Microsoft will release four bulletins next Tuesday, two of which are rated as critical and two rated as important.
On the day when the final patches are released for Windows XP and Office 2003, these updates address issues in Microsoft Windows, Office and Internet Explorer.
Among the fixes is MS14-017 which fully addresses the Microsoft Word issue first described in Security Advisory 2953095, after an emergency fix was issued in late March. “Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally,” said Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing. “At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010.”
Commenting, Tyler Reguly, manager of security research for Tripwire, said: “Given that this is the last time we’ll see Windows XP patched, it’s surprising to see the issues they’re fixing. After you filter out Office and IE, we’re only going to have one operating system update next week.
“This month it’ll be interesting to see how many attackers have been holding on to XP zero-days waiting for this day to come. If a major critical issue is released, will Microsoft issue another update or will they hold fast to their planned end of support for Windows XP?”
Wolfgang Kandek, CTO of Qualys, said: “This low total number is very atypical, and at least 30 per cent under the numbers for last year – in April of 2013 we were at 36 bulletins and in 2012 we had 20 bulletins. At the same time there is no shortage of vulnerabilities as we have seen at last month’s CanSecWest, where literally all software packages (Java excepted) fell to security researchers who received cash prizes between $75,000 and $100,000.
“But back to this month, all of them enable ‘Remote Code Execution’. Bulletin #1 addresses the current zero-day vulnerability (KB2953095) in Microsoft Word. Bulletin #2 is a new version of Internet Explorer, applicable to all versions of IE starting with IE6 on XP to IE11 on Windows 8.1 and RT.
“Bulletin #3 and Bulletin #4 are the both rated ‘important’, but Bulletin #3 is the more urgent one. It affects all versions of Windows and can be used to gain Remote Code Execution. Bulletin #4 addresses a problem in Publisher 2003 and 2007, which is a software package that we do not see widely installed.”
Reguly said: “The Publisher bulletin is the perfect example of the kind updates that Microsoft wants to issue. The latest versions of the product aren’t affected, which means that it perfectly supports Microsoft’s recommended security advice, ‘Always run the latest products’.”