Microsoft has released their April pile of fixes for the never-ending list of security holes in their products, mostly Windows and Office. Some are interesting, but not for good reasons.
Thought: with all the hype and promises for Windows 10, there’s no mention of improved security. It would be nice to get a version of Windows that didn’t come with more security holes than proverbial cheese.
Microsoft Office 2007, 2010 and 2013 (all flavors, including Sharepoint) are patched for Remote Code Execution bugs that Microsoft rates as Important or Critical. In most cases, these updates will or have been pushed to your computer via Microsoft Update.
One peculiarity is the 2956138 patch which is only for some configurations of Office 2010 (32 or 64 Bit). However Microsoft hasn’t disclosed which configurations the patch applies to, so customers are supposed to rely on Microsoft Update to work correctly and not skip machines that need patching. Some better documentation and less secrecy would be good.
Another fix is for a security hole that’s been there for three years. The one was supposed to be plugged in 2010, now 3+ years later we discover that patch wasn’t enough and our computers have been vulnerable all this time. It wasn’t any old obscure problem. The March 2015 fix is for the infamous Stuxnet worm that was probably a joint US/Israel project to target Iran. HP’s Tipping Point blog has details. Long standing exploits like this do nothing to give Microsoft customers much confidence.
Two other patches are for problems that have made headlines and are therefore well known to hackers. The Superfish malware and the FREAK SSL vulnerability.
