With its monthly security update, Microsoft has released four patches that address six bugs in its products, including a zero-day flaw in XP and Server 2003.
The company published its Patch Tuesday bulletin summary on its TechNet blog, where it revealed that all four bulletins addressed vulnerabilities ranked “important.” The update, released Tuesday, marks the first in some time to be devoid of fixes for Internet Explorer, or patches for flaws deemed “critical” by Microsoft.
On Tuesday, Russ Ernst, director of product management at endpoint management and security firm Lumension, wrote on the company blog that attacks leveraging the zero-day had “only been seen used in conjunction with a vulnerability in Adobe Reader and Acrobat that was patched in May as part of Adobe Security Bulletin APSB 13-15.”
“This was typically exploited by an attacker sending your user a spear phishing email with a bad Adobe link,” Ernst wrote. “Once clicked, that attacker could then gain administrator access to the machine. Keeping your Adobe applications fully patched will mitigate this vulnerability, but it's important to apply MS14-002 as a defense in depth.”
For users still running XP, which will reach end of support in April, this bulletin should take precedence, Ernst said.
The January security update also includes a patch (MS14-001) for three memory corruption vulnerabilities in Microsoft Word, which exist in the way that Office parses specially crafted files.
The remaining two patches, MS14-003 and MS14-004, respectively fix an elevation of privilege vulnerability in Windows kernel-mode drivers and a bug in Microsoft Dynamics AX, which could allow denial-of-service attacks upon exploitation.
Microsoft Dynamics AX is enterprise software that supports operational and administrative planning, such as accounting, supply chain and other business tasks.