Microsoft Issues March Patch, New IE Advisory

As expected, Microsoft today released two "important" patches in its March security update.

The two security bulletins address Windows and Office holes that could have remote code execution (RCE) implications. The March patch describes eight vulnerabilities that had not been previously disclosed.

While Microsoft describes the two fixes as important, not everyone agrees. Joshua Talbot, security intelligence manager at Symantec Security Response, said that since the inception of Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities.

"In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7," said Talbot. "My concern is that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems."

The first fix is not likely to be high on the priority list of enterprise IT pros. It deals with a privately disclosed bug in Windows Movie Maker and Microsoft Producer 2003. A user would have to open a malicious Movie Maker or Producer project to trigger the weaknesses in those applications.

Redmond stressed that Windows Live Movie Maker, which sits on Vista and Windows 7, is not affected by the vulnerability. Nevertheless, Vista and Windows 7 are covered in the patch via Windows Movie Maker 2.6 and 6.0, which are used with these operating systems.

The second important fix touches on Microsoft Office, particularly the Excel spreadsheet program. Microsoft said this fix is designed to patch "seven privately reported vulnerabilities in Microsoft Office Excel," which could result in RCE exploits should a user open a corrupt Excel file.

This second important fix is also important for SharePoint users, according to Sheldon Malm, senior director of security strategy at Rapid7. Malm said he expects to see a "decent amount of exploit traffic on the Excel/Office/SharePoint issue" especially because Excel services are part of the SharePoint Server 2007 default configuration.

The Excel fix is for systems running Microsoft Office XP, Office 2003, 2007 Office and Office for Mac 2004 and 2008 versions.

Both patches may require a restart. Meanwhile, IT pros can check out Microsoft's nonsecurity updates in this Knowledge Base article.

Microsoft also announced a new security advisory on March 9 touching Internet Explorer versions 6 and 7. The advisory was released to disclose the possibility of RCE attacks via a flaw in the browsers. Jason Miller, data and security team leader at Shavlik Technologies, explained that Microsoft has been receiving limited reports of targeted attacks so far.

This latest advisory may be a prelude signaling to more to come for Internet Explorer, according to Miller, as well as Andrew Storms, director of security operations at nCircle. For the second time in three months, Microsoft has issued a warning about a new IE zero-day bug.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • Microsoft Says System Center 2022 Will Arrive Early Next Year

    Microsoft is planning to release its new System Center product in the first quarter of 2022, with a private preview arriving within months.

  • Microsoft Talks Up Windows Server 2022's Azure Integrations

    Windows Server became available on Sept. 1; last week, Microsoft gave the product its official unveiling, focusing on all of the other products and services it will work with.

  • 2021 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.