Microsoft today addressed a scant 11 vulnerabilities spread across four bulletins as part of its April 2014 Patch Tuesday release, but more importantly this month's batch includes the final security updates for its Windows XP operating system and Office 2003 productivity suite.
All told, Microsoft has issued a total of 452 security bulletins for XP over the course of its lifecycle, but the company will no longer provide security support for XP or Office 2003 unless organizations pay for expensive custom support agreements. Despite repeated warnings from Microsoft and IT security experts in recent years, many enterprises and consumers are still stuck on XP.
Wolfgang Kandek, chief technology officer for Redwood City, Calif.-based vulnerability management vendor Qualys Inc., said the most recent numbers from its BrowserCheck scans show that U.S. and U.K. enterprise XP usage has fallen to 8% as of the end of the first quarter of 2014; other countries around the world show a heftier XP presence. Office 2003 lingers as well: an October 2013 survey from Cambridge, Mass.-based analysis firm Forrester Research showed that among more than 150 of its clients, 28% were still running Office 2003.
The persistence of XP and Office 2003 has been a serious concern for the security industry in recent months, but Kandek said Adobe's plan to end support for XP users running its Reader software is even more alarming, considering the number of attacks that seek to compromise Reader and other popular third-party applications.
Kandek expected Adobe to ship an update for Reader this month to address any outstanding issues for XP users. At press time, the San Jose, Calif.-based vendor had only issued an update for its Flash Player multimedia software to address four vulnerabilities, including one used in an exploit demonstrated by French firm VUPEN Security at this year's Pwn2Own competition in Vancouver.
"[Third-party software] represents maybe even a bigger attack vector than pure Windows XP," said Kandek, who advised XP users to consider installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET). EMET enforces exploit mitigations such as DEP and mandatory ASLR on applications, including third-party software, that do not enable them on their own, limiting the risk of zero-day exploits.
Beyond the final Office 2003 and XP security updates, April's Patch Tuesday batch also features an update for a recent Word zero-day vulnerability.
Originally addressed by a temporary "Fix it" workaround published with Security Advisory 2953095, the vulnerability was already being used in "limited targeted attacks," Microsoft said in March. Exploitation depended on a user opening a maliciously crafted rich text format (RTF) file in Word, or previewing it in Outlook, which uses Word as its email viewer. The Redmond, Wash.-based software giant warned at the time that a successful exploit could give attackers the same rights as the current user.
Security bulletin MS14-017, rated critical, provides a permanent fix for both the Word zero-day and two other privately disclosed remotely exploitable vulnerabilities spread across various versions of Office, including 2003. Even with the patch available, Kandek suggested that organizations keep, or consider applying, the workaround Microsoft provided in March as an additional layer of defense.
"If you have the 'Fix it,' I think this time you should leave that in place and if you don't have the Fix it, you might actually want to think about [applying it instead] because RTF vulnerabilities are not frequent," said Kandek. "The question is: do you actually need that file format? If you can live without RTF, that's probably not a bad defensive move to tell Word, 'Do not process that file format.' And that is basically what the Fix it does."
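Kandek's description of the workaround, blocking RTF in Word, maps onto Office's File Block policy, which is what Microsoft's "Fix it" for Advisory 2953095 configured. The script below is an added example written for this page, not Microsoft's Fix it package or anything from the article: it sets the per-user File Block registry values for Word 2003 through 2013 and reports which installed versions are blocking RTF. The subkey names and values (FileOpenBlock\RtfFiles = 1 for Office 2003/2007; FileBlock\RtfFiles = 2 plus OpenInProtectedView = 0 for Office 2010/2013) follow the workaround as published in the advisory, but treat them as assumptions to verify against the advisory for your Office build before rolling them out, and note that the Fix it targeted only the affected versions.

```powershell
# Added example for this page (not Microsoft's Fix it). Reproduces the advisory 2953095
# "prevent Word from loading RTF files" workaround through the Office File Block policy.
# Registry subkeys and values below are taken from Microsoft's published workaround and
# are ASSUMPTIONS to confirm for your Office version; everything is written under HKCU,
# so run it in the context of the user whose Word installation you want to protect.

# Office internal version -> File Block subkey and the value that means "block RTF".
# Office 2003/2007 use FileOpenBlock with RtfFiles = 1.
# Office 2010/2013 use FileBlock with RtfFiles = 2 (block entirely) and
# OpenInProtectedView = 0 (do not fall back to opening the file in Protected View).
$Policies = @{
    '11.0' = @{ SubKey = 'FileOpenBlock'; RtfFiles = 1; ProtectedView = $null }   # Office 2003
    '12.0' = @{ SubKey = 'FileOpenBlock'; RtfFiles = 1; ProtectedView = $null }   # Office 2007
    '14.0' = @{ SubKey = 'FileBlock';     RtfFiles = 2; ProtectedView = 0     }   # Office 2010
    '15.0' = @{ SubKey = 'FileBlock';     RtfFiles = 2; ProtectedView = 0     }   # Office 2013
}

function Set-WordRtfBlock {
    # Applies the RTF block for every Word version present under HKCU.
    # -Remove reverses it once MS14-017 is deployed and RTF is needed again.
    param([switch]$Remove)
    foreach ($ver in $Policies.Keys) {
        $wordKey = "HKCU:\Software\Microsoft\Office\$ver\Word"
        # Presence of the per-user Word key is used as the "installed" heuristic.
        if (-not (Test-Path $wordKey)) { continue }
        $p   = $Policies[$ver]
        $key = Join-Path $wordKey "Security\$($p.SubKey)"

        if ($Remove) {
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name 'RtfFiles' -ErrorAction SilentlyContinue
                if ($p.ProtectedView -ne $null) {
                    Remove-ItemProperty -Path $key -Name 'OpenInProtectedView' -ErrorAction SilentlyContinue
                }
            }
            Write-Output "Office ${ver}: RTF block removed"
            continue
        }

        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'RtfFiles' -PropertyType DWord -Value $p.RtfFiles -Force | Out-Null
        if ($p.ProtectedView -ne $null) {
            New-ItemProperty -Path $key -Name 'OpenInProtectedView' -PropertyType DWord `
                -Value $p.ProtectedView -Force | Out-Null
        }
        Write-Output "Office ${ver}: RTF block applied ($($p.SubKey)\RtfFiles = $($p.RtfFiles))"
    }
}

function Test-WordRtfBlock {
    # Reports, per installed Word version, whether the block value is in place.
    foreach ($ver in $Policies.Keys) {
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Word")) { continue }
        $p   = $Policies[$ver]
        $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\$($p.SubKey)"
        $val = (Get-ItemProperty -Path $key -Name 'RtfFiles' -ErrorAction SilentlyContinue).RtfFiles
        $state = if ($val -eq $p.RtfFiles) { 'BLOCKED' } else { 'not blocked' }
        Write-Output "Office ${ver}: RTF $state"
    }
}

Set-WordRtfBlock
Test-WordRtfBlock
# Undo later with: Set-WordRtfBlock -Remove
```

Because File Block is a per-user setting, pushing it through Group Policy Preferences or a logon script is the practical way to cover a fleet; the same values can also be set under the Office Group Policy administrative templates, which write to the Policies hive and take precedence over what users can change.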
This month's other critical Microsoft security bulletin, MS14-018, resolves a total of six vulnerabilities in Internet Explorer, affecting versions 6 through 11. The flaws are remotely exploitable, according to Microsoft, and can be triggered when a user visits a specially crafted webpage.
Security bulletin MS14-019 -- rated important -- provides a fix for one publicly disclosed vulnerability, which is exploitable only if an attacker lures a user into running "specially crafted .bat and .cmd files from a trusted or semi-trusted network location."
"Microsoft has blocked off a potential attack vector with MS14-019 which could allow context-dependent attackers to execute attacker-controlled code within poorly implemented programs," said Craig Young, security researcher at Portland, Ore.-based Tripwire Inc. "Similar to DLL preloading, this attack vector relies on a process loading executable code from an untrusted path."
Finally, security bulletin MS14-020 -- rated important -- addresses one privately reported vulnerability in the 2003 and 2007 versions of Microsoft Publisher, the company's desktop-publishing software. The flaw can be exploited remotely if a target opens a maliciously crafted file in an affected version of Publisher; if successful, an attacker could gain the same rights as the current user.
With the final XP security updates now released, Tripwire's Young is already looking forward to the impact that XP's end-of-life will have on May's Patch Tuesday.
"May 13, 2014, will be a more interesting date than April 8, by far," said Young, "because it will be the first Patch Tuesday that will provide attackers with the opportunity to reverse-engineer Windows 7 security content and use it to identify vulnerabilities in Windows XP."