Web Security

Microsoft Issues March Patch, New IE Advisory

• By Jabulani Leffall
• 03/09/10

As expected, Microsoft today released two "important" patches in its March security update.

The two security bulletins address Windows and Office holes that could have remote code execution (RCE) implications. The March patch describes eight vulnerabilities that had not been previously disclosed.

While Microsoft describes the two fixes as important, not everyone agrees. Joshua Talbot, security intelligence manager at Symantec Security Response, said that since the inception of Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities.

"In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7," said Talbot. "My concern is that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems."

The first fix is not likely to be high on the priority list of enterprise IT pros. It deals with a privately disclosed bug in Windows Movie Maker and Microsoft Producer 2003. A user would have to open a malicious Movie Maker or Producer project to trigger the weaknesses in those applications.

Redmond stressed that Windows Live Movie Maker, which sits on Vista and Windows 7, is not affected by the vulnerability. Nevertheless, Vista and Windows 7 are covered in the patch via Windows Movie Maker 2.6 and 6.0, which are used with these operating systems.

The second important fix touches on Microsoft Office, particularly the Excel spreadsheet program. Microsoft said this fix is designed to patch "seven privately reported vulnerabilities in Microsoft Office Excel," which could result in RCE exploits should a user open a corrupt Excel file.

This second important fix is also important for SharePoint users, according to Sheldon Malm, senior director of security strategy at Rapid7. Malm said he expects to see a "decent amount of exploit traffic on the Excel/Office/SharePoint issue" especially because Excel services are part of the SharePoint Server 2007 default configuration.

The Excel fix is for systems running Microsoft Office XP, Office 2003, 2007 Office and Office for Mac 2004 and 2008 versions.

Both patches may require a restart. Meanwhile, IT pros can check out Microsoft's nonsecurity updates in this Knowledge Base article.

Microsoft also announced a new security advisory on March 9 touching Internet Explorer versions 6 and 7. The advisory was released to disclose the possibility of RCE attacks via a flaw in the browsers. Jason Miller, data and security team leader at Shavlik Technologies, explained that Microsoft has been receiving limited reports of targeted attacks so far.

This latest advisory may be a prelude signaling to more to come for Internet Explorer, according to Miller, as well as Andrew Storms, director of security operations at nCircle. For the second time in three months, Microsoft has issued a warning about a new IE zero-day bug.