Microsoft sketches out final Windows XP security updates for next week

Also plans to patch Word vulnerability already being exploited by cyber criminals

Microsoft today said it will ship four security updates to customers next week that will include the final public fixes for flaws in Windows XP and Office 2003, both slated for retirement from security support on Tuesday.

Of the four updates, two were tagged "critical," Microsoft's most serious threat rating, and the other pair was marked "important," the next step down in the firm's four-part scoring system.

All four, however, were labeled in today's advance notification with the phrase "remote code execution," meaning that attackers could hijack an unpatched PC if they managed to exploit the vulnerabilities. Microsoft often downgrades remote code flaws to the important category when there are mitigating factors -- say, a requirement that users click through multiple warnings or deviate from a standard configuration -- that prevent easy exploitation.

One of the quartet will directly affect Windows XP -- all versions of Windows, actually, including the newest, Windows 8.1 -- while another will also impact the 13-year-old OS because it will patch all editions of Internet Explorer, including IE6, which faces retirement, too, and IE8, the most popular Microsoft browser for XP.

The small number of fixes for XP on the eve of its retirement didn't surprise Andrew Storms, director of DevOps at San Francisco-based security vendor CloudPassage.

"I think a lot of people have made much ado about nothing regarding the end of life for XP," said Storms in an interview conducted via instant messaging. "One of those being the hallucination that we would see a dump truck full of last-minute XP patches next week. It's not like Microsoft to sit on a bunch of known bugs for a long time and release them all on an arbitrary date. Take Pwn2Own for example: We almost never see a bunch of IE bugs get squashed the month before."

Also on next week's slate: A fix for the Word vulnerability that Microsoft confirmed March 24 is being exploited in the wild using malformed RTF (rich text format) documents. Microsoft has rated the Word update as critical.

All versions of Word -- Word 2003, Word 2007, Word 2013 and Word 2013 RT on Windows, and Word 2011 on OS X -- will be patched next week to quash the bug.

"Since the bug affected Office 2003 and it, like XP, goes EOL [end of life] next week, they pretty much were required to issue the patch," said Storms. "Leaving a known zero-day bug in the wild would have been bad news."

Office 2003, which debuted in October 2003, will be retired from support next Tuesday along with Windows XP.

The other critical update will patch all supported versions of IE except for IE10, which launched in 2012 with Windows 8, but was also pushed to Windows 7 users in February 2013. Although newer code is often immune from bugs in older software, the fact that the older IE6, IE7, IE8 and IE9 will be patched, and the newest browser, IE11, will be too, was unusual.

Storms didn't have any ideas on why IE10 was not affected. "I have no insight or good guesses as to what about IE10 makes it special," he said.

He recommended that Microsoft customers apply the IE update as soon as possible. "It's almost always 'IE first,'" he said. "Then, no question -- apply that Word fix pronto."

Bulletin 1, the update that will patch Word, will also affect SharePoint Server 2010 and SharePoint Server 2013, the collaboration software many enterprises have deployed to support Office. Because SharePoint Server runs a service called "Word Automation Services," which automatically opens documents in several formats, including RTF, it could also be exploited, potentially spreading attack code throughout a company.


"This sounds like a pretty interesting possible attack vector," observed Storms. "Aren't we always told not to just automatically open everything we get?"

Microsoft will release the security updates on April 8 around 1 p.m. ET.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.

CAPTION: Microsoft's death-to-XP countdown clock keeps tickin' toward Tuesday's retirement date. (Image: Microsoft.)
