Microsoft plans to patch 8 Windows, Office bugs next week
Thursday, March 4, 2010 17:16Microsoft today announced it will ship two security updates on Tuesday to patch eight vulnerabilities in Windows and Office.
In its monthly advance notification, Microsoft spelled out next week’s two-update Patch Tuesday, a far cry from February’s massive rollout of 13 security bulletins that fixed 26 flaws.
[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute Webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
The downturn was not unexpected. “This is indicative of the on and off cycle that Microsoft uses,” said Andrew Storms, director of security operations at nCircle Network Security. “Last month was more OS-related, this month they’re patching some applications.”
March traditionally is a slow patch month for Microsoft, Storms noted, just as February has historically been big. In March 2009, for example, Microsoft issued three bulletins, while in March 2008, it delivered four.
Both bulletins will be pegged as “important,” Microsoft’s second-highest severity rating in its four-step scoring system. The vulnerabilities in those two updates, however, allow attackers to insert malicious code onto unpatched PCs, a fact that at first glance may seem contrary to Microsoft’s less-than-critical ranking.
“When Microsoft rates something ‘important’ but also says the vulnerability allows for remote code execution, that usuallly means there’s some default state that would mitigate attacks for all users,” said Storms. That state, he continued, could be a default setting that protects users, or the fact that the vulnerability is contained in a component that’s not loaded by default.
The first bulletin will address one or more vulnerabilities in Windows XP, Vista and Windows 7, and affects the most recent service packs for XP and Vista, SP3 and SP2, respectively. Both 32- and 64-bit editions of all three operating systems harbor the bugs, according to the terse description in Microsoft’s notice.
The second will quash one or more bugs in Excel 2002, Excel 2003, and Excel 2007 on Windows; Excel 2004 and Excel 2008 on the Mac; and other Excel- and file-conversion-related pieces of the Office suites. Storms pointed out that the patch will even repair the version of Excel in Office 2007 SP2. “It’s the latest and greatest that’s being patched,” said Storms, adding that clues in the notice point toward a file format problem, most likely one in the file converter tool bundled with Office.
“What’s going on?” Storms asked rhetorically. “The newer file format in 2007 is supposed to be safer.”
Both updates deal with bugs that can be exploited only if users are tricked into opening a malicious file, Jerry Bryant, a senior manager with the Microsoft Security Research Center (MSRC), said in an entry on the center’s blog today. “There are no network-based attack vectors,” Bryant promised.
