Though this month's Patch Tuesday is light, it marks the final patch release for Windows XP and other Microsoft products, and it includes important changes IT pros need to be aware of.
The latest batch of Patch Tuesday security updates includes four bulletins that address remote code execution vulnerabilities. Two are marked critical and two are marked important.
One critical update addresses three vulnerabilities in multiple versions of Microsoft Office, Office Services and Office Web Apps, which could be exploited if end users preview or open malicious files using Office.
It was an easily exploitable vulnerability, which just meant crafting a believable RTF file and sending it to an unsuspecting victim, said Wolfgang Kandek, chief technology officer of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.
Last month, Microsoft released a Fixit tool to disable reading RTF files to prevent the vulnerability from being exploited. In order to get that functionality back, the user would have to disable the Fixit.
However, since RTF files aren't used as widely as other document types, there is another option.
"Keep the Fixit in place," said Kandek. "That would be a good hardening guideline."
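If you follow that guideline, it helps to be able to verify that the Fixit is still in place after patching or after a user has tinkered with it. The following PowerShell audit is an added example, not something from the article, Microsoft or Qualys. It assumes the Fixit applies Office's File Block policy under the current user's registry hive (HKCU:\Software\Microsoft\Office\<version>\Word\Security\FileBlock), setting RtfFiles to 2 (block) and OpenInProtectedView to 0 for Office 2007, 2010 and 2013 (versions 12.0, 14.0 and 15.0); it reads those values and reports whether RTF opening is still blocked, without changing anything.

```powershell
# Added example (not the article's, Microsoft's or Qualys' code).
# Audits whether the RTF File Block setting applied by the Fixit is still
# present for the current user. Assumed registry layout: Office's File Block
# policy lives under ...\Word\Security\FileBlock with RtfFiles = 2 meaning
# "do not open" and OpenInProtectedView = 0 meaning "block outright".
$officeVersions = @('12.0', '14.0', '15.0')   # Office 2007, 2010, 2013 (assumed set)

function Get-RtfBlockStatus {
    param([string[]]$Versions = $officeVersions)

    foreach ($v in $Versions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
        if (-not (Test-Path -Path $key)) { continue }   # this Office version not installed or never hardened

        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $rtf   = $props.RtfFiles                        # $null when the value is absent
        $pv    = $props.OpenInProtectedView

        [pscustomobject]@{
            OfficeVersion       = $v
            RtfFiles            = $rtf
            OpenInProtectedView = $pv
            # Blocked only when both values match what the Fixit sets
            RtfBlocked          = (($rtf -eq 2) -and ($pv -eq 0))
        }
    }
}

$status = @(Get-RtfBlockStatus)
if ($status.Count -eq 0) {
    Write-Output 'No Word FileBlock keys found for this user; the Fixit does not appear to be in place.'
} else {
    $status | Format-Table -AutoSize
    if ($status | Where-Object { -not $_.RtfBlocked }) {
        Write-Warning 'At least one Office version will open RTF files; the Fixit has been removed or never applied.'
    }
}
```

Run it in the context of the user whose Office you want to check, since the Fixit writes per-user settings; a domain-wide check would instead read the equivalent Group Policy keys, which this example does not cover.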
The other critical update addresses six vulnerabilities in multiple versions of Internet Explorer, which could be exploited if end users open malicious webpages using IE.
The important bulletins address a vulnerability in all supported versions of Windows and a vulnerability in Office. The Windows vulnerability could be exploited if end users run malicious .cmd or .bat files in trusted or semi-trusted network locations. The Office vulnerability could be exploited if end users open malicious files in supported versions of Microsoft Publisher 2003 and Microsoft Publisher 2007.
A full list detailing the Patch Tuesday security updates can be found here.
Windows Server 2012 R2 and Windows 8.1 receive updates
Microsoft also delivered a cumulative update for Windows RT 8.1 and all versions of Windows 8.1 and Windows Server 2012 R2. It includes previous updates as well as improvements for IE 11 compatibility with Enterprise Mode for IE (EMIE), usability, hardware support, an Active Directory fix for Office 365 and mobile device management. Microsoft said the update should work upon deployment without additional testing.
End-of-life hits multiple products
This Patch Tuesday cycle marks the end-of-life for a number of Microsoft products, including Windows XP, Office 2003 and Exchange Server 2003. This is the last month the company will provide support for these products, although it will continue to offer anti-malware updates for Windows XP through 2015.
All of the patches in this month's update affect either Windows XP or Office 2003. In fact, Kandek noted, if Microsoft hadn't delivered a patch for the RTF vulnerability this month, it would have never gotten a patch.
There are steps to take to mitigate vulnerabilities from running unsupported operating systems, but if enterprises are spending time and money to work around problems, it may make sense to move to a newer operating system, Kandek said.