Microsoft today said it will deliver just four security updates next week, none of them marked "critical," to quash vulnerabilities in Windows, Word, SharePoint Server and Dynamics AX, an enterprise-grade release-planning offering from the company's Dynamics suite.

One of the updates will patch Windows XP and Windows Server 2003 to stymie attacks that Microsoft acknowledged in November when it issued a security advisory. Just hours earlier, security firm FireEye had publicized the attacks, which researchers said combined an exploit of the Windows elevation-of-privilege flaw with another exploit that leveraged a more serious bug in older versions of Adobe Reader.

"Bulletin 2 should be at the top of the list," said Andrew Storms, director of DevOps at CloudPassage, in an interview Thursday, referring to the update that will patch XP and Server 2003. "It's related to a known zero-day, and we've already seen an advisory from Microsoft. That might change next week when we see the details of the other bulletins, of course."

Others, including Russ Ernst, director of product management at Lumension, also recommended that people who still rely on XP or Server 2003 deploy Bulletin 2 first.

Microsoft will ship its final security updates for XP on April 8, a date it's tried to hammer home as it urges customers to dump the aged operating system. Many, however, have procrastinated or simply refused to leave behind the 13-year-old XP. According to the latest statistics from analytics firm Net Applications, XP will still power around one-fourth of the world's personal computers at the end of April, leaving millions of machines adrift without fixes for flaws.

The other three bulletins -- like Bulletin 2, marked "important" -- will address vulnerabilities in Word 2003 through Word 2013, SharePoint Server 2010 and 2013, and multiple versions of Dynamics AX, Microsoft said in its monthly pre-Patch Tuesday advance notification.

Computerworld