Tyler Reguly, security research manager says:
“Today is like any other patch Tuesday - the prudent advice is to patch Word and IE as soon as possible. The Microsoft Security and Defense blog states that the limited distribution of Publisher will act as a natural limiter, preventing widespread exploitation. I wonder if the introduction of the new Office 365 Home Premium subscription, which will give home users access to Publisher on every system, could potentially change that line of thinking going forward? Given the announcement of Heartbleed, you have to assume that the ‘standardized’ nature of today's Microsoft patches will move them to the back of the minds of IT Security teams as they scramble to patch vulnerable OpenSSL implementations. This makes sense when you look at the criticality of the vulnerabilities, but we need to ensure that Microsoft isn't forgotten.”
Craig Young, security researcher says:
“The final patch Tuesday for Windows XP and Office 2003 is light on security content with just 11 unique CVEs addressed across 4 bulletins.
The top priority for most administrators will be to apply MS14-017 to fix CVE-2014-1761, the Word vulnerability, because it’s currently being exploited in the wild.
As always, the Internet Explorer fix, MS14-018 should also be treated with high priority because attackers have become very adept at quickly creating IE exploits by reversing patches.
Microsoft has blocked off a potential attack vector with MS14-019 which could allow context-dependent attackers to execute attacker-controlled code within poorly implemented programs. Similar to DLL preloading, this attack vector relies on a process loading executable code from an untrusted path.
May 13, 2014 will be a more interesting date than April 8 by far because it will be the first patch Tuesday that will provide attackers with the opportunity to reverse engineer Windows 7 security content and use it to identify vulnerabilities in Windows XP.
It’s already been open season on XP for some time -- Windows XP and Office 2003 have been attacked in the wild with zero-day exploits repeatedly over the years. XP is already an easy target for exploit developers and Microsoft’s decision to stop releasing security fixes doesn’t really change that.”
Lamar Bailey, director of security research writes:
“The April MS patch Tuesday is very light this month and will be completely overshadowed by the EOL of Windows XP.
MS14-017, the Word vulnerability, is the most likely to be exploited and malware samples have started showing up already so patch this as soon as possible -- and don’t forget all the laptops used by remote employees.
The monthly IE patch MS14-018 should also be treated as high priority while MS14-020 (Publisher) and MS14-019 (Windows File Handling) can be patched as time permits.”