Microsoft today said it will deliver just four security updates next week, none of them marked "critical," to quash vulnerabilities in Windows, Word, SharePoint Server and Dynamics AX, an enterprise-grade release-planning offering from the company's Dynamics suite.
One of the updates will patch Windows XP and Windows Server 2003 to stymie attacks that Microsoft acknowledged in November when it issued a security advisory. Just hours earlier, security firm FireEye had publicized the attacks, which researchers said combined exploits of the Windows elevation-of-privilege flaw with another that leveraged a more serious bug in older versions of Adobe Reader.
"Bulletin 2 should be at the top of the list," said Andrew Storms, director of DevOps at CloudPassage, in an interview Thursday, referring to the update that will patch XP and Server 2003. "It's related to a known zero-day, and we've already seen an advisory from Microsoft. That might change next week when we see the details of the other bulletins, of course."
Others, including Russ Ernst, director of product management at Lumension, also recommended that people who still rely on XP or Server 2003 deploy Bulletin 2 first.
Microsoft will ship its final security updates for XP on April 8, a date it's tried to hammer home as it urges customers to dump the aged operating system. Many, however, have procrastinated or simply refused to leave behind the 13-year-old XP. According to the latest statistics from analytics firm Net Applications, XP will still power around one-fourth of the world's personal computers at the end of April, leaving millions of machines adrift without fixes for flaws.
The other three bulletins -- like Bulletin 2, marked "important" -- will address vulnerabilities in Word 2003 through Word 2013, SharePoint Server 2010 and 2013, and multiple versions of Dynamics AX, Microsoft said in its monthly pre-Patch Tuesday advance notification.
"I recommend patching Bulletin 1 as soon as possible," said Tommy Chin, a technical support engineer with CORE Security, in an email Thursday.
Microsoft identified Bulletin 1, which will patch Word and SharePoint Server, as the only one of the quartet labeled "remote code execution," which indicated that attackers could exploit it to compromise a PC or server, then plant malware on the system.
Among the versions of Word to be patched by Bulletin 1 was Word 2003, part of the Office 2003 suite, which is also slated for retirement April 8.
But the low update count for January was almost as much news to Storms as the planned fixes. "There's no IE [Internet Explorer] update and no critical updates, so the term 'light month' is apropos," said Storms. "I look it as a kind of gift from Microsoft, a great time to catch up on patching."
In December, Microsoft delivered 11 security updates, pushing 2013 into a tie with 2010 for the record of most in one year. The company also patched its IE browser in each month of 2013.
Microsoft also called out several non-security updates it plans to ship next Tuesday, including eight restricted to Windows 8, Windows 8.1, Windows RT and Windows RT 8.1. But it did not list a firmware update for the Surface Pro 2 tablet that owners have been clamoring for since Dec. 10, when a flawed update caused a litany of power management problems.
The company's technical support representatives have told numerous customers that the firmware update fix will be released Jan. 14.
Microsoft will release next week's security updates on Jan. 14 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.