As everyone should know by now, there are a good number of known, severe issues still present in Windows XP. In some cases Microsoft has been sitting on these responsibly disclosed cases for a number of years; this is officially their last chance to patch them for a solid 27% of the Windows users out there in the world. Keep those poor folks from getting owned by the credit card gremlins, right? Here it is, it's going to be a hell storm Patch Tuesday, security teams around the world will go days without sleep, patching these four issues? Wait, what? Only 4?
Now, let's not forget that Office 2003 is also EOL come April 8, and this Patch Tuesday does not neglect either of its orphaned products. 2 apply to XP (among other Windows OSes), and 2 apply to a component of Office 2003. Technically the critical issue affecting XP is an IE issue (MS14-018), affecting versions 6-9 & 11 but somehow skipping 10.
The top story in these advisories is actually the Word issue, MS14-017. One of the issues addressed by this fix is under active exploitation in the wild and has already been temporarily addressed in security advisory 2953095. The 2953095 fix is a complete but heavy-handed fix, and Microsoft is advising that it can be removed safely before or after installing the MS14-017 patch in order to restore full Rich Text Format functionality. None of the other advisories feature attacks under active exploitation.
MS14-019 is definitely the lowest priority, in that a user would have to be enticed into executing a batch file on a malicious network share. Exploitation of this vulnerability is two steps of misdirection removed from reality. Nothing to ignore, but not a top tier, urgent concern.
There it is folks, another relatively light Patch Tuesday, 2 critical affecting all supported versions of Word and most versions of Internet Explorer (patch these first). Prioritize the Publisher issue, if you have it in your environment, because I expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents.
Is it just me, or does it seem like responsible disclosure of Windows XP vulnerabilities would allow for the public disclosure of any known vulnerabilities at this point? I'm *not* advocating for that, but I'm typically conservative on this issue. I can see how others, with a more militant stance, might take a different approach here. And what about POSReady 2009? It's still XP SP3 under the covers. Says XP when it boots up. Runs on a metric tonne of ATMs and cash registers… It's still supported for another 4 years (XP on life support). How will Microsoft handle it when they release patches for that?
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.