Microsoft Preps Final Security Patches for Windows XP

The XPocalypse is almost upon us: Tomorrow, April 8, is the last time Microsoft will issue security updates for the 13-year-old Windows XP. This month's Patch Tuesday will have a total of four security updates, Microsoft says, which will also include the final updates for Microsoft Office 2003 and a patch for Microsoft Office for Mac 2011.

Two of the four updates are rated "critical," which is Microsoft's highest security threat rating. One concerns Microsoft Office 2003, 2007, 2010 (32-bit and 64-bit editions) and 2013; the other affects all supported versions of Internet Explorer except IE 10, running on all currently supported Windows operating systems (XP, Server 2003, Vista, Server 2008, 7, 8, 8.1, RT and RT 8.1). The other two updates, rated "important," also concern these operating systems and Microsoft Publisher 2003 and 2007.

All four patches have to do with remote code execution, or an attacker's ability to hijack a computer over a network connection and run software without the legitimate user's involvement.

Microsoft is saving the full details for tomorrow after the updates are pushed out, but in a blog post, the company's Dustin Childs confirmed that one critical Microsoft Office flaw being patched is the recently discovered zero-day exploit — a malware attack for which no patch existed at the time of discovery — concerning the way Microsoft Word handles RTF (rich text format) files.

Attackers exploiting this vulnerability have created malicious RTF files that, if opened on a target's computer via Microsoft Word or Microsoft Outlook, give the attacker the same rights as the user who opened them, including administrator rights if that user has them (yet another reason why you shouldn't use your computer's administrative account for everyday use).

This attack could work on any version of Microsoft Word, but Microsoft said in its blog post that it has found "limited attacks" only on Word 2010. Others have reported that the RTF zero-day exploit can also work through Microsoft Outlook, which by default uses Word to preview RTF files.

The other critical patch, concerning Internet Explorer, patches another hole through which attackers could conduct a remote-code-execution attack. Every version of Internet Explorer (6, 7, 8, 9 and 11) is getting this patch except for IE 10, which for some reason doesn't seem to be affected.

Of the two patches marked "important," one only affects Microsoft Publisher 2003 and 2007. The other apparently affects every supported Microsoft operating system, from Windows XP to Windows 8.1, but the report offers few more details about it.

To make sure you receive all crucial Microsoft software updates, go into your Windows Start menu, click "All Programs," then click "Windows Update." In the resulting pop-up window, select "Change settings" and then select "Install updates automatically."

If you're running Microsoft Office for Mac 2011, open it and select "Check for updates" on the Help menu.

We'll have a post-mortem on Windows XP's final Patch Tuesday after the full updates are pushed through tomorrow.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

Comment from the forums
  • knowom
    So all Microsoft security flaws being patched for XP at its deadline have to do with Office/IE/Publisher, none of which I use anyway nor plan to do so.
    0
  • signothorn
    I'd think if you use XP in a limited account, use Chrome with adblock plus, you should be able to run XP just fine for general use. I keep reading these "chicken little" articles, some even saying ATMs are at risk "from hackers in dark rooms" when they'd actually need a USB direct connection and I think it's a little paranoid and ridiculous.
    1
  • knowom
    Quote:
    I'd think if you use XP in a limited account, use Chrome with adblock plus, you should be able to run XP just fine for general use. I keep reading these "chicken little" articles, some even saying ATMs are at risk "from hackers in dark rooms" when they'd actually need a USB direct connection and I think it's a little paranoid and ridiculous.
    Yeah, pretty much. If someone has USB access to any OS it's going to be a lot more vulnerable in general potentially. I use Mozilla and adblock, but really any web browser that isn't IE will be much safer.
    1