After the mad rush of the holiday season that, for IT pros, was exacerbated by a moderate load of eleven patches to get tested and applied in December, Microsoft is giving us some breathing room. January brings us only four security updates – and there’s not a critical one among them. The vulnerability impact types comprise the usual suspects: remote code execution, elevation of privilege and denial of service, but are rated “only” Important, indicating that the risk is less severe and/or less immediate.
Although two of the patches – the escalation of privilege issues addressed in Bulletins 2 and 3 – are for Windows, they apply to Windows XP and Windows Server 2003. The market share of Windows XP is still significant, at almost 29 percent according to NetMarketShare statistics for December 2013, but it has been steadily falling and in a short three months, on April 8, Windows XP’s life cycle ends and it will no longer be supported by Microsoft (which means it will no longer receive security updates).
Despite that quickly-approaching deadline, it’s not just home users who have procrastinated. Last October a Microsoft business manager estimated that one in three business computers are still running XP. The importance of upgrading those machines becomes clear when you look at this month’s and all recent Patch Tuesday updates and see that pretty much all of them include vulnerabilities that affect Windows XP. After the April cut-off date, those vulnerabilities will go unpatched, leaving XP computers at risk.
Windows Server 2003 has a little more time left; it doesn’t reach end-of-life until July 2015. However, upgrading servers is often a more complex and time-consuming process than upgrading desktop computers (although that’s ameliorated somewhat by the fact that there are usually fewer of them to upgrade), so companies that are still running the older server operating system should be planning now for the move to a newer and more secure OS.
Bulletin 1, the one that deals with a remote code execution vulnerability, applies to Microsoft Office and to certain Server products. We’ve seen several such vulnerabilities recently, which generally involve opening a specially crafted file in an Office application. In fact, remote code vulnerabilities in Office programs and/or SharePoint servers were patched in September, October, November and December, so this is just more of the same. Any time an attacker is able to run code on a system, it can have far-reaching results, so this patch should certainly be taken seriously and applied as soon as possible.
Bulletin 4 is the DoS vulnerability and it affects only Microsoft Dynamics AX. This is an enterprise resource planning (ERP) solution that handles accounting, inventory, project and production management, human resources and so forth. While Microsoft has generally been in the top 5 in that market, its share is small compared to market leader SAP, so this one will impact relatively few businesses.
All in all, next week’s Patch Tuesday should be an easy one for both IT professionals and end users, with minimal disruption and downtime. And that definitely makes for a happy new year.