The Inquirer-Home

Microsoft's final Windows XP Patch Tuesday is brief

Fixes remote code execution in Internet Explorer and Microsoft Office
Wed Apr 09 2014, 12:55
Microsoft logo

THE WINDOWS XP ERA draws to a close as Microsoft fixes nine common vulnerabilities and exposures (CVEs) in four bulletins for its Patch Tuesday release this month, a lighter release than last month's and the last to cover Windows XP which reached end of life on Tuesday.

This month's patches address seven vulnerabilities in Internet Explorer (IE) and two in Microsoft Office, including Web Apps and Office Services.

Two of the patches are rated Critical. MS14-017 patches a vulnerability in Microsoft Word and Office Web Apps that could allow remote code execution if a Rich Text Format (RTF) file is opened or previewed. This could allow an attacker to gain the attacked user's rights, making the code particularly dangerous for users with administrative privileges.

Karl Sigler, Threat Intelligence manager at Trustwave said, "A few weeks ago, Microsoft posted security advisory 2953095 after reports of attacks in the wild targeting Microsoft Word 2010 installations. To exploit the vulnerability, an attacker would craft a malicious RTF file and use social engineering techniques to trick a user into previewing or opening it. All Windows users should apply this patch as soon as possible."

MS14-018 is a cumulative update for Internet Explorer that patches six vulnerabilities, which - as with MS14-017 - could let an attacker gain the user's privileges if a web page is viewed. Again, administrator accounts are at most risk.

Marked Important are MS14-019, designed to patch a remote code execution vulnerability that could cause .cmd or .bat files to run local code from a remote location, while MS14-020 is a specific memory corruption vulnerability in Microsoft Publisher.

As well as the final updates for Windows XP, today also sees the end of support for Microsoft Office 2003, and given that two of today's patches apply to it, users should be aware that it might be time to stop using it.

Sigler added, "So this is it. We've been warned. And warned and warned. Today marks the last day that Microsoft will issue public patches for Windows XP, even though [Windows] XP still represents almost 30 [percent] of all desktop installations and anywhere from 80-95 [percent] of the world's ATMs."

Although some think that Windows XP's retirement is a cynical move on the part of Microsoft, Sigler didn't agree. He said, "Although [third] party security solutions like AV and IDS will help protect [Windows] XP users for the near future, there's no denying that those that continue to use [Windows] XP will be at a much greater risk of compromise.

"Windows XP is old, almost ancient in technology years. Modern Windows operating systems like Windows 7 or 8 provide security features like Drive Encryption, User Account Control, Applocker, UEFI Secure Boot and Trusted Boot.

"Windows XP is not being retired because [Microsoft] wants to blackmail people into upgrading. It's being retired because it is obsolete and Microsoft has given the public ample opportunity to do what is in their own best interest. It's now time to close the lid on [Windows] XP."

In a recent poll, however, INQUIRER readers indicated in no uncertain terms that they will not flock to Windows 8, with more planning to stay with Windows XP regardless or move to Linux than upgrade to Microsoft's latest operating system release. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Microsoft's Windows 10 Preview has permission to watch your every move

Does Microsoft have the right to keylog users of its Windows 10 Technical Preview?