News

Microsoft Issues March Patch, New IE Advisory

As expected, Microsoft today released two "important" patches in its March security update.

The two security bulletins address Windows and Office holes that could have remote code execution (RCE) implications. The March patch describes eight vulnerabilities that had not been previously disclosed.

While Microsoft describes the two fixes as important, not everyone agrees. Joshua Talbot, security intelligence manager at Symantec Security Response, said that since the inception of Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities.

"In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7," said Talbot. "My concern is that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems."

The first fix is not likely to be high on the priority list of enterprise IT pros. It deals with a privately disclosed bug in Windows Movie Maker and Microsoft Producer 2003. A user would have to open a malicious Movie Maker or Producer project to trigger the weaknesses in those applications.

Redmond stressed that Windows Live Movie Maker, which sits on Vista and Windows 7, is not affected by the vulnerability. Nevertheless, Vista and Windows 7 are covered in the patch via Windows Movie Maker 2.6 and 6.0, which are used with these operating systems.

The second important fix touches on Microsoft Office, particularly the Excel spreadsheet program. Microsoft said this fix is designed to patch "seven privately reported vulnerabilities in Microsoft Office Excel," which could result in RCE exploits should a user open a corrupt Excel file.

This second important fix is also important for SharePoint users, according to Sheldon Malm, senior director of security strategy at Rapid7. Malm said he expects to see a "decent amount of exploit traffic on the Excel/Office/SharePoint issue" especially because Excel services are part of the SharePoint Server 2007 default configuration.

The Excel fix is for systems running Microsoft Office XP, Office 2003, 2007 Office and Office for Mac 2004 and 2008 versions.

Both patches may require a restart. Meanwhile, IT pros can check out Microsoft's nonsecurity updates in this Knowledge Base article.

Microsoft also announced a new security advisory on March 9 touching Internet Explorer versions 6 and 7. The advisory was released to disclose the possibility of RCE attacks via a flaw in the browsers. Jason Miller, data and security team leader at Shavlik Technologies, explained that Microsoft has been receiving limited reports of targeted attacks so far.

This latest advisory may be a prelude signaling to more to come for Internet Explorer, according to Miller, as well as Andrew Storms, director of security operations at nCircle. For the second time in three months, Microsoft has issued a warning about a new IE zero-day bug.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft-OpenAI Deal's Cloud Terms Spark Another EU Antitrust Probe

    Competition watchdogs in Europe have begun an inquiry into whether the Microsoft-OpenAI partnership has been structured in such a way as to stifle competition.

  • Newspapers stacked against the wall

    News Publisher Accuses Microsoft, OpenAI of Copyright 'Exploitation'

    Microsoft and OpenAI have been sued by the nonprofit publisher of Mother Jones, the latest volley in the ongoing fight between generative AI firms and the news industry.

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Copilot Gets Own Category in Microsoft's 2024 Partner of the Year Awards

    The results of this year's Microsoft Partner of the Year awards were announced this week with two new categories that signal exactly what Microsoft thinks its partners should be prioritizing.