In just five days, Microsoft will send off two critical and two important rated security bulletins in what will be the very last Patch Tuesday release providing support for the Redmond, Washington computer company’s ancient and always-vulnerable XP operating system.
The critically rated bulletins will address remote code execution vulnerabilities in Microsoft Office, Office Services, and Office Web Apps as well as bugs in Windows and Internet explorer. The important rated bulletins will close off holes in Windows and Office.
Of course, the first bulletin will resolve a Microsoft Word zero day. The company issued a special security advisory and produced a Fix-it solution after it spotted targeted attacks exploiting the zero day in the wild late last month. The patch warrants highest priority despite the fact that observed attacks required hackers to perform a complicated chain of exploits.
“This is a critical vulnerability that could allow remote code execution if a user opens a RTF file in Word 2010 or in Outlook while using Word as the email viewer,” explained Russ Ernst, director product management at Lumension, in an email interview. “Known to be under active attack, a hacker using this vulnerability could gain user rights.”
The second bulletin, Ernst explained, is a cumulative update for Internet Explorer, which is also critically rated and of high priority for the many IE users on the Web.
“If pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren’t enough,” Ernst continued, “administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in.”
Wolfgang Kandek from Qualys noted in an Interview with Threatpost that this light month of patches is in-step with what has been a light overall year for patches. Thus far, Microsoft has issued just 20 bulletins compared to 36 last year and 28 in 2012.
“That number is lower than where we’re at normally, and I don’t know why,” Kandek admited. “I think people are submitting fewer vulnerabilities to Microsoft; that’s the only explanation I can come up with at the moment. There’s no reason we’re seeing fewer vulnerabilities and I don’t think there’s less research going on. There is no shortage of people who look for bugs, maybe there is a shortage of people who do it for free.”
Kandek’s observation regarding less bug submission is simultaneously sensible and puzzling. On the one hand, Microsoft has been consistently sweetening the pot for security researchers that disclose bugs for the last year or so. On the other hand, exploit brokers like Vupen and other hacking teams are cashing in at hacking contest like Pwn2Own – where the payouts are bigger than ever – rather than submitting directly to Microsoft.