Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Microsoft releases final fixes for Windows XP, Office 2003

Microsoft's latest Patch Tuesday update also marks the end of support for two widely used products, Windows XP and Office 2003.

The tech giant has long advised users to update to newer versions of the software, particularly those running Windows XP, but on Tuesday, customers were officially notified of final fixes for the platforms via a security bulletin.

In total, 11 remote code execution (RCE) vulnerabilities in Microsoft Office and Windows were addressed with four patches.

The highest priority bulletin, MS14-017, rectified three bugs in Office, including a zero-day vulnerability in Word 2010 that had already been exploited in limited, targeted attacks against users. The flaw could be exploited when a user opened a malicious rich text format (RTF) file, or previewed or opened a malicious RTF email message in Outlook while using Word as the email viewer.

The other patch ranked “critical” by the company was MS14-018, which resolved six RCE bugs in Internet Explorer.

The remaining two bulletins, MS14-019 and MS14-020, were ranked “important,” and fixed vulnerabilities in the file handling component of Windows and in Microsoft Publisher.

On Tuesday, Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing, rallied users via a company blog to join him in “wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives.”

But for many, the software will retain longevity, particularly the 12-year-old XP operating system.

IT research and advisory firm Gartner, for instance, estimates that 20 to 25 percent of enterprise systems will still run XP past its ending support phase.

On Tuesday, Christopher Pogue, director at security firm Trustwave, told SCMagazine.com in an interview that most organizations running the operating system may not realize they face additional attacks by running the unpatched software – if they are even aware, in the first place, that they are running XP.

“Honestly, most organizations may not even know it, if your core competency is not IT,” Pogue said. “If you are selling food [for instance], you just want a system that functions and you may not be aware that it's got an underlying [operating] system on it.”

He added that enterprises should also take the transition in stride, as patch management is only a part of thwarting attacks.

“I think the big [point] to understand is that the sky isn't falling,” Pogue said of XP's sunset, later adding that security needs to be "holistic," as part of a defense in depth strategy.

On Tuesday, Wolfgang Kandek, CTO at vulnerability management and network security firm Qualys, told SCMagazine.com that anyone still running XP is running a much higher risk of getting attacked, but that users continuing to rely on the software could minimize threats by limiting their activity, such as browsing the internet or using email while on the system.

In a Monday blog post Kandek also advised that XP users implement Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as added defense.

“It monitors activity, identifies irregular behavior and aborts suspicious programs,” he wrote. “It's worked against all 0-days I've seen this year, and has prevented exploitation of vulnerabilities. It's not widely publicized, but has very nice capabilities.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.