Contrary