So this is it, the last hurrah for the once beloved XP, the last kick at the can for patching up the old boat. Sure, by today's standards it's a leaky, indefensible, liability, but… hey, do you even remember Windows 98? Or (*gasp*) ME? At least we can all finally put IE 6 to rest, once and for all, the final excuse for corporate life-support has been pulled… except for legacy apps built so poorly that they depend on IE 6 and are “too costly” to replace.
As everyone should know by now, there are a good number of known, severe issues still present in Windows XP. In some cases Microsoft has been sitting on these responsibly disclosed cases for a number of years, this is officially their last chance to patch them for a solid 27% of the Windows users out there in the world. Keep those poor folks from getting pwned by the credit card gremlins, right? So here it is, it's going to be a hell storm Patch Tuesday, security teams around the world will go days without sleep, patching these … four issues? Wait, what? Only 4?
Now, let's not forget, that Office 2003 is also EOL come April 8, and this PT does not neglect either of it's orphaned products. 2 apply to XP (among other Windows OSes), and 2 apply to a component of Office 2003. Technically the critical issue affecting XP is an IE issue (MS14-018), affecting versions 6-9 & 11 but somehow skipping 10.
The top story in these advisories is actually the Word issue, MS14-017. One of the issues addressed by this fix is under active exploitation in the wild and has already been temporarily addressed in security advisory 2953095. The 2953095 fix is a complete, but heavy handed fix and Microsoft is advising that it can be removed safely before or after installing the MS14-017 patch in order to restore full rich text format functionality. None of the other advisories feature attacks under active exploitation.
MS14-019 is definitely the lowest priority, in that a user would have to be enticed into executing a batch file on a malicious network share. Exploitation of this vulnerability is two steps of misdirection removed from reality. Nothing to ignore, but not a top tier, urgent concern.
There it is folks, another relatively light Patch Tuesday, 2 critical affecting all supported versions of Word and most versions of Internet Explorer (patch these first). Prioritize the Publisher issue, if you have it in your environment, because I expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents.
Is it just me, or does it seem like responsible disclosure of Windows XP vulnerabilities would allow for the public disclosure of any known vulnerabilities at this point? I'm *not* advocating for that, but I'm typically conservative on this issue. I can see how others, with a more militant stance might take a different approach here. And what about POSReady 2009? It's still XP SP3 under the covers. Says XP when it boots up. Runs on a metric tonne of ATMs and cash registers… It's still supported for another 4 years (XP on life support). How will Microsoft handle it when they release patches for that?
Along with coverage for April Patch Tuesday, we also released authenticated and unauthenticated checks for Heartbleed (CVE-2014-0160 - that link takes you to the relevant XKCD cartoon, since at this time, NIST hasn't gotten around to updating the official CVE entry). The authenticated checks are for Ubuntu, RHEL, CentOS, AMI, & SUSE linux. The unauthenticated checks are platform agnostic. You need latest (5.9.2) content and product updates to have all that coverage. More on Heartbleed coverage in an upcoming post.