Microsoft Patch Tuesday for April 2014: The final call for XP updates

Well, how do you start with such a big ending? This Microsoft Patch Tuesday is the final set of updates and security fixes for Windows XP.


Windows XP has been a tremendously successful operating system and has truly defined the desktop ecosystem for the past decade. In case you have not yet quite moved on to a later, more modern operating system (Windows 7 or 8.x), Microsoft has provided this helpful set of hints and tips regarding your now unsupported favourite desktop operating system.

The Microsoft Windows XP End of Support web page points out the following risks and potential compliance issues:

  • Security & Compliance Risks: Unsupported and un-patched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.
  • Lack of Independent Software Vendor (ISV) & Hardware Manufacturers support: A recent industry report from Gartner Research suggests "many independent software vendors (ISVs) are unlikely to support new versions of applications on Windows XP in 2011; in 2012, it will become common." And it may stifle access to hardware innovation: Gartner Research further notes that in 2012, most PC hardware manufacturers will stop supporting Windows XP on the majority of their new PC models.

In this auspicious Microsoft Patch Tuesday, we see a relatively small update with four patches -- two rated as Critical and two rated as Important by Microsoft. This is a historically small update for Microsoft: previous years have seen as many as 17 Patch Tuesday updates for April, with an estimated average over the past ten years of 11 patches.

The first update (MS14-017) for this April 2014 Microsoft Patch Tuesday is rated Critical by Microsoft and relates to one privately and two publicly disclosed Remote Code Execution vulnerabilities in Microsoft’s Office productivity suite. This particular attack requires the user to click on a specially crafted file, which gives a successful attacker the same rights as the affected user. This vulnerability in Microsoft Office affects the entire spectrum of Office document handling products, including all versions of Microsoft Word (2003, 2007, 2010, 2013, RT) and the Word document handling web services such as SharePoint and Microsoft Web Apps. Interestingly, this security issue also affects the Microsoft Word Viewer and the Microsoft Compatibility Pack. We should also note that this is the second attempt by Microsoft to resolve this issue (with three privately reported issues), as this update is a direct replacement for the very first Microsoft Security update that Microsoft delivered this year (2014). In addition to this update, Microsoft released a Security Advisory a few weeks ago (March 24, 2014) relating to an “in the wild” RTF file exploit (which therefore affects Microsoft Word) reported by the Google Security team (thanks to Drew Hintz, Shane Huntley, and Matty Pellegrino). This patch (MS14-017) includes that fix, which means that most system administrators (me and you) should hit the “Patch Now” button for this one.

The second Microsoft update for this April release (MS14-018) relates to six privately reported memory corruption vulnerabilities that affect almost all versions of Internet Explorer from version 6 to version 11, on both 32- and 64-bit platforms and on the Windows RT platform - but not Internet Explorer 10, due to its recent Out of Band Update from Microsoft. Like the previous Microsoft Word vulnerability, this vulnerability is exposed through a user accessing a specially crafted web page, which could give the attacker the same privileges as the logged-in user. For those advanced system administrators out there, you won’t have to worry about this update for any of your Windows Server Core installations, as Internet Explorer is not installed by default on these systems.

So, administrators take note: this update (MS14-018) is actually composed of a number of security and feature updates. Bundled with this Microsoft security update are several new and improved features that apply only to Windows 7 desktop platforms and Server 2008 R2 server environments:

  • F12 Developer Tools
  • Internet Explorer WebGL Renderer
  • Enterprise Mode for Internet Explorer

And quite helpfully, Microsoft has added a Knowledge Base article (KB2956283) that details that IE11 will crash if you turn on and then turn off Enterprise Mode. And, for even more fun, the link to this KB article delivers a Microsoft message: “The page you are looking for may have a new location, or is no longer available.”

The third update (MS14-019) for the April 2014 Patch Tuesday is rated as Important and deals with a single privately reported vulnerability in the file handling functionality in all Windows platforms (32- and 64-bit). Using specially crafted batch or command files (.bat or .cmd), an attacker could gain the same access as the user through a Remote Code Execution vulnerability. Microsoft has resolved this particular security issue with an update to how these files (.bat and .cmd) are run from remote or network-based locations. As an additional note on this vulnerability, a failed attack may result in a denial-of-service scenario. It looks like we have Stefan Kanthak from Symantec to thank for exposing and helping Microsoft resolve this security issue. Symantec has some really helpful hints on how to reduce these types of attacks, including:

  • Run all software as a nonprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Deploy NIDS to monitor network traffic for signs of suspicious or anomalous activity.
  • Do not accept or execute files from untrusted or unknown sources.
  • Implement multiple redundant layers of security.

And the last update (MS14-020) relates to Microsoft Publisher, which may not top the list of your high-priority “it runs the business” applications but may be present as part of your installed application portfolio and therefore will require this security update. This is a privately reported issue that deals with a Remote Code Execution vulnerability triggered if a user opens a specially crafted file (i.e. a .pub file) in Microsoft Publisher.

This article is published as part of the IDG Contributor Network.
