Windows Server admins can plan on a lighter month of security updates to apply from the latest Patch Tuesday cycle.
Microsoft released five updates for this month's Patch Tuesday. Two of the updates are critical and three are important. Both critical updates address remote code execution vulnerabilities.
One of the critical security updates addresses 18 vulnerabilities in Internet Explorer (IE), which could be exploited if end users view malicious websites in IE. The update is critical for IE versions 6 through 11 on affected Windows clients. The fix for one zero-day vulnerability, originally released out-of-band in February, is included in this cumulative update for wider distribution.
This is the second month in a row with a large number of critical updates for IE vulnerabilities. In February, Microsoft delivered a super-sized patch to fix 24 critical vulnerabilities in IE.
The second critical security update addresses a vulnerability in Microsoft DirectShow that could be exploited if an end user opens a malicious image file. This update affects most versions of Windows clients and Windows servers.
Despite its critical rating, the DirectShow vulnerability is much more difficult to exploit than browser flaws, said Wolfgang Kandek, chief technology officer of Qualys, Inc., based in Redwood Shores, Calif.
The important security updates in this Patch Tuesday cycle address elevation of privilege and security feature bypass vulnerabilities. One important update addresses an elevation of privilege vulnerability in Windows kernel-mode drivers.
The other two important security updates address security feature bypass vulnerabilities in the Security Account Manager Remote (SAMR) protocol and Microsoft Silverlight. The SAMR protocol vulnerability could be exploited if attackers attempt to match passwords to usernames multiple times.
The vulnerability would allow attackers to bypass the expected lock-out mechanism to break into an account, Kandek said.
The Silverlight vulnerability could also be exploited if end users click on malicious links in emails, instant messages or banner advertisements.
The complete list of updates and affected software can be found here.
Windows XP, Office 2003 end-of-life looms
The end-of-life dates for Windows XP and Office 2003 are nearing. April 2014 will be the last month in which Microsoft provides security updates for those products.
All five of March's bulletins include Windows XP, and you will "only see patches in Vista or above" beginning in May, Kandek said.
"At least some of them, I'm guessing a majority of them, will apply to XP," because of the shared codebase that wasn't rewritten later, he said.
This potentially opens the window for an attacker to look at vulnerabilities within Windows Vista and check if the vulnerability is present in Windows XP, said Kandek.
There are things you can do to secure the operating system in the meantime. Kandek suggests using a browser that will continue to be supported (Google Chrome and Mozilla Firefox are both expected to continue receiving security updates).
But there is still inherent risk to running it on a network: malware extends its reach through neighboring machines and a lot of malware goes undetected by antimalware software, said Kandek.