Microsoft issues final Windows XP, Office 2003 patches

Microsoft issues final Windows XP, Office 2003 patches

Summary: Microsoft Windows, Internet Explorer, Word and Publisher are patched, some products for the last time.

SHARE:
43

Today Microsoft released four security updates for Windows and Microsoft Office. These will be the last publicly-released updates for Windows XP and Office 2003.

A total of 11 vulnerabilities were addressed by these updates, including seven for Windows XP and four for Office 2003.

Separately, Microsoft released fixes for Internet Explorer 10 and 11 to address vulnerabilities fixed by Adobe in the Flash Player bundled in the Metro versions of IE.

Among the vulnerabilities patched is a critical error in the handling of RTF files by all versions of Microsoft Word. Microsoft says that "limited, targeted" attacks using this vulnerability have been observed in the wild.

The specific updates are:

  • MS14-017: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) — Three vulnerabilities in Microsoft Word and Word-related Office products like the Office Web Apps. One of these is the aforementioned RTF vulnerability, the only critical vulnerability of the three, and it affects all versions of all affected products. The other two vulnerabilities have much more limited scope: One affects the Word 2007 and 2010 File Format Conversion Utility. The other is a stack overflow in Word 2003.
  • MS14-018: Cumulative Security Update for Internet Explorer (2950467) — This update fixes six vulnerabilities in Internet Explorer. All versions of IE on all platforms are affected except for IE 10. Neither IE 10 nor IE 11 are affected by five of the six vulnerabilities and IE 11 is the only version affected by the other one. All affected IE versions are affected by at least one critical vulnerability.
  • MS14-019: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229) — A non-critical vulnerability affects file handling in all versions of Windows. An attacker could trick users to run .bat or .cmd files from untrusted locations without a warning. This vulnerability was already publicly disclosed.
  • MS14-020: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145) — Publisher 2003 and 2007 are vulnerable to a remote code execution attack by opening a specially-crafted file.

 Microsoft judges that functioning exploit code is likely for 10 of the 11 vulnerabilities, the exception being the Office File Converter vulnerability, where they judge exploit code to be unlikely.

Topics: Security, Microsoft, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

43 comments
Log in or register to join the discussion
  • Microsoft issues final Windows XP, Office 2003 patches

    Its good to see that Microsoft Windows are continuing to stay on top of the holes in their software. Now that the Microsoft Windows XP operating system is EOL there has never been a better time to upgrade to Microsoft Windows 8.1.

    Thought I'd save you the trouble Loverock!

    (sarcasm flag well and truly raised!)
    The Central Scrutinizer
    • 8.1 does not address the real problem

      With 8.1 you are still in the same boat as XP. So upgrading all your ATM machines to 8.1 will not solve the end-of-life problem. Microsoft inability to support their own software when the hardware is still running perfectly well is inexcusable for a software giant. Microsoft has severe quality issues with their software. Linux has be churning for more than 20 years now. The best that Microsoft can do was XP with them being able to support it for 13 years. According to the Linux foundation, they will be able to support Linux forever. Forever is a long time but compared with Microsoft's talk of only supporting their own OSes for 7 years now. Imagine now with ATMs having to deploy thousands of ATM machines every 7 years!
      Tim Jordan
      • Which version of Linux has been churning for 20 years?

        nt
        ye
      • Nobody supports PC software as long as Microsoft

        "Linux" is not a product any more than "Windows" is. If you look at any individual distro you'll see that they stop providing updates after some time, and that time is much shorter than Microsoft's lifecycle for a version of Windows (10, 12 in the case of XP).
        Name anybody who has a longer support lifecycle. The fact is that XP is *not* performing perfectly well. Its architecture prevents it from being adequately secured. The upgrades necessary to meet current security requirements are available in later versions, but not in XP.
        larry@...
        • RatHat and Suse supports PC software as longer than Microsoft

          Red Hat Enterprise Linux - 13 years
          https://access.redhat.com/site/support/policy/updates/errata/

          SUSE Linux Enterprise - 13 years
          https://www.suse.com/support/policy.html

          And for the record XP was only supported for 12 years because Vista was such a flop when released that they were forced to extend XP
          timothyja
          • Not 13 years

            RHEL extended support do not offer any security updates. With SUSE you have to pay extra for them. That being said, they do provide 10 years which match MS.
            yuhong2
          • Why are you comparing server software with desktop software?

            nt
            ye
          • There are other examples, some of them desktop

            I remember that Irix support (SGI workstations, which were not necessarily servers) lasted a comparable, if not longer, length of time.
            Mac_PC_FenceSitter
          • That support was not free.

