April’s Patch Tuesday Preview has just come out, and we have another light Patch Tuesday with only four bulletins: MS14-017 to MS14-020. This low total is very atypical, and at least 30% under last year’s numbers — in April of 2013 we were at 36 bulletins, and in 2012 we had 20 bulletins. At the same time there is no shortage of vulnerabilities, as we saw at last month’s CanSecWest, where literally all software packages (Java excepted) fell to security researchers who received cash prizes between $75,000 and $100,000.
But back to this month. Four bulletins, two rated critical and two rated important, but all of them enable “Remote Code Execution”, which is what attackers are ultimately after. Bulletin #1 addresses the current 0-day vulnerability (KB2953095) in Microsoft Word and applies to all versions of Word from 2003 through the latest 2013, and to Word for Mac OS X as well. By the way, Office 2003, together with Windows XP, reaches end-of-life after this Patch Tuesday and will stop receiving security updates. The end of life for XP has received plenty of coverage already, but this vulnerability is a good reminder not to focus only on Windows XP: this Office version deserves attention as well.
Bulletin #2 is a new version of Internet Explorer, applicable to all versions of IE from IE6 on XP to IE11 on Windows 8.1 and RT. The only version not affected is IE10 under Windows 7. I expect this bulletin to contain the fixes for the vulnerabilities disclosed at PWN2OWN at CanSecWest.
Bulletin #3 and Bulletin #4 are both rated “important,” but Bulletin #3 is the more urgent one. It affects all versions of Windows and can be used to gain Remote Code Execution. Bulletin #4 addresses a problem in Publisher 2003 and 2007, a software package that we do not see widely installed.