Microsoft to Patch Word Vulnerability Targeted in Attacks

Microsoft announced plans today to release four security bulletins as part of next week’s Patch Tuesday update, including one aimed at a critical vulnerability in Microsoft Word.

According to Microsoft, the Word vulnerability has been observed being exploited in attacks against Word 2010 users and can be leveraged to remotely execute code if the user opens a specially-crafted RTF file or previews that file in Microsoft Outlook using Word as the email viewer.

“The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010.”

The update will fix all affected versions, according to Childs.

The other ‘critical’ update will address Microsoft Windows and Internet Explorer. The remaining two bulletins have been classified as ‘important’ and are aimed at issues in Windows and Microsoft Office.

Tuesday’s patches will offer the last security updates for Windows XP and Office 2003, which both face end-of-life on April 8.

“Once support ends, computers still on Windows XP will become a very juicy target for Internet criminals and attackers,” blogged Patrick Thomas, security consultant at Neohapsis.

“For those who really don’t want to or can’t upgrade, the situation isn’t pretty,” he continued. “Your computer will continue to work as it always has, but the security of your system and your data is entirely in your hands. These systems have been low-hanging fruit for attackers for a long time, but after April 8th they will have a giant neon bull’s-eye on them.”

“If pushing patches for these new vulnerabilities while working a migration plan for XP and Office 2003 users weren’t enough, administrators are still dealing with the fallout from the recent Pwn2Own competition, which revealed vulnerabilities in all of the major browsers and in Adobe’s Flash Player plug-in,” explained Russ Ernst, director of product management at Lumension. “With security updates coming from so many sources this month, IT will be challenged to effectively prioritize their roll outs. The best thing to do is to maintain your patch process, and consider consolidating to a single allowed browser as part of your migration plan to the latest OS.”