            Likewise you're still comparing completely different classes of systems. You paid dearly for support. You're also missing an obvious one: Solaris. Solaris 10 was released in 2005 and is not slated to end support until 2021. That's roughly 16 years of support. But that's not free support. I have to pay to obtain security patches for Solaris 10.
            ye
          • And what of it?

            The "12 years of support" thing is predicated on the notion that Windows is your best option if you want super long term support.

            While it is certainly your best option among common computer products (no general purpose competitor offers anything near as good), it does mean that for scientific and engineering workstations that need long term continuity, there are alternatives that are just as good, if not even a bit better.
            Mac_PC_FenceSitter
          • No, it is not predicated on the notion it is your best option.

            The claims I've read are along the lines of "forced obsolescence", "abandoning", and "inability to support". All leading to the conclusion Microsoft's support is sub par. No one is claiming it is the best. However in order to beat it one has to move on to enterprise level support agreements which cost $$$. If you're going to apply those use cases then you can't ignore Microsoft is still offering patches for Windows XP if, like those other offerings, you are willing to pay big $$$ for it.

            I have yet to see another general purpose OS, and no Solaris and IRIX aren't what I would consider general purpose, provide FREE security patches for 10 years.
            ye
        • Would you care to elaborate on that statement?

          "Its architecture prevents it from being adequately secured." I have never thought of this as a possibility, nor have I ever heard anyone say such a thing. If you extend that thought, it would mean that Microsoft built XP KNOWING it would be compromised, and did not care.
          chrome_slinky@...
          • Times change

            From what MS knew at the time, they touted XP as the most secure OS they had ever written. A year later, Bill Gates stopped all new projects and put the people to work fixing the security sieve called XP. But they couldn't make it completely secure without breaking things.

            They learnt from that experience and from new attack vectors over time to incorporate new methods of protection into Vista, 7 and 8. Each is progressively more secure than the previous version. But that also means each version is progressively less backwards compatible with poorly written software - one of the big reasons many companies can't migrate.

            The same is true of Linux or any other OS. Over time new techniques become available, which need to be integrated. Integrating them into the OS means some older applications stop working and need to be modified or re-written.
            wright_is
          • Your comment furthers the idea

            that they did not care. If the time chasing rainbows [trying to develop WinFS] had not been wasted, XP could have received a refresh, and no one would have had the unforgettable experience of the first release of Vista - it took another three years for it to become really usable.

            Also, I've read most of the releases that the guys who were Winternals have written, and though there were many changes noted, not many were for security. Most had to do with how multimedia and other complex things were handled, and what was done to tune the kernel to make it more efficient. In truth, Microsoft merely stole more and more of the things long before done in Unix, going so far as to hamfistedly copy the directory structure [as one example], making each release a little more like Unix.

            As I think about it, I would also say that Microsoft has not made many things ANY better, because we constantly see things being patched across ALL supported platforms, meaning they did not learn anything from the previous iterations - they simply repeated the same mistakes, and waited for them to be found.

            You can get very philosophical about this, and say that no software will ever be perfect, but, it seems that humans should be able to learn from previous mistakes, though it would be hard to prove it using software design by Microsoft as an example.
            chrome_slinky@...
          • I think it best you not talk about things you know nothing about.

            nt
            ye
      • And which...

        20 year old release is still being actively supported? They have all long since be EOLed and need to be upgraded.

        Case in point, a customer managed to find a retail copy of SUSE 6.4 (year 2000) this week to rebuild an old server, which can't be upgraded to a newer version.
        wright_is
  • Poor guys

    In a few months, they'll be lamenting the plight of all of these XP users that refuse to leave. XP ain't dead by a long shot!
    frankzentura
    • The problem with XP

      The problem with XP is that it is not like the previous versions of Windows. Windows XP is NT architecture and unlike Windows 98, its fairly reliable but now not very safe. I hope Windows XP users don't jump on the Chromebook bandwagon, there is a reason Chromebooks cost so cheap.
      Pollo Pazzo
      • Those that claim that they are dependent on Windows XP code that ...

        ... won't run under Windows 7 have no choice - they must stick with a Windows-based mitigation strategy. The longer they wait, the more it will cost them.

        The rest will spend a lot of time and money moving to Linux or MacOSX - and probably move back to Windows when they realize the scale of the learning curve (Linux) and/or the cost of upscale hardware.

        Those who just don't like change will not be able to stomach a paradigm shift to ChromeBooks or tablets.

        There are lots of choices for those that are bold - but the bold started their transition back in 2009, then they first learned of the deadline.
        M Wagner
        • Except

          Many can't stomach a paradigm shift to Windows 8.x. Sure, a knowledgeable person can make 8 behave like 7 if they choose. But not the average user.

          Security issues notwithstanding, 8 doesn't offer a lot to most desktop users running XP. Especially *apparent* improvements.
          mdsock@...