Microsoft's final patches for Windows XP that come out tomorrow focus on critical problems with older versions of Internet Explorer that can result in malicious code being run remotely on victim machines.
Internet Explorer 6, 7 and 8 that operate within Windows XP are all being patched in the April Microsoft Security Bulletins, as are vulnerabilities in Windows XP itself that are ranked as important but not critical.
Internet Explorer patches are a routine piece of every month's bulletins, says Russ Ernst, director product management at Lumension. "The second bulletin is the now-expected cumulative update for Internet Explorer," he says. "It's also rated critical and of course key for the many IE users out there."
Other than the historical XP significance of the bulletins this month, they are otherwise unremarkable. There are just four of them, two critical and two rated important. The difference between them is that the important ones require action by the victim such as clicking on a link while the critical ones don't.
The second critical bulletin affects all versions of Office and addresses vulnerabilities and active attacks identified last week in an advisory from Microsoft that offered up a workaround until this permanent fix was ready. "This is a critical vulnerability that could allow remote code execution if a user opens a RTF file in Word 2010 or in Outlook while using Word as the email viewer," Ernst says.