XPocalypse Dispatch: Windows XP Gets Its Final Updates

The first Tuesday of each month is Microsoft's "Patch Tuesday," when the company releases security patches and upgrades for its software and operating systems. But today (Apr. 8) is a Patch Tuesday among Patch Tuesdays: it's the last time Microsoft will release updates for the aged, but still widely used, Windows XP operating system, as well as Microsoft Office 2003 and Internet Explorer 6.

Some security experts call today the "XPocalypse" and warn that XP operating systems will soon be hit with a barrage of attacks and exploits. Whether or not that's the case, the security updates in today's Patch Tuesday address more than just Windows XP. All Microsoft users will want to upgrade their systems and applications accordingly.

The first bulletin, called MS14-017, deals with three vulnerabilities, one publicly disclosed and the other two privately reported, in Microsoft Word 2003, 2007, 2010, 2013, Microsoft Office for Mac 2011, Microsoft Word Viewer and Microsoft Office Compatibility Pack, as well as Microsoft Office Web Apps 2010 and 2013. It is rated "critical" (Microsoft's highest security rating) because attackers could use it to remotely execute malicious code, taking control of some or all of an infected computer's functions through the Internet.

The publicly disclosed vulnerability concerns infected Rich Text Format (RTF) documents. Opening an infected RTF file in one of the affected applications grants the file's creator the same privileges as the account from which the file was opened. Depending on how you've configured Windows user accounts, that means attackers could install and execute other malicious programs on your computer.

The second bulletin, MS14-018, is also rated "critical," and contains six patches that fix vulnerabilities in Internet Explorer 6, 7, 8, 9 and 11 (IE 10 is unaffected) running on all supported versions of Windows: XP, Server 2003, Vista, Server 2008, 7, Server 2012, RT, RT 8.1, 8 and 8.1. This is the last update for Internet Explorer 6 on any system.

If Internet Explorer users viewed a webpage that contained malicious code designed to exploit these vulnerabilities -- a drive-by download -- attackers could gain the same user rights as the current user. (This is why you shouldn't use administrator accounts for day-to-day activities such as Web browsing.)

Even though Microsoft will continue to support IE 7 and 8, it will no longer support any versions of IE on XP. If you must continue to use Windows XP, switch to a different browser, such as Google Chrome, Mozilla Firefox, Opera or WhiteHat Aviator, all of which will continue to support XP for at least another year.

The last two bulletins, MS14-019 and MS14-020, are rated "serious" instead of "critical," but also have to do with remote code execution.

MS14-019 has to do with the file-handling component in all supported versions of Windows. To exploit this bug, attackers would have to trick Windows users into visiting a given network location such as a website, and then downloading and running specially crafted .bat and .cmd files designed for this specific vulnerability.

That's not an easy feat, which is why the bulletin got a lower security rating than the first two, but if the criminals were successful, they would also be able to get the user rights that would let them remotely execute code, such as downloading and installing more malware.

The final bulletin, MS14-020, patches a vulnerability in Microsoft Publisher 2003 and 2007. Similar to MS14-017, the bug is exploited by creating a specially crafted file and then tricking someone into opening that file in the affected versions of Publisher. Like the other bulletins, if successfully executed, this type of exploit would then give the malicious file's creator the same user rights as the account from which the file was opened.

In addition to the full documentation of each bulletin, Microsoft's Dustin C. Childs also wrote a blog post marking the passing of XP and Office 2003.

"Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives," he wrote, even throwing in a T.S. Eliot quotation for extra pithiness.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

  • skit75
    Just finished patching our machines. I'm thinking about putting our remaining XP machines on a subnet with only local DNS'ing so they can reach shares without reaching the WAN. They have a lifetime, expensive inventory control software license on them for access to an application server. It is hard to find a tinfoil hat around here.
  • justin25love
    Interesting, but Bitcoin is just the tip of the iceberg in the crypto-currency world.