Final Windows XP-Office 2003 Patch Tuesday a light one

Microsoft has released the Advance Notification for next week's Patch Tuesday for April 2014, the final one for Windows XP and Office 2003. After next Tuesday, neither product will receive updates of any kind, including security updates, for general release.

There will be a total of four updates released for all products, two for Windows and two for Office. Only one of the updates for each product is rated critical, although we don't yet know the number of vulnerabilities addressed for any of the products or their exact nature. All four updates are for remote code execution vulnerabilities.

The one critical Windows vulnerability is in fact a critical update that affects nearly all versions of Internet Explorer on all Windows platforms. Most unusually, it does not affect Internet Explorer 10, although it does affect IE 11 (along with IE 6, 7, 8 and 9). The other Windows vulnerability affects all versions of Windows, including XP, and is rated Important on all of them.

The one critical Office vulnerability affects all versions of Office and is rated critical for all of them. This includes the Office Web Apps 2010 and 2013, as well as the Word Automation services of SharePoint Server 2010 and 2013. This would seem to indicate that the vulnerability is part of Microsoft Word.

[UPDATE: It's possible that the critical Word vulnerability to be fixed is the recently-disclosed bug in the handling of RTF files.]

[UPDATE 2: Microsoft has confirmed that the Word update does address the RTF issue, which is being exploited in the wild. It will be the first update on Tuesday and therefore MS14-017.]

Microsoft will also release a new version of the Malicious Software Removal Tool and an undisclosed number of non-security updates.