Microsoft Issues March Patch, New IE Advisory

As expected, Microsoft today released two "important" patches in its March security update.

The two security bulletins address Windows and Office holes that could have remote code execution (RCE) implications. The March patch describes eight vulnerabilities that had not been previously disclosed.

While Microsoft describes the two fixes as important, not everyone agrees. Joshua Talbot, security intelligence manager at Symantec Security Response, said that since the inception of Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities.

"In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7," said Talbot. "My concern is that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems."

The first fix is not likely to be high on the priority list of enterprise IT pros. It deals with a privately disclosed bug in Windows Movie Maker and Microsoft Producer 2003. A user would have to open a malicious Movie Maker or Producer project to trigger the weaknesses in those applications.

Redmond stressed that Windows Live Movie Maker, which sits on Vista and Windows 7, is not affected by the vulnerability. Nevertheless, Vista and Windows 7 are covered in the patch via Windows Movie Maker 2.6 and 6.0, which are used with these operating systems.

The second important fix touches on Microsoft Office, particularly the Excel spreadsheet program. Microsoft said this fix is designed to patch "seven privately reported vulnerabilities in Microsoft Office Excel," which could result in RCE exploits should a user open a corrupt Excel file.

This second important fix is also important for SharePoint users, according to Sheldon Malm, senior director of security strategy at Rapid7. Malm said he expects to see a "decent amount of exploit traffic on the Excel/Office/SharePoint issue" especially because Excel services are part of the SharePoint Server 2007 default configuration.

The Excel fix is for systems running Microsoft Office XP, Office 2003, 2007 Office and Office for Mac 2004 and 2008 versions.

Both patches may require a restart. Meanwhile, IT pros can check out Microsoft's nonsecurity updates in this Knowledge Base article.

Microsoft also announced a new security advisory on March 9 touching Internet Explorer versions 6 and 7. The advisory was released to disclose the possibility of RCE attacks via a flaw in the browsers. Jason Miller, data and security team leader at Shavlik Technologies, explained that Microsoft has been receiving limited reports of targeted attacks so far.

This latest advisory may be a prelude signaling to more to come for Internet Explorer, according to Miller, as well as Andrew Storms, director of security operations at nCircle. For the second time in three months, Microsoft has issued a warning about a new IE zero-day bug.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • open laptop on a child-sized desk in a colorful elementary school classroom with holographic AI icons rising from the screen

    4 Ways Schools Are Using Google AI Tools for Teaching, Learning, and Administration

    In a recent blog post, Google shared an array of education customer stories, showcasing ways schools and districts are using AI tools like Gemini and NotebookLM to transform both learning and administrative tasks.

  • abstract pattern of cybersecurity, ai and cloud imagery

    Report Identifies Malicious Use of AI in Cloud-Based Cyber Threats

    A recent report from OpenAI identifies the misuse of artificial intelligence in cybercrime, social engineering, and influence operations, particularly those targeting or operating through cloud infrastructure. In "Disrupting Malicious Uses of AI: June 2025," the company outlines how threat actors are weaponizing large language models for malicious ends — and how OpenAI is pushing back.

  • horizontal stack of U.S. dollar bills breaking in half

    ED Abruptly Cancels ESSER Funding Extensions

    The Department of Education has moved to close the door on COVID relief funding for schools, declaring that "extending deadlines for COVID-related grants, which are in fact taxpayer funds, years after the COVID pandemic ended is not consistent with the Department’s priorities and thus not a worthwhile exercise of its discretion."

  • laptop displaying AI-powered educational content

    Kira Introduces AI-Generated Lesson Tool

    AI company Kira has announced a new AI-powered lesson generation tool that it says delivers complete, standards-aligned lessons that are personalized to each student.