Microsoft released two patches for eight security holes in its March “Patch Tuesday” drop, but also issued an advisory about a recently discovered flaw in Internet Explorer.
The workload for Patch Tuesday — so-called because on the second Tuesday of the month, Microsoft (NASDAQ: MSFT) issues the majority of patches for the month — was light in March. That contrasts with February when the company had a near record month.
The bugs fixed by the two patches are rated “important,” the second highest ranking on Microsoft’s four-tier severity rating scale.
One patch fixes seven separate vulnerabilities, all of them affecting the Excel spreadsheet program, including not only Windows versions, but also Excel 2004 and 2008 for Mac.
The other fixes a flaw in Windows Movie Maker, the video editing software that has been superseded by Windows Live Movie Maker. Windows XP and Vista are primarily affected, although some users of Windows 7 may have downloaded the older application.
“An attacker can send a malicious file to the target [and] when the file gets opened, remote code execution is possible,” Wolfgang Kandek, chief technology officer for security firm Qualys, said in an e-mailed statement.
In fact, March’s patch drop primarily concerns file format vulnerabilities.
“An attacker needs to trick the target to open a specially crafted Excel document, which will allow the attacker to take control of the target system,” Kandek added.
One bug that Microsoft did not fix this time around is a zero-day flaw in the way older versions of Windows handle help files and scripting — Microsoft sent out a Security Advisory regarding the hole last week.
According to Microsoft, the zero-day help file hole affects Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, as well as 64-bit versions of XP Professional SP2, and Windows Server 2003. More recent releases of Windows, including Vista, Windows Server 2008, and Windows 7, are not at risk, Microsoft said.
“In reviewing the details of the vulnerabilities, each involves a user downloading a specially crafted file, which is yet another reminder of the importance of endpoint security and our need to shift our focus from the gateway to the endpoint,” Paul Henry, security and forensic analyst at security firm Lumension, said in an e-mail.

Zero-day hole warnings for IE 6 and 7
Microsoft also issued a new Security Advisory — this one regarding a zero-day hole in Internet Explorer (IE) 6 and 7. Other IE versions are not affected.
With the IE hole, Microsoft said it has already seen limited “targeted attacks” that use the vulnerability. It can be exploited by tricking the user into clicking on a poisoned link in an e-mail or Instant Messenger session or even simply viewing a booby-trapped Web page.
In order to protect themselves, IE6 and IE7 users should set their security level to “High.” Alternatively, they could upgrade to IE8, which is not affected.
“Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE,” Kandek said.
Microsoft said it has not yet decided how it will fix the latest IE flaw or the help file issue.