
Windows Server 2012 R2 updates come alongside light Patch Tuesday

An RTF exploit gets patched for Microsoft Office in this month's Patch Tuesday update. Plus, Microsoft updates server and client OSes.

Though this month's Patch Tuesday is light, it marks the final patch release for Windows XP and other Microsoft products, and includes important changes IT pros need to be aware of.

The latest batch of Patch Tuesday security updates includes four bulletins that address remote code execution vulnerabilities. Two are marked critical and two are marked important.

One critical update addresses three vulnerabilities in multiple versions of Microsoft Office, Office Services and Office Web Apps, which could be exploited if end users preview or open malicious files using Office.

It was an easily exploitable vulnerability, which just meant crafting a believable RTF file and sending it to an unsuspecting victim, said Wolfgang Kandek, chief technology officer of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.

Last month, Microsoft released a Fixit tool to disable reading RTF files to prevent the vulnerability from being exploited. In order to get that functionality back, the user would have to disable the Fixit.

However, since RTF files aren't used as widely as other document types, there is another option.

"Keep the Fixit in place," said Kandek. "That would be a good hardening guideline."

The other critical update addresses six vulnerabilities in multiple versions of Internet Explorer, which could be exploited if end users open malicious webpages using IE.

The important bulletins address a vulnerability in all supported versions of Windows and a vulnerability in Office. The Windows vulnerability could be exploited if end users run malicious .cmd or .bat files in trusted or semi-trusted network locations. The Office vulnerability could be exploited if end users open malicious files in supported versions of Microsoft Publisher 2003 and Microsoft Publisher 2007.

A full list detailing the Patch Tuesday security updates can be found here.

Windows Server 2012 R2 and Windows 8.1 receive updates

Microsoft also delivered a cumulative update for Windows RT 8.1 and all versions of Windows 8.1 and Windows Server 2012 R2. It includes previous updates as well as improvements for IE 11 compatibility with Enterprise Mode for IE (EMIE), usability, hardware support, an Active Directory fix for Office 365 and mobile device management. Microsoft said the update should work upon deployment without additional testing.

End-of-life hits multiple products

This Patch Tuesday cycle marks the end-of-life for a number of Microsoft products, including Windows XP, Office 2003 and Exchange Server 2003. This is the last month the company will provide support for these products, although it will continue to offer anti-malware updates for Windows XP through 2015.

All of the patches in this month's update affect either Windows XP or Office 2003. In fact, Kandek noted, if Microsoft hadn't delivered a patch for the RTF vulnerability this month, it would have never gotten a patch.

There are steps to take to mitigate vulnerabilities from running unsupported operating systems, but if enterprises are spending time and money to work around problems, it may make sense to move to a newer operating system, Kandek said. 


1 comment


The critical d day vulnerability, already the object of targeted attacks, opens the door to remote code execution nasties if a user opens an RTF file in Word 2010 or in Outlook while using Word as the email viewer. The cross-platform update means all versions of Word will need patching, starting with 2003 to the latest 2013 edition, as well as Office for Mac installs. The other critical fix will offer updates for Internet Explorer on everything from IE6 on XP to IE11 on Windows 8.1 and RT. The only version not affected is IE10 under Windows 7,