Security Advisor

Microsoft Issues Last XP Security Fixes in Small April Patch

Microsoft's April Security Update features only two "critical" bulletins.

Today's release of Microsoft's April Security Update ushers in the end of an era, as the company will no longer support its 12-year-old Windows XP.

Despite it being the final chance to address any last-minute issues in the aged OS, Microsoft's patch is a light one this month, with only two items rated "critical" and two "important" being released.

Even though this is Windows XP's last shot in the patch spotlight, the top priority for IT today is the one critical patch that doesn't concern that OS. Bulletin MS14-017 fixes the Word zero-day vulnerability that was disclosed by Microsoft late last month. Seen in active attacks, the remote code execution (RCE) flaw could be leveraged if a malicious Rich Text File was opened in Word or Office Web Apps.

While active attacks had only targeted systems running Office 2010, all supported Office versions, including Office for Mac, will remain vulnerable if left unpatched, and, according to security firm Qualys' Wolfgang Kandek, attacks on the other Office versions are likely just around the corner.

"The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers," said Kandek in a blog post. "The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE). Our recommendation: patch Microsoft Word as quickly as possible."

The second and final critical item for the month (which does include a fix for Windows XP) is a cumulative security update for Internet Explorer (MS14-018). While it's usually recommended that anything related to Internet browsers be the top patching priority, the six privately reported flaws being fixed are not under active attack, as the Word flaw is.

All versions of Microsoft's Web browser are affected and this fix is rated critical for all OS versions and important for all supported server versions.

Important Items
Microsoft's April important bulletins include:

  • MS14-019: The last bulletin affecting Windows XP (along with Windows Vista, 7, 8, RT and Windows Server 2008 and 2012), it addresses a flaw that could lead to an RCE attack if a malicious .bat or .cmd file is opened from a network location.
  • MS14-020: The final item of the month fixes a Microsoft Publisher flaw that could be leveraged if a malicious file was opened in Office 2003 or Office 2007.

Along with the four bulletin items for the month, Microsoft has also released an update for Adobe Flash in Internet Explorer that addresses a previously reported Flash flaw and a non-security update for Windows 8.1 (details can be found here).

While Microsoft didn't target XP heavily in today's patch, don't take that as a vote of confidence on the unsupported OS's security strength. Many security experts are predicting an onslaught of vulnerabilities to be released in the coming days.


About the Author

Chris Paoli is the site producer for and

