Last Security Patches Coming Tuesday for XP, Office 2003
That's a wrap. Microsoft is closing the books on Windows XP and Office 2003 support, offering its last update to the software on Tuesday.
Microsoft will deliver four bulletins. Two are rated critical and two are rated important. The bulletins cover Microsoft Office, Microsoft Office Services, Microsoft Office Web Apps, Microsoft Windows, and Internet Explorer.
"This month is a low count of what seem to be fairly serious security holes," Ken Pickering, director of engineering at CORE Security, told us. "Targeting Office, Windows, and IE, they're affecting products with the most market share in the Microsoft universe. Requiring a restart and including a core window service vulnerability is always troublesome, as it typically delays rollout."
We also asked Ross Barrett, a senior manager of security engineering at Rapid7, for his thoughts on next Tuesday's release. He told us this is indeed the last hurrah for the once-beloved XP. He called April 8 the "last kick at the can" for Windows XP.
"As everyone should know by now, there are a good number of known, severe issues still present in Windows XP," Barrett said. "In some cases Microsoft has been sitting on these responsibly disclosed cases for a number of years. This is officially their last chance to patch them for a solid 27 percent of the Windows users out there in the world."
Barrett recommends prioritizing the Windows patch. He's also asking a pointed question: Does it seem like responsible disclosure of Windows XP vulnerabilities would allow for the public disclosure of any known vulnerabilities at this point? Although he's clear that he's not advocating for that sort of disclosure, he said he can see how others with a more militant stance might take a different approach.
Pwn2Own Fallout Continues
We caught up with Russ Ernst, director of product management at security solutions firm Lumension, to get his take on the final Patch Tuesday for Windows XP and Office 2003. He told us this will be an important Patch Tuesday for users who rely on this outdated code that moves to self-support this month.
"Most notably, Microsoft has closed the loop on the MS Word vulnerability addressed in last week's advisory, 2953095," Ernst said. "This is a critical vulnerability that could allow remote code execution if a user opens a RTF file in Word 2010 or in Outlook while using Word as the email viewer. Known to be under active attack, a hacker using this vulnerability could gain user rights."
As if pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren't enough, Ernst noted that administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe's Flash Player plug-in.
"With security updates coming from so many sources this month, IT will be challenged to effectively prioritize their rollouts," he said. "The best thing to do is to maintain your patch process, and consider consolidating to a single allowed browser as part of your migration plan to the latest OS."