's Web browser are affected, and this fix is rated critical for all supported client versions of Windows and important for all supported server versions.

Important Items
Microsoft's April important bulletins include:

  • MS14-019: In the last bulletin that affects Windows XP (along with Windows Vista, 7, 8, RT and Windows Server 2008 and 2012), this fix addresses a flaw that could lead to an RCE attack if a malicious .bat or .cmd file was opened from a network location.
  • MS14-020: The final item of the month fixes a Microsoft Publisher flaw that could be leveraged if a malicious file was opened in Office 2003 or Office 2007.

Along with the four bulletins for the month, Microsoft has also released an update for Adobe Flash in Internet Explorer that addresses a previously reported Flash flaw, as well as a non-security update for Windows 8.1.

While Microsoft didn't target XP heavily in today's patch, don't take that as a vote of confidence in the now-unsupported OS's security. Many security experts are predicting an onslaught of XP vulnerabilities to be disclosed in the coming days.


About the Author

Chris Paoli is the site producer for and
