It’s the last Microsoft Update Tuesday before the end-of-life of both Windows XP and Office 2003 and Microsoft is patching two vulnerabilities that also impact XP and two that also impact Office 2003 this month. All-in-all it’s a relatively light month this time around with only four bulletins covering eleven CVEs.
The first bulletin this month, MS14-017, deals with Word and covers three CVEs. One fix is for a 0-day vulnerability, CVE-2014-1761, that Microsoft previously addressed in advisory 2953095 and a “Fix it” that disables support for RTF completely in Word. The vulnerability results from an incorrect “listoverridecount” value in an “overridetable” structure in the RTF file. This value is not properly checked by Word and setting it to an invalid value causes a type confusion bug, which can be exploited by an attacker to gain remote code execution. The vulnerabilities addressed in this bulletin also cover Word 2003.
The requisite Internet Explorer bulletin, MS14-018, only covers six CVEs this month. As usual most of the issues are the result of use-after-free vulnerabilities. This time, none of the vulnerabilities that are being patched were publicly known. Given that IE runs on XP as well, this is one of the two bulletins that covers XP.
MS14-019 fixes a vulnerability (CVE-2014-0315) in the way that Windows handles files that can result in remote code execution. This is the second bulletin that also covers XP.
The final bulletin this month is MS14-020 and deals with Publisher, where a maliciously crafted file can result in remote code execution due to an arbitrary pointer dereference (CVE-2014-1759). As with the Word bulletin, this one also covers 2003.
Rules SID 24974-24975, 30497-30502, 30508-30509 address these vulnerabilities.