Patch Tuesday for April 2014 - it's Goodbye, Farewell and Amen for Windows XP

Filed Under: Featured, Microsoft, Vulnerability, Windows

The date's been in our diaries since 2007.

But even with seven years to prepare for it, you'll be forgiven for approaching this month's Microsoft Patch Tuesday with a bit of a lump in your throat.

It's the last patch for Windows XP, after 13 years of service, as well as the end of the road for Office 2003 and Exchange 2003, which won't get updates again.

One burning question over the past two weeks is whether the recently-publicised Rich Text Format (RTF) zero-day in Microsoft Word would be patched.

That's a vulnerability that can theoretically be exploited on all versions of Word, even on the Mac, by using a booby-trapped RTF file that crashes Word and diverts control into executable code hidden inside the document file itself.

That's one of the worst sorts of security hole, known as an RCE.

RCE is short for Remote Code Execution, and it generally means that an attacker can send you what is supposed to be a harmless data file, yet use it as a secret delivery mechanism for an executable warhead.

The RTF zero-day is known as CVE-2014-1761, and can even affect you from Outlook.

If Outlook is configured to use Word to render RTF files, previewing an RTF message could kick off an attack.

The good news is that Bulletin One of Microsoft's four patches for April 2014 will fix the RTF hole on all supported platforms, including Office 2003.

That detail was confirmed on the Microsoft Security Response Center blog a few days ago:

The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010. The update will fully address all affected versions.

Don't forget: if you're an Office for Mac user, the "all affected versions" mentioned above includes you, too.

The RTF patch, unsurprisingly, is rated Critical; so is Bulletin Two, Microsoft's customary Cumulative Internet Explorer update.

All versions of IE will be getting a patch to fix an RCE hole amongst other things, with the exception of IE 10. (No, we don't know why both IE 9 and IE 11 have the buggy code, but IE 10 doesn't.)

The two remaining bulletins are only rated Important, even though they are listed as RCE patches.

One is relevant only to users of Publisher 2003 and Publisher 2007, which we don't imagine are used by terribly many Naked Security readers.

The other patch applies to all versions of Windows, from XP SP3 to Windows 8.1, including Windows RT and Server Core installs.

We can't tell you exactly what type of bug this last Bulletin will fix, and we don't know why it isn't considered critical, but we're going to recommend that you install it immediately anyway, especially on Server Core systems.

The decision to deploy Server Core is usually a security-conscious choice, so fixing any known Remote Code Execution holes as quickly as you can is probably a good match for that attitude.

This will, of course, be the last time you'll be applying Microsoft patches to your XP systems.

So, if you are going to be keeping any XP systems alive in the future, why not listen to our End of XP podcast, and take a look at our Eight Tips for improving your XP security situation?

14 Responses to Patch Tuesday for April 2014 - it's Goodbye, Farewell and Amen for Windows XP

  1. Rita · 208 days ago

    Goodbye XP, welcome Mint!!

  2. Shiny317 · 208 days ago

    I shall miss XP. Having XP for years I downgraded, oops mean upgraded to Win 7 Pro.. so yes I'll miss XP. Remember the days when you could put the theme to Windows Classic, move a desktop item and it didn't go invisible? Or what about when navigating and you only wanted to go up a folder level?.. ahh yes! the 'Up' button. Simple, efficient and frankly bl**dy necessary. What about when you could set your view to icons or whatever you liked, hit apply to all folders and ALL meant ALL, not some types, excluding CD ROM which always goes back to its own view. Remembering fondly the search facility that actually found things. Wow!, remember when you could drag a folder out of alignment with other folders and it stayed where you wanted it?

    Yes I have Agent Ransack, classic shell, classic ie, classic start menu etc installed, but it's a shame you have to have 3rd party software to get a computer to work how it always did. Sure XP had its faults as all OS's do, but as for working with it, it damn blows any of the subsequent fashion accessory versions of Windows away. Windows has become eye candy. Gone are the good days of XP which actually worked exactly how I wanted it to. Oh and the Compatibility Mode...hmmm doesn't work with drivers. Had to buy a new flatbed scanner and Pacific Image slide/neg scanner which aren't cheap. It's not just having to upgrade the OS but all the peripherals that hurts. Even my wallet bled from that.

