Microsoft patches Office, SharePoint and Windows, leaves XP behind

Summary: Several vulnerabilities in Windows, some of them critical, certainly affect Windows XP but are not patched there. Office 2003 is also left unpatched for less-severe bugs. Three new zero-day vulnerabilities are revealed.


Microsoft issued eight security updates today addressing a total of 14 vulnerabilities in Windows, Office and SharePoint Server. Three are already being exploited in the wild.

This is the first Patch Tuesday since the end of support for Windows XP and Office 2003. Even though Microsoft provided an update one week ago for all Windows versions, including Windows XP, this time it followed through on policy and released no updates for Windows XP, even though one of the updates issued today is critical and likely affects Windows XP.

Less well-known is that Microsoft Office 2003 also exited its support period in April. There are two updates to Microsoft Office, but none for Office 2003, which appears to be affected by at least one of the non-critical vulnerabilities fixed in the updates to later versions.

Even less well-known is that Microsoft SharePoint Portal Server 2003 also reached the end of its support period last month. Three critical vulnerabilities in SharePoint Server versions 2007, 2010 and 2013, Office Web Apps, SharePoint Designer and the SharePoint Server 2013 Client Components SDK were patched today, but no patches were issued for the 2003 product.

Three of the vulnerabilities disclosed today (listed below) are being exploited in the wild, and a fourth had already been publicly disclosed. The most severe, MS14-029, almost certainly affects Windows XP, is being exploited in the wild, and will not be patched on Windows XP.

  • MS14-029: Security Update for Internet Explorer (2962482) — This is the most critical of today's critical updates. All supported versions of Internet Explorer on all supported versions of Windows (this no longer includes Windows XP) are vulnerable to two memory corruption vulnerabilities which could result in remote code execution. Microsoft says they are aware of limited attacks that attempt to exploit one of the vulnerabilities in Internet Explorer.

  • MS14-022: — All supported versions of SharePoint Server, including 2007, 2010 and 2013, as well as Office Web Apps, SharePoint Designer and SharePoint Server 2013 Client Components SDK are vulnerable to a critical remote code execution vulnerability. A second cross-site scripting (XSS) vulnerability affects only SharePoint Server 2013, Office Web Apps 2013 and the SharePoint Server 2013 Client Components SDK. A final critical remote code execution vulnerability ("Web Applications Page Content Vulnerability") affects only Office Web Apps 2010. Microsoft considers it unlikely that functioning exploit code will be written for this last vulnerability. There is no way of knowing which, if any of these might have affected SharePoint 2003.

  • MS14-024: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033) — A vulnerability in the MSCOMCTL common controls library could allow a malicious web site to bypass ASLR (Address Space Layout Randomization). Microsoft says they are "...aware of limited, targeted attacks that attempt to exploit this vulnerability." The library comes with Microsoft Office and all shipping versions are listed as vulnerable, but it is likely to be exploited through Internet Explorer. Note: Office 2003 may well be vulnerable to this bug, but it is not listed as being updated.

  • MS14-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037) — The proofing tools in Microsoft Office 2007 and 2010 and in some editions of 2013, including the RT versions, are vulnerable to a bug in the way Office checks Chinese grammar, specifically in how it loads a particular DLL. By placing a malicious DLL with a particular name in a particular network directory, an attacker could get users to load attack code. A second vulnerability, affecting certain versions of Office 2013, could allow the operator of a malicious site to obtain the user's Office access tokens, which could then be reused elsewhere on that user's behalf. Microsoft considers it unlikely that functioning exploit code will be written for this last vulnerability.

  • MS14-025: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486) — A privilege escalation vulnerability exists in the way that Active Directory distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploited the vulnerability could decrypt the passwords and use them to elevate privileges on the domain. According to Microsoft, this vulnerability was already publicly disclosed.

  • MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) — Nearly every version of Windows is vulnerable to an elevation of privilege vulnerability in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.

  • MS14-027: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488) — All versions of Windows are vulnerable to an elevation of privilege vulnerability when the Windows Shell improperly handles file associations. A successful attacker could run code in the LocalSystem context. Microsoft says they are aware of limited attacks that attempt to exploit this vulnerability.

  • MS14-028: — Server versions of Windows are vulnerable to two denial of service vulnerabilities in the way Windows handles iSCSI packets, but Microsoft says that neither is likely to result in functioning exploit code.
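Of the bulletins above, MS14-025 is the one a domain administrator has to follow up by hand: the update stops Group Policy Preferences from storing new passwords, but any cpassword values already written to SYSVOL stay readable by every authenticated user until the preference items are removed. The Python script below is an added example, not code from the article or from Microsoft. It walks a SYSVOL-style directory tree and reports every preference item that still carries a cpassword attribute, without decrypting anything. The embedded XML is constructed to mirror the layout of a GPP Groups.xml (GUIDs, timestamps and the password blob are placeholders), and the per-file-type list of account-name attributes is a best-effort mapping assumed from the GPP file formats.

```python
"""Report Group Policy Preferences items that still carry a cpassword attribute.

Added example for the MS14-025 bulletin; not code from the article or from
Microsoft. Only the presence of the attribute is checked; nothing is decrypted.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# Attribute GPP uses for the account a cpassword belongs to, per file type
# (assumed, best-effort mapping):
#   Groups.xml, Drives.xml        -> userName
#   Services.xml                  -> accountName
#   ScheduledTasks.xml            -> runAs
#   DataSources.xml, Printers.xml -> username
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample mirroring a Groups.xml as written under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\.
# GUIDs, timestamps and the cpassword blob are placeholders, not real values.
SAMPLE_GROUPS_XML = """<Groups clsid="{aaaaaaaa-0000-0000-0000-000000000001}">
  <User clsid="{aaaaaaaa-0000-0000-0000-000000000002}" name="LocalAdmin" image="2"
        changed="2014-05-01 10:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED_PLACEHOLDER_BLOB"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
  <User clsid="{aaaaaaaa-0000-0000-0000-000000000002}" name="Helpdesk" image="2"
        changed="2014-05-01 10:05:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" fullName="" description="" cpassword=""
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0"
                userName="Helpdesk"/>
  </User>
  <Group clsid="{aaaaaaaa-0000-0000-0000-000000000003}" name="Administrators (built-in)"
         image="2" changed="2014-05-01 10:10:00" uid="{33333333-3333-3333-3333-333333333333}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0"
                removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""


def find_cpassword_entries(xml_text: Union[str, bytes],
                           source: str = "<string>") -> List[Dict[str, object]]:
    """Return one finding per element that carries a cpassword attribute.

    has_password is False when the attribute is present but empty, which is
    what GPP writes for an item whose password was never set; such items are
    harmless but still worth reviewing.
    """
    findings: List[Dict[str, object]] = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        # First non-empty account attribute wins; "" if the file type is unknown.
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), "")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            "has_password": elem.attrib["cpassword"] != "",
        })
    return findings


def scan_sysvol(root_dir: str) -> List[Dict[str, object]]:
    """Walk root_dir and check every .xml file that sits below a Preferences folder."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if "preferences" not in dirpath.lower().split(os.sep):
            continue
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), path))
            except ET.ParseError as exc:
                # A malformed preference file is itself worth a look, so report it.
                print(f"skipping unparsable {path}: {exc}")
    return findings


if __name__ == "__main__":
    # Stand-alone demo: write the constructed sample into a SYSVOL-shaped temp tree.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "{placeholder-gpo-guid}",
                               "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        for f in scan_sysvol(tmp):
            state = "PASSWORD PRESENT" if f["has_password"] else "empty cpassword"
            print(f"{f['source']}: <{f['element']}> account={f['account']!r} {state}")
```

Point `scan_sysvol` at a copy of the SYSVOL share (or the share itself from a domain-joined host). Every finding with `has_password` set should be removed through the Group Policy Management Console and the affected account's password rotated, because the MS14-025 update does not delete existing items; it only prevents new ones from being created.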

Topics: Security, Microsoft, Windows



  • Microsoft Patches

    does this ever end?????
    • I hope not

      People are not perfect so software is not perfect. If it ends we are all screwed.

      Sadly, no, it will never end. I purchased a Windows 8 PC in mid-February and so far have had 81 updates, 55 right out of the box. This is unacceptable!
      • it's unacceptable Microsoft is improving their product at no cost to you?

        Seems kind of a foolish position to take if you ask me.
        • You know what he means

          The number of updates needed to keep the machine functioning properly and not fall victim to hackers is excessive. Imagine if your car was recalled 55 times in three months.
          • Is it excessive?

            Data please.
          • seriously inapt analogy

            A recall is a serious inconvenience. A software update happens automatically. (And, as we've learned recently, a lot of car companies don't recall enough.)
          • "Recalls"

            "Imagine if your car was recalled 55 times in three months."
            Since Microsoft is used on about 80% of computers - you would have to find applicable flaws on 80% of cars built world-wide in the last 20 years to have a respectable complaint!
          • "You know what he means" is nonsense

            People should say what they mean and mean what they say. What he means is "I hate MS and everything about it, so I'll bitch and moan about it whenever I can, regardless of the value or validity of my complaints".

            Your inapt analogy is merely an apologetic for the run-of-the-mill hate-speech that plagues IT newsletter readers.

            If you don't like MS Windows or MS Office, don't use it (there are plenty of acceptable -- to diverse groups of computer users -- alternatives) and don't bitch about it: your complaints are born of bias, not analysis.

            In case you hadn't noticed, software is nothing like an automobile. Maybe you should see an optometrist or an ophthalmologist about your visualization problems.

            MS didn't hire the cybercriminals who attack their software; people do what they want to do, so blame human nature. OTOH, because MS's behavior has been less than exemplary since its inception (but, hey, it's a for-profit business, which means that it, as a corporate person, cares primarily about the bottom line and its stockholders and can't be expected to behave any differently from most other corporate persons and the sometimes (often?) sleazy biologically and legally human persons who run them. Think Apple, Blackwater, Enron, and Halliburton, just for starters) it deserves to be attacked for its past stupidities if it hasn't corrected them. And stop imagining impossible scenarios from Edward Hicks's "Peaceable Kingdom" paintings. Life always has been, is now, and always will be dystopian.

            Sherlock Holmes would invite you to examine the evidence and conclude, as he would, that MS, despite its myriad flaws, has been and still is doing lots of things right or it would not still be the most important provider of enterprise software in the world.

            I have lots of issues with MS, but I have lots more with everyone else. Winston Churchill is credited with saying: "It has been said that democracy is the worst form of government except all the others that have been tried".
            Much the same can be said about MS Windows and MS Office. There are and always have been better OSes and office suites, but they just don't cut it "at the end of the day". Staying power is a laudable trait.

            So go use your Linux machine and Open Office clone and speak not for anyone but yourself. If you think that we who use and prefer MS software to the other stuff out there don't know all about its weaknesses and unattractive qualities, you are very much mistaken. We don't need to be preached at by sanctimonious missionaries for the litany of "true and best" IT religions.
        • Ye...

          First of all, no one asked you! I'm tired of your trolling. Second of all, it is not free -- my time is worth more to me than installing these unending updates. Microsoft should be required to refund everyone's money until they get their software out of beta.
          • I don't care if you asked or not. You posted in a public forum.

            "! I'm tired of your trolling. "

            Sorry, but it is you who are trolling.

            " time is worth more to me than installing these unending updates."

            It can't be worth that much given the crap you felt the need to post.

            "Microsoft should be required to refund everyone's money until they get their software out of beta."

            I see. So Microsoft is the only one who patches their software. Everyone else released 100% bug free software.
          • Rodo1, you're wrong - you DID ask him.

            Why else do we post here, if not for questions, discussions, and opinions, and rebuttals? (Did you think you would post, and all would automatically agree?)

            If your time is so valuable to you, why not have the system update itself while you sleep? Works well for many others here.

            Though I'm with ye on this one, I think you just wanted to troll....
          • Microsoft

            You fanboys just hate when somebody offends the great Microsoft. Windows is a forever patched up piece of bloated junk.
          • So then....

            ...the constant updates to my Linux install I use daily, rather than Windows, also means it's a "patched up piece of bloated junk".

            The entire time I've been using Windows, updates have caused an issue one time. It seems like every time I let my Linux install update itself with more than 4 or 5 updates, I find myself not booting to a GUI, but instead, a terminal prompt where I have to waste a large amount of time 'fixing' everything the updates just hosed......mostly video and audio driver issues.

            (Also, I don't think you even know who you are replying to.)
          • Rod00 = Troll

            The troll calls someone else a troll -- it fits.

            Regarding your so-called valuable time, if you have your computer set up correctly, the updates are hardly noticeable. Perhaps you should familiarize yourself with the Windows Update settings before going off on a meaningless rant. (Hint: the one you want is "Install updates automatically (recommended)").
          • NameRedacted

            Look, you dunce, I've probably been using Windows about 20 years longer than you have and don't need your advice on how to set up anything on it. Ye made the asinine statement that they were doing "product improvements" when what they are doing is repairing a defective product. There's a big difference.
          • Nothing asinine about it.

            I said they were improving their product by releasing fixes for it. Nothing uncommon about that. If you can name one OS which doesn't receive patches you may have a point. Until such time you're trolling.
          • All software has patches

            OS X gets fewer, but larger, ones; Linux gets many more (smaller) ones.
            Michael Alan Goff
          • Nope

            Linux does not get many more. The updates for Linux include not only updates to the OS but also all installed apps. This is quite different.
          • Yes they do

            The fact is that a normal person, who doesn't install anything new, will continue to get more frequent updates than if they used Windows. When I said more, though, it was because your average Linux distribution will count every tiny program as another update. Whereas Microsoft updates IE and it also fixes the problem in Explorer.exe (as Trident renders both), a Linux user has to update their browser, the thing that renders the file manager. Oh, and let's not forget that the log in system sometimes gets updated. I could go on.

            Also, for RHM, I meant most updates are smaller in MB size than what you're getting on Windows. So instead of 10 updates at a varying 10-100 MB size or whatever, you'll get some that are MB, some that are KB, and so forth.
            Michael Alan Goff