MICROSOFT HAS ISSUED its Patch Tuesday security bulletin for May, warning that it will not release any more Windows XP security updates, despite going back on its word last month when it patched a major Internet Explorer (IE) vulnerability.
Overall, Microsoft issued eight bulletins this month, fixing 13 vulnerabilities in Windows, Microsoft Office and Internet Explorer.
None of the fixes in the bulletins patched Windows XP or Microsoft Office 2003, because Microsoft dropped support of these versions as of 8 April. However, most of the patches do fix code vulnerabilities that probably originated in Windows XP or Office 2003, and earlier versions.
Announcing the fixes from the Patch Tuesday release, Microsoft Trustworthy Computing group manager of response communications Dustin Childs said that Windows XP definitely has been left to fend for itself.
"For those wondering, Windows XP will not be receiving any security updates today," he said.
"For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe."
Childs' comments come after an emergency security bulletin warning of a vulnerability affecting almost every version of Internet Explorer (IE) was released in April to patch a major issue that had come to light. This month's Patch Tuesday update contains further enhancements to this fix.
"This security update resolves two privately reported vulnerabilities in IE. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE," Microsoft said.
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
Other key fixes cover major products including Office and SharePoint, with two rated as critical and six as important.
The securtiy bulletin's MS14-029 is a fix similar to the out-of-band MS14-021 from 1 May, while MS14-021 addresses the zero-day CVE-2014-1776, which had been found in the wild by Fireeye on 26 April.
In a similar fashion, MS14-029 addresses CVE-2014-1815, which was detected as having attacks in the wild by the Google Security Team.
"For good measure Microsoft also included MS14-021/CVE-2014-1776 in this bulletin, so if you have not installed it yet, you can just install MS14-029 and address both issues at the same time," said Qualys CTO Wolfgang Kandek. "The remaining issues in Internet Explorer that were originally scheduled (Pwn2own, for example) will have to be included in next month's bulletin. Note that you need the last cumulative update to IE installed for this update to be applicable."
MS14-024 and MS14-025 of the Bulletin both provide fixes for issues that have been abused by malware, pen-testers and hackers, Kandek added.
"MS14-024 is a new version of the MSCOMCTL DLL that has ASLR set, an easy fix for the developers to implement (basically a recompile), but one that took extensive testing as this DLL is widely used," he said. "With ASLR set ON the DLL attacks that were addressed by MS12-027, MS12-060, MS13-096 and MS14-017 could have been avoided.
"[The fix is] highly recommended and will go a long way to making your setup more robust."
The Patch Tuesday update comes after Microsoft extended the deadline for users to install the Windows 8.1 Update release, the benchmark for all future security and software upgrades, as the firm looks to simplify its operating system environments. µ