    R.I.P XP, you were the best workable version of Windows Microsoft ever made.. or will ever make. :'-(

    • Mang · 207 days ago

      You think that's bad?
      Try Vista or 8...
      Ew.

    • Anthony Trestana · 207 days ago

      Windows XP has that warm cozy familiarity of a local diner that you continue to frequent, knowing the menu by heart, but also knowing in the back of your mind that the place is way past its prime. Windows XP hardly marks the high water mark of user interfaces, but there is a certain inelegance and counter-intuitiveness to newer operating systems like Windows 7 and 8 and new versions of Office. They almost feel like the bad hybrid offspring of two completely opposing design philosophies: let's place as many options in front of the user as possible versus let's hide as much as possible from the user. The security is better however, which is reason alone to let go and move on.

      On a separate note regarding OS's, if we can now have self-driving cars... could some rocket scientists get together and fix the entire process of printing things off of a computer or device. It is by far the worst technology. It was bad in XP and it is still bad today.

  3. rakso75 · 207 days ago

    I wonder, is Windows XP really dead?:

    [see stories about UK all-of-government support deal for XP for £5,500,000 for one year]

    And quite similar story in other countries.

    To me it seems Microsoft is going to work for one year more (at least) in fixing security holes in Windows XP, more or less as it has done for the last 5 years (end of mainstream support), but this time it will charge companies, countries, organizations for that.

    So it will do the job once, and charge for it multiple times. And only those that pay will get the patches, the rest will be left in the dark.

    From a sales perspective it looks perfect, but somehow something does not look so right here...

    (not to mention the possible misuse of taxpayers money, for not having prepared in advance)

  4. James · 207 days ago

    Rest in peace Windows XP, it's been good using Windows XP all these years. Bye Bye.

  5. Dennis · 207 days ago

    I have a company owned laptop with XP that I use daily from a remote location. Obviously I cannot do any upgrades myself. My IT department tells me they will get to me when they can. What do I do in the meantime?

    • Paul Ducklin · 207 days ago

      Errr, tricky one. If they haven't quite got round to you after seven years of warning...you sort of imagine that shouting at them with just a month to go isn't going to help that much.

      Could you send them the "Eight Tips" and the podcast, and ask them if they could help you out with any of the tips in the meantime?

      Or would that just mark you as a stirrer?

  6. MikeP · 207 days ago

    Did you all also realise that users of Windows 7's XP Mode will not get any more support for this after the 8th April? It's not just 'XP - The OS' that dies from lack of support but also the ability to run legacy applications that don't run in W7 so need XP Mode. Just go to http://windows.microsoft.com/en-GB/windows7/products/features/windows-xp-mode and read the important note at the top.

    • Paul Ducklin · 207 days ago

      I think it's fair to see "XP" and "XP Mode" as two faces on the same die.

      If you've got legacy apps that still won't run on a version of Windows released about five years ago because the vendor (or your company, if they are in-house) hasn't got around to updating them yet...

      ...then what sort of security attention do you think that app will have had in the past five years?

      If the end of XP finally forces you to bin those apps that were written in and for a previous era in computer security, that might be the best thing that ever happened to you, security wise.

  7. Brian Read · 207 days ago

    I'm being hit with this as though it is an antidote to the XP end of life. Got any information?

    [link to UK government deal for more support and updates for XP for one year, 5.5m pounds]

    • Paul Ducklin · 207 days ago

      I think the easiest answers are:

      1. It's not an "antidote." It's a temporary bandage.

      2. It seems as though just upgrading to Windows 7 or 8 would be easier and cheaper, not least because you're going to have to do it anyway.

  8. Entering the Android world has been hard work for a 75 year old with short term memory and definitely will not be going to Win 8, just got used to Win7 on laptop, with XP on desktop where I can find all my photos in one place, not in various folders I forget the names of.
    Looks like I will be using XP as dumb terminal fed off the laptop or something my local shop suggests. :-(

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog