April 2014 Patch Tuesday Fixes Microsoft Word Zero-Day
This month’s Patch Tuesday is primarily notable for two reasons. It addresses the recent zero-day vulnerability for Microsoft Word and it also marks the last Patch Tuesday for Windows XP and Microsoft Office 2003. All in all, April Patch Tuesday is relatively light, with only two ‘critical’ and two ‘important’ updates.
One of the ‘critical’ updates, MS14-017, addresses the recent zero-day affecting Microsoft Word and Office Web Apps. The vulnerability (CVE-2014-1761) is a flaw in Word’s handling of RTF content: if exploited, it could allow remote code execution when a user opens a specially crafted RTF file, or previews a specially crafted RTF email message in Outlook with Word set as the email reader. Microsoft first reported this vulnerability in Security Advisory 2953095, which also provided a Fix it tool that blocks Word from opening RTF content as a temporary workaround. Microsoft recommends that users who applied the Fix it undo it once the security update has been installed; otherwise RTF files will remain blocked even though Word is patched.
This month’s release also includes MS14-018, a ‘critical’ cumulative security update for Internet Explorer that addresses six vulnerabilities in the browser. If exploited, these could allow remote code execution if a user visits a specially crafted webpage. The two ‘important’ updates are MS14-019 and MS14-020. MS14-019 fixes a vulnerability in Microsoft Windows that could allow remote code execution if a user runs a specially crafted .BAT or .CMD file. MS14-020 addresses a vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher.
As mentioned earlier, this is also the last Patch Tuesday for Windows XP. After 13 years of service, Microsoft will no longer provide security updates for the popular OS. Users who rely on the platform will find their computers at increased risk, as any vulnerability discovered from now on will go unpatched. Discussions about the Windows XP end-of-support may be found in our blog entries, “Managing Windows XP’s Risks in a Post-Support World” and “Windows XP Support Ending – Now What?” We encourage users to upgrade to later versions of Windows to ensure that their computers remain protected.
Though not as heavily publicized as Windows XP, Microsoft Office 2003 has also reached its end-of-support, or to be more precise, the end of its extended support. Office 2003 will no longer receive updates or fixes of any kind. Like Windows XP users, Office 2003 users are encouraged to upgrade to later versions in order to keep receiving updates. Users may also opt for open source applications such as LibreOffice (for Windows and Linux) and NeoOffice (for Mac OS X).
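Before the risk of unpatched systems can be managed, administrators need to know which hosts are still running Windows XP or Office 2003. The following PowerShell script is an added example, not code from the original post or from Trend Micro; it assumes a domain with the ActiveDirectory module available and WinRM enabled on the hosts it queries, and the Office 2003 detection relies on the Office 11.0 registry hive that Office 2003 creates (the Word InstallRoot key is used as the marker). Host and domain names are whatever the directory returns; nothing here is specific to one environment.

```powershell
# Added example (not from the original post): inventory hosts that stopped
# receiving updates after April 2014. Assumptions: the ActiveDirectory module is
# installed, and WinRM is reachable on the hosts queried for Office 2003.
Import-Module ActiveDirectory

# Windows XP: AD stores each computer object's OS string, so no remote call is
# needed. LastLogonDate helps separate live machines from stale objects.
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, OperatingSystem, LastLogonDate

# Office 2003 is Office version 11.0. An installed Word 2003 leaves an
# InstallRoot key under the 11.0 hive; on 64-bit Windows the 32-bit Office
# hive sits under Wow6432Node, so both locations are checked.
$office2003Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Office\11.0\Word\InstallRoot',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\11.0\Word\InstallRoot'
)

$enabledHosts = Get-ADComputer -Filter 'Enabled -eq "True"' |
    Select-Object -ExpandProperty Name

# Query the hosts in parallel over WinRM. Hosts that do not answer (Windows XP
# itself has no WinRM by default) are skipped rather than aborting the run.
$office2003Hosts = Invoke-Command -ComputerName $enabledHosts `
    -ErrorAction SilentlyContinue -ArgumentList (,$office2003Paths) -ScriptBlock {
        param($paths)
        foreach ($p in $paths) {
            if (Test-Path $p) {
                [pscustomobject]@{ Host = $env:COMPUTERNAME; Office2003Key = $p }
            }
        }
    }

"Windows XP hosts still in the directory:"
$xpHosts | Format-Table -AutoSize

"Hosts with Office 2003 installed:"
$office2003Hosts | Select-Object Host, Office2003Key | Format-Table -AutoSize
```

The XP list comes straight from the directory, so it is only as accurate as the OS attribute on each computer object; cross-check it against whatever asset inventory or endpoint agent reporting is already in place. The Office 2003 check needs remote access to the host, so machines that cannot be reached over WinRM simply do not appear and should be followed up separately.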
Microsoft has also released Security Advisory 2755801, which delivers updates for the Adobe Flash Player that is bundled with Internet Explorer. This update addresses vulnerabilities in the Flash Player build that ships with Internet Explorer 10 and 11.
We encourage users to apply these updates as soon as possible. Additional information may also be found in the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.