In the final Patch Tuesday for Windows XP and Office 2003, Microsoft released four patches today, two critical and two important, that cover a total of just 11 CVEs. While this is an unusually small Patch Tuesday, it isn’t surprising that Microsoft included final fixes for XP and Office 2003. For that reason, this is an important Patch Tuesday for users who rely on the outdated platforms and applications that move to self-support this month. Here’s a closer look at this month’s patches, provided by Russ Ernst, director product management, Lumension.
MS14-017: Critical
First and foremost, Microsoft has closed the loop on the MS Word vulnerability addressed in last week’s advisory, 2953095, with MS14-017. This critical bulletin covers three CVEs that could allow remote code execution if a user opens an RTF file in Word. This bulletin also addresses Outlook when configured to use Word as the email viewer. The vulnerability is known to be under active attack, and a hacker using it could gain user rights.
MS14-018: Critical
MS14-018 is the now-expected cumulative update for Internet Explorer; it covers six CVEs but they were all privately reported and there are no known active attacks at this time. It’s also rated critical and of course key for the many IE users out there.
MS14-019 and MS14-020: Important
The remaining bulletins are MS14-019, which is rated important for all versions of Windows, and MS14-020, which impacts Microsoft Publisher users. In summary, that makes two bulletins that impact Windows XP and two for Office 2003 for their final scheduled update.
Windows XP EOS
If the exit of Windows XP sounds a little uneventful, keep in mind that administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in. This triggered updates from Google, Mozilla and Apple, in addition to this month’s Internet Explorer cumulative update. Microsoft also re-issued Security Advisory 2755801, which is a notification to update the Flash Player plug-in now native in Internet Explorer. This is the twenty-second revision to this advisory, and we can expect to see many more revisions going forward as long as the bad guys continue to target the Adobe Flash Player plug-in for Web browsers.
Third-party apps
It’s imperative that administrators continue their migration off of Windows XP, but this month we continue to see a focus on targeting third-party applications. Administrators are advised to stay vigilant with their patch deployment process to keep these applications up to date.