Tomorrow’s Patch Tuesday is the biggest of 2014 with eight bulletins. Two critical patches deal with remote-code execution in Internet Explorer 7 and newer, and SharePoint and Office Online - previously known as Office Web Apps. The remaining six are all labelled "important". Bulletins 3 and 8 address a remote-code execution flaw and a security feature bypass vulnerability in Microsoft Office 2007 and newer. Bulletins 4 to 7 are applicable to Windows Vista and newer and Windows Server 2003 and newer, with 4 to 6 addressing elevation of privilege flaws, while 7 fixes a denial-of-service vulnerability.
This is the biggest batch of updates seen so far this year, but each of the eight bulletins addresses only a few flaws, so it is probably not a big deal. What is interesting about this batch of patches is that it is the first which does not fix any holes for Windows XP, indicating that Microsoft really is sticking to its guns over the death of the aged OS. Some had thought that Redmond would blink and be forced to issue updates for its software, meaning that they would be justified in keeping the ancient software going.
Microsoft issued an out-of-band patch for a different critical IE exploit, including Windows XP in the update, leading to speculation that the company may have made a full U-turn on its promise to stop supporting the elderly OS. Since XP is still on a third of the world’s machines, any vulnerabilities that are found between now and doomsday will be an open door for hackers.