Microsoft had better watch out; IT professionals are going to get spoiled and lazy if this keeps up. Thus far, 2014 has brought us a light workload every month when it comes to patching time, and the trend continues in April. After releasing only five security updates in March, Microsoft has done us one better and has only four scheduled for next Tuesday.
That doesn’t mean this month’s patching can be taken lightly, though. Two of the upcoming patches are rated as critical, and most computer users will be affected by one or both of the critical vulnerabilities.
The first impacts Microsoft Word – all supported versions from Word 2003 Service Pack 3 to Word 2013 and 2013 RT, and also Office for Mac 2011, Word Viewer, the Office Compatibility Pack and Word Automation Services on SharePoint Server 2010 and 2013. This is almost certainly a fix for the zero day vulnerability that we reported on near the end of March. You’ll recall that was an exploit that took advantage of a flaw in the way Word handles .RTF (rich text format) files. At that time, Microsoft released a Fix It solution to disable opening of .RTF files altogether and suggested a couple of other workarounds, but did not release an emergency patch.
The second critical bulletin pertains to one or more vulnerabilities in the Internet Explorer web browser. All supported versions of IE, from IE 6 on XP to IE 11 on Windows 8.1 and Server 2012, appear to be affected by this one. Of course, server core installations won’t be affected since they don’t run the web browser, and Microsoft’s advance notification doesn’t show IE 11 on Windows RT in its list of affected software. All we know about it at this time is that it’s a remote code execution vulnerability, which means there is the potential for an attacker to gain administrative control of the system – always a particularly serious ramification.
The remaining two security bulletins for this month are rated important, which usually indicates that an attacker would have to persuade (or trick) the user into taking some explicit action to be able to exploit the vulnerability, and/or that the impact is less severe. Bulletin 3 applies to all supported versions of the Windows operating system, from XP SP3 to Windows RT 8.1, including the server operating systems, which means the server core installations as well. This is another remote code execution vulnerability.
Finally, Bulletin 4 is likely to impact far fewer users. It’s yet another remote code execution vulnerability, but it only affects Microsoft Publisher 2003 and 2007. Publisher 2010 and 2013 are not listed, so apparently it’s only the older versions that are at risk. Publisher was once a fairly popular member of the Microsoft Office suite, and a low cost alternative to Aldus PageMaker (later Adobe PageMaker), which was the standard during the heyday of desktop publishing. Today, the U.S. Department of Labor lists desktop publishing as a “dying career field,” because businesses and individuals are moving away from printing content on paper and taking everything to the web.
For more information, check out Microsoft’s Advance Notification page on TechNet, and stay tuned here for full coverage of these security updates next Tuesday when Microsoft releases them to the public. It’s also worth mentioning that these are the very last patches that will be available for Windows XP. As we’ve mentioned many times before, April 8 marks the end of support for that venerable twelve-year-old operating system – although if you have enough money and influence, Microsoft might make an exception for you, as they did with the U.K. government, to the tune of 5.5 million pounds.