Microsoft announced Thursday that it plans to release four bulletins next week as part of the year’s first batch of Patch Tuesday security updates, none of which are rated critical.
Despite the relatively light load, the patches do address a zero-day vulnerability in Windows XP and Windows Server 2003 made public in early November. Hackers were actively exploiting the flaw in the ND Proxy driver that manages Microsoft’s Telephony API on XP via infected PDF attachments. Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.
In addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle’s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.
The Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all which Microsoft has deemed important, including the zero-day fixes.
“It’s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,” said Russ Ernst, a director of product management at Lumension. “If you’re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.”
According to a post on Microsoft’s Security Response Center blog by Dustin Childs, MS14-002, will address the zero day, and he acknowledged they were working on a patch for the issue – which stems from a vulnerability in the kernel and allows local privilege escalation and access to the kernel – back in December.
“We have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,” Childs said.
Microsoft has used the zero-day vulnerability as a prime opportunity to urge Windows users to migrate off XP. The company previously announced its plans to effectively end support for the operating system on April 8.
The first bulletin will address a remote code execution in Microsoft’s Sharepoint Server and Microsoft Word, the third will fix an elevation of privilege in Windows 7 and Server 2008 R2 and the last bulletin will fix a denial of service (DoS) issue in Microsoft’s enterprise resource planning software, Dynamics AX.
Per usual Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.