Expert Guidance for New Microsoft Security Bulletins
As predicted last week in the Microsoft Security Bulletin Advance Notification for March 2010, Microsoft released two new security bulletins today for the March 2010 Patch Tuesday. The two security bulletins bring the total number of security bulletins for 2010 up to 17.
Gerhard Eschelbeck, chief technology officer and senior vice president of Webroot, explained via email that "Microsoft is [releasing] two security bulletins with corresponding patches affecting all supported versions of its operating systems, as well as Office suites."
Eschelbeck added, "Both are rated as 'Important', meaning they deserve attention. Even though this is significantly lighter compared to last month, these vulnerabilities could be exploited by opening a malicious document causing potential loss of confidential information. Users and IT organizations are encouraged to review these bulletins today, and plan for prompt rollout based on their priorities and environment."
Qualys CTO Wolfgang Kandek provides some additional detail for both security bulletins in his Patch Tuesday blog post. Kandek describes MS10-016, a security bulletin related to flaws in Microsoft's Windows Movie Maker. "When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions."
Kandek also notes that the patch from Microsoft does not address the same vulnerability, which is also present in Windows Producer, a multimedia add-on for PowerPoint.
For MS10-017, Kandek provides this insight: "All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target to open a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest putting this patch on a fast installation schedule. Attack vectors also include Excel viewer and SharePoint server."
In an email from nCircle, director of security Andrew Storms said, "Unfortunately, today was the first patch for the newer, safer Office 2007 file format. File format attacks continue to be a favorite attack vector for earlier versions of Office, especially 2003. Since releasing Office 2007 three years ago, Microsoft hasn't had to patch a single bug in this file format, something I'm sure they are pretty proud of. IT security teams everywhere will be keeping their fingers crossed hoping that this isn't the beginning of a new streak of vulnerabilities in Office."
Both Storms and his nCircle peer, lead research engineer Tyler Reguly, noted that Microsoft did not patch a recently announced zero-day bug in Internet Explorer (IE). According to the Microsoft Security Advisory, Internet Explorer 8 is not impacted by the flaw.
"In a way, I feel bad for Microsoft having to maintain older versions of their browser," said Reguly. "While I believe browser security is the user's responsibility (practice safe browsing and such), and I'm not in the 'IE6 must die' fan club, I can't imagine maintaining browser software as old as IE6. Can you imagine the overhead if Mozilla still had to maintain the initial release of Firefox?"
Symantec's Joshua Talbot, security intelligence manager for Symantec Security Response, clarified the Internet Explorer issue in an e-mail. "We've seen proof-of-concept exploit code for this vulnerability, but haven't seen any attacks using it in the wild."
Talbot concluded, "A unique user interaction is required to make the IE vulnerability work, but an attacker could engineer an exploit that would entice a user to carry out the action. For example, causing a pop-up window to appear repeatedly until the user hits the necessary key to make it stop, which would subsequently also cause the machine to become infected."
It seems fair to assume that a patch for this IE vulnerability will be at the top of the list for April's Patch Tuesday. For now, review the security bulletins and the security advisory from Microsoft for more details. Apply the appropriate patches, and implement any necessary mitigations to protect against the IE flaw.