As expected, Microsoft issued its final epitaph for Windows XP today, pushing out four security bulletins for 11 vulnerabilities, including the last updates for the oft-maligned, thirteen-year-old operating system.
Despite it being XP’s last gasp from a security standpoint, it’s actually a relatively light batch of Patch Tuesday updates this month. Two of the bulletins are branded critical and the other two important, but all of them can lead to remote code execution in their respective software, including recent versions of Word and some versions of Internet Explorer, if left unpatched.
The first critical patch (MS14-017) fixes a zero day first discovered last month in Microsoft Word. The patch fixes three vulnerabilities in total, chief among them the RTF memory corruption vulnerability that’s been discussed in depth over the past month. That bug could open the program up to remote code execution and let an attacker gain administrative rights if a specially crafted RTF file is either opened or previewed in Word or Outlook. Microsoft warned about the vulnerability – first in an advisory last month, then in a Fix-It – after it discovered limited targeted attacks that used it as a vector in the wild. The exploit for the zero day, rather complex in nature, includes an ASLR bypass, ROP techniques and shellcode with multiple mechanisms designed to circumvent analysis. In addition to the memory corruption bug, the patch also fixes two additional vulnerabilities: a file format converter vulnerability in Office and a stack overflow vulnerability in Word.
The Word issue is the only bug being patched today that’s actively being exploited, so naturally experts are calling it the biggest priority of the four for service administrators.
“This continues a trend we’ve seen of Office-based exploits being successfully used in targeted attacks over the past few years,” Marc Maiffret, the CTO of BeyondTrust said Tuesday. “Deploy this patch as soon as possible to fix vulnerabilities in both Word and Office Web apps.”
The second critical patch (MS14-018) also fixes memory corruption bugs, six of them to be exact, in most versions (6-9, 11) of Internet Explorer. Much like the Word vulnerability, if a user were to stumble upon a malicious webpage, an attacker could exploit the bug to execute code on the computer in the context of the current user. This vulnerability is one of two that affect components on XP, including IE 6 for those still running XP’s Service Pack 3 and its Professional x64 Edition Service Pack 2.
A previously disclosed file handling vulnerability (MS14-019), which could have allowed remote code execution in Windows, was also fixed by today’s updates. If left unpatched, an attacker could trick a user into running a specially crafted .bat or .cmd file and gain control. While still important, it’s safe to say this vulnerability may be the least dangerous of today’s patches, as a user would have to be tempted to execute a batch file on a malicious network share. Still, this is the second issue that could affect users running some outdated versions of XP.
The last patch (MS14-020) addresses a hole that could open a machine up to remote code execution if someone were to open a specially crafted Microsoft Publisher file.
While it may seem minor, Ross Barrett, Senior Manager of Security Engineering at Rapid7, is encouraging any firms that use the software on their system to prioritize the patch.
“I expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents,” Barrett said of the vulnerability on Tuesday.
On top of the two bulletins that affect XP, the Publisher issue and the Word issue figure into two bulletins that also affect Microsoft Word 2003, making today’s four bulletins the final updates for both XP and Office 2003.
If somehow you missed it, Microsoft is ending support for XP, Internet Explorer 6 and Office 2003 today, meaning this month’s patches mark the last time the company will issue security updates for these products. While it’s only a scant four bulletins, this makes April’s Patch Tuesday an essential one for those who rely on the outdated platforms and apps.
It’s assumed many admins are in the process of migrating off of XP – but it’s likely they’ll continue to have their hands full, not just with today’s updates, but also recent updates from Google, Mozilla, Apple and other companies following last month’s Pwn2Own competition.
It’s widely expected that a subset of attackers will ramp up exploits targeting XP after today, and potentially examine patches for modern Windows 7 and 8 systems and adapt them to the now-unsupported XP machines.