Microsoft issues final Windows XP, Office 2003 patches

Summary: Microsoft Windows, Internet Explorer, Word and Publisher are patched, some products for the last time.

Today Microsoft released four security updates for Windows and Microsoft Office. These will be the last publicly-released updates for Windows XP and Office 2003.

A total of 11 vulnerabilities were addressed by these updates, including seven for Windows XP and four for Office 2003.

Separately, Microsoft released fixes for Internet Explorer 10 and 11 to address vulnerabilities fixed by Adobe in the Flash Player bundled in the Metro versions of IE.

Among the vulnerabilities patched is a critical error in the handling of RTF files by all versions of Microsoft Word. Microsoft says that "limited, targeted" attacks using this vulnerability have been observed in the wild.

The specific updates are:

  • MS14-017: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) — Three vulnerabilities in Microsoft Word and Word-related Office products like the Office Web Apps. One of these is the aforementioned RTF vulnerability, the only critical vulnerability of the three, and it affects all versions of all affected products. The other two vulnerabilities have much more limited scope: One affects the Word 2007 and 2010 File Format Conversion Utility. The other is a stack overflow in Word 2003.
  • MS14-018: Cumulative Security Update for Internet Explorer (2950467) — This update fixes six vulnerabilities in Internet Explorer. All versions of IE on all platforms are affected except for IE 10. Neither IE 10 nor IE 11 is affected by five of the six vulnerabilities and IE 11 is the only version affected by the other one. All affected IE versions are affected by at least one critical vulnerability.
  • MS14-019: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229) — A non-critical vulnerability affects file handling in all versions of Windows. An attacker could trick users into running .bat or .cmd files from untrusted locations without a warning. This vulnerability was already publicly disclosed.
  • MS14-020: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145) — Publisher 2003 and 2007 are vulnerable to a remote code execution attack that is triggered when a user opens a specially crafted file.

Microsoft judges that functioning exploit code is likely for 10 of the 11 vulnerabilities, the exception being the Office File Converter vulnerability, where they judge exploit code to be unlikely.

Topics: Security, Microsoft, Windows

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
