Microsoft: One Critical Patch for March
Security admins have less work to do in March than is often the case with Microsoft patch release events.
Microsoft released three patches for March's Patch Tuesday drop, but only one of the three is actually rated "critical" the highest ranking on Microsoft's severity rating scale. The other two are rated "important," which is a step below critical.
Two of the patches affect Windows, while the third affects Office.
Microsoft (NASDAQ: MSFT) notified security professionals last Thursday that it would ship the three patches on Tuesday, a relatively light workload this time around compared to several recent patch releases that had a dozen or more patches for administrators to deal with.
"The low number of bulletins being released was expected as this is typically a light security bulletin release month for Microsoft," Jason Miller, data team manager at security researcher Shavlik Technologies, said in an email to InternetNews.com.
Some of the slow down in releases of new bug patches may also have something to do with Microsoft's release of Windows 7 Service Pack 1 (SP1) last month.
The most serious of March's vulnerabilities fixed this time is a zero-day hole in the way that Windows client systems load DirectShow dynamic link libraries (DLL).
DirectShow handles audio and video streaming in Windows, such as DVD playback or high-quality video capture. The patch is rated critical for all Windows client systems, though only important for Windows Server 2008 Release 2 (R2).
"Due to the nature of the affected software, this bulletin carries a critical-level severity rating for all affected client systems, but only an important-level rating for Windows Server 2008 R2 for x64. Other versions of Windows Server -- 2003, 2008 and 2008 R2 -- are unaffected," Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, said in a post to the Microsoft Security Response Center blog.
According to the security bulletin that accompanies the patch, an attacker could trick a user into clicking on a normal Windows Media Player file -- for instance, an MPG file, thereby triggering a second booby-trapped DLL file. Email attacks are also possible, and in both cases, the result could mean complete compromise of the user's computer.
Microsoft said in its bulletin that proof of concept code is already available on the Web. However, the company said it is not aware of any active exploits so far.
A second patch also fixes a problem with Windows, but is only rated important. The problem resides in a technology used to let a user access another computer from his or her computer remotely -- for example, a support tech.
The hole affects the Remote Desktop Connection clients on most supported versions of Windows and Windows Server. Not affected are Windows 7 (32-bit and 64-bit) SP1, and Windows Server R2 x64.
Meantime, the third patch, which is also rated important, impacts Microsoft's OfficeGroove client for collaboration.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.