Microsoft Issues March Patch, New IE Advisory

As expected, Microsoft today released two "important" patches in its March security update.

The two security bulletins address Windows and Office holes that could have remote code execution (RCE) implications. The March patch describes eight vulnerabilities that had not been previously disclosed.

While Microsoft describes the two fixes as important, not everyone agrees. Joshua Talbot, security intelligence manager at Symantec Security Response, said that since the inception of Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities.

"In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7," said Talbot. "My concern is that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems."

The first fix is not likely to be high on the priority list of enterprise IT pros. It deals with a privately disclosed bug in Windows Movie Maker and Microsoft Producer 2003. A user would have to open a malicious Movie Maker or Producer project to trigger the weaknesses in those applications.

Redmond stressed that Windows Live Movie Maker, which sits on Vista and Windows 7, is not affected by the vulnerability. Nevertheless, Vista and Windows 7 are covered in the patch via Windows Movie Maker 2.6 and 6.0, which are used with these operating systems.

The second important fix touches on Microsoft Office, particularly the Excel spreadsheet program. Microsoft said this fix is designed to patch "seven privately reported vulnerabilities in Microsoft Office Excel," which could result in RCE exploits should a user open a corrupt Excel file.

This second important fix is also important for SharePoint users, according to Sheldon Malm, senior director of security strategy at Rapid7. Malm said he expects to see a "decent amount of exploit traffic on the Excel/Office/SharePoint issue" especially because Excel services are part of the SharePoint Server 2007 default configuration.

The Excel fix is for systems running Microsoft Office XP, Office 2003, 2007 Office and Office for Mac 2004 and 2008 versions.

Both patches may require a restart. Meanwhile, IT pros can check out Microsoft's nonsecurity updates in this Knowledge Base article.

Microsoft also announced a new security advisory on March 9 touching Internet Explorer versions 6 and 7. The advisory was released to disclose the possibility of RCE attacks via a flaw in the browsers. Jason Miller, data and security team leader at Shavlik Technologies, explained that Microsoft has been receiving limited reports of targeted attacks so far.

This latest advisory may be a prelude signaling to more to come for Internet Explorer, according to Miller, as well as Andrew Storms, director of security operations at nCircle. For the second time in three months, Microsoft has issued a warning about a new IE zero-day bug.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • students using digital devices, surrounded by abstract AI motifs and soft geometric design

    Ed Tech Startup Kira Launches AI-Native Learning Platform

    A new K-12 learning platform aims to bring personalized education to every student. Kira, one of the latest ed tech ventures from Andrew Ng, former director of Stanford's AI Lab and co-founder of Coursera and DeepLearning.AI, "integrates artificial intelligence directly into every educational workflow — from lesson planning and instruction to grading, intervention, and reporting," according to a news announcement.

  • toolbox featuring a circuit-like AI symbol and containing a screwdriver, wrench, and hammer

    Microsoft Launches AI Tools for Educators

    Microsoft has introduced a variety of AI tools aimed at helping educators develop personalized learning experiences for their students, create content more efficiently, and increase student engagement.

  • laptop displaying a red padlock icon sits on a wooden desk with a digital network interface background

    Reports Point to Domain Controllers as Prime Ransomware Targets

    A recent report from Microsoft reinforces warns of the critical role Active Directory (AD) domain controllers play in large-scale ransomware attacks, aligning with U.S. government advisories on the persistent threat of AD compromise.

  • Two hands shaking in the center with subtle technology icons, graphs, binary code, and a padlock in the dark blue background

    Two Areas for K-12 Schools to Assess for When to Work with a Managed Services Provider

    The complexity of today’s IT network infrastructure and increased cybersecurity risk are quickly moving beyond many school districts’ ability to manage on their own. But a new technology model, a partnership with a managed services provider, offers a way forward for schools to overcome these challenges.