The XPocalypse is almost upon us: Tomorrow, April 8, is the last time Microsoft will issue security updates for the 13-year-old Windows XP. This month's Patch Tuesday will have a total of four security updates, Microsoft says, which will also include the final updates for Microsoft Office 2003 and a patch for Microsoft Office for Mac 2011.
Two of the four updates are rated "critical," Microsoft's highest severity rating. One concerns Microsoft Office 2003, 2007, 2010 (32-bit and 64-bit editions) and 2013; the other affects all supported versions of Internet Explorer except IE 10, running on all currently supported Windows operating systems (XP, Server 2003, Vista, Server 2008, 7, 8, 8.1, RT and RT 8.1). The other two updates, rated "important," concern those same operating systems and Microsoft Publisher 2003 and 2007.
All four patches address remote code execution, an attacker's ability to run software of his or her choosing on a computer over a network connection, typically by getting the user to open a booby-trapped file or visit a malicious webpage rather than by breaking in directly.
Microsoft is saving the full details for tomorrow, after the updates are pushed out, but in a blog post the company's Dustin Childs confirmed that one critical Microsoft Office flaw being patched is the recently discovered zero-day, a flaw that attackers were already exploiting before any patch existed, in the way Microsoft Word handles RTF (rich text format) files.
Attackers exploiting this vulnerability have created malicious RTF files that, if opened on a target's computer in Microsoft Word or Microsoft Outlook, give the attacker the same rights as the user who opened them. If that user is logged in as an administrator, so is the attacker, which is yet another reason not to use your computer's administrative account for everyday work.
This attack could work on any version of Microsoft Word, but Microsoft said in its blog post that it has seen only "limited" attacks, all aimed at Word 2010. Others have reported that the RTF zero-day exploit can also be triggered through Microsoft Outlook, which by default uses Word to display RTF email in its preview pane, so simply selecting a message can be enough.
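A triage check that a mail gateway or an incident responder could run against attachments, as an added example that is not code from the article or from Microsoft: Word picks its parser by sniffing a file's contents rather than trusting the extension, so a malicious RTF renamed to .doc still reaches Word's RTF handler, and the check therefore looks at the bytes. The sample attachments are constructed for the demo; the control words it flags (\object, \objemb, \objdata, \objupdate) are standard RTF markers of embedded OLE objects and serve as a generic indicator of object-bearing RTF, not as a signature for this particular flaw.

```python
"""Content-based triage of mail attachments for RTF.

Added example for this article; not code from the article or from
Microsoft. Word chooses its parser by sniffing a file's contents, not by
trusting the extension, so an RTF file renamed to .doc still lands in
Word's RTF handler. This check therefore inspects the bytes. The
attachments in SAMPLE_ATTACHMENTS are constructed for the demo.
"""
import re

# Every RTF file opens with this header (RTF spec: "{\rtf" + version).
RTF_MAGIC = b"{\\rtf"

# Standard RTF control words that carry embedded OLE objects. They are
# a generic indicator of object-bearing RTF, not a signature for the
# specific flaw the article describes.
OBJECT_CONTROL_WORDS = {b"\\object", b"\\objemb", b"\\objdata", b"\\objupdate"}

# Control words are a backslash followed by lowercase letters,
# e.g. \rtf1 -> rtf, \objdata -> objdata (digits end the word).
CONTROL_WORD_RE = re.compile(rb"\\([a-z]+)")


def looks_like_rtf(data: bytes) -> bool:
    """True if the content starts with the RTF header, whatever the file is named."""
    return data.lstrip().startswith(RTF_MAGIC)


def rtf_control_words(data: bytes, limit: int = 1_000_000) -> set:
    """Return the set of control words (as b'\\word') seen in the first `limit` bytes."""
    return {b"\\" + w for w in CONTROL_WORD_RE.findall(data[:limit])}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide whether one attachment deserves quarantine and say why."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_rtf = looks_like_rtf(data)
    reasons = []
    if is_rtf:
        if ext != "rtf":
            reasons.append("RTF content behind a .%s name" % (ext or "(none)"))
        hits = sorted(w.decode() for w in rtf_control_words(data) & OBJECT_CONTROL_WORDS)
        if hits:
            reasons.append("embedded-object control words: " + ", ".join(hits))
    return {"filename": filename, "is_rtf": is_rtf, "reasons": reasons,
            "quarantine": bool(reasons)}


# Constructed sample attachments (not real captures).
SAMPLE_ATTACHMENTS = {
    # Plain RTF memo, correctly named: RTF, but nothing embedded.
    "agenda.rtf": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 Meeting agenda\\par}",
    # RTF disguised as a .doc, carrying an embedded OLE object that is
    # told to update itself when the document opens.
    "invoice.doc": (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate"
                    b"{\\*\\objdata 0105000002000000}}\\par}"),
    # A real Word 2007+ document is a zip (OOXML) container, not RTF.
    "report.docx": b"PK\x03\x04" + b"\x00" * 26,
}


def triage_attachments(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Run the triage over a {filename: bytes} mapping."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for result in triage_attachments().values():
        verdict = "QUARANTINE" if result["quarantine"] else "pass"
        print("%-12s %-10s %s" % (result["filename"], verdict, "; ".join(result["reasons"])))
```

Until the patch is installed, a gateway that quarantines anything flagged here (or, more bluntly, anything `looks_like_rtf` returns true for) closes both the Word and the Outlook preview-pane paths described above, at the cost of holding legitimate RTF mail for manual review.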
The other critical patch, for Internet Explorer, closes another hole through which attackers could conduct a remote-code-execution attack. Every supported version of Internet Explorer (6, 7, 8, 9 and 11) is getting this patch except IE 10, which Microsoft does not list as affected; it has not said why.
Of the two patches marked "important," one affects only Microsoft Publisher 2003 and 2007. The other apparently affects every supported Windows version, from Windows XP to Windows 8.1, but Microsoft's advance notice gives few further details about it.
To make sure you receive all crucial Microsoft software updates on Windows XP, Vista or 7, open the Start menu, click "All Programs," then click "Windows Update." In the resulting window, select "Change settings" and then select "Install updates automatically." On Windows 8 and 8.1, Windows Update is found under Control Panel instead. Bear in mind that after tomorrow's release, automatic updates will bring Windows XP no further security fixes, however they are configured.
If you're running Microsoft Office for Mac 2011, open any Office for Mac 2011 application and select "Check for Updates" on the Help menu.
We'll have a post-mortem on Windows XP's final Patch Tuesday after the full updates are pushed through tomorrow.