Microsoft today released its April Patch Tuesday update, providing four security bulletins, including the final updates for the Windows XP operating system.
Among the most critical bulletins is MS14-017, which details three remote code execution vulnerabilities in Microsoft Word and Office applications. Microsoft first became aware of one of the issues, identified as CVE-2014-1761, on March 24 and issued Security Advisory 2953095 to provide guidance to users.
“A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files,” Microsoft explains in its security advisory on CVE-2014-1761. “An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.”
The other two remote code execution flaws patched in the MS14-017 update are CVE-2014-1758, a stack overflow in Microsoft Word, and CVE-2014-1757, a vulnerability in the Microsoft Office file format converter.
The fact that it took Microsoft two weeks to patch the CVE-2014-1761 vulnerability is not surprising to Karl Sigler, manager at security vendor Trustwave. “There were two other client-side patches released today for Internet Explorer and MS Publisher, both of which could also result in arbitrary code execution,” Sigler told eWEEK. “Avoiding out-of-cycle patches and keeping these patches together helps admins in the end and makes the process a little less painful.”
The other critical bulletin released today by Microsoft is MS14-018, which includes fixes for six privately reported vulnerabilities in the Internet Explorer Web browser.
None of those fixes, however, address any of the IE issues reported at the Pwn2Own hacking event in March. IE was exploited twice during the Pwn2Own 2014 event. Apple’s Safari Web browser, as well as Mozilla’s Firefox, were also exploited during the event. Apple patched Safari for its Pwn2Own flaws on April 1, and Mozilla patched Firefox on March 18.
“Microsoft works with the security community to protect our customers against all threats, and we are investigating possible issues identified by researchers during the Pwn2Own competition,” Dustin Childs, group manager for Microsoft Trustworthy Computing, told eWEEK. “We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition’s findings.”
The April Patch Tuesday update is also notable as the last in which Microsoft’s patches will provide fixes for the Windows XP operating system. Of the critical bulletins released this month, only the MS14-018 bulletin for IE affects Windows XP users.
Trustwave’s Sigler noted that XP is 13 years old, and today’s end-of-support date has been known for seven of those 13 years.
“Microsoft has done more than most companies to support what should be considered legacy software by now,” Sigler said. “It lacks not just the functionality but also the security features of newer OSes like Windows 7 and 8.”
Sigler added that, in his view, risk is reduced not only by patching but also by retiring obsolete legacy software rather than continuing to run it.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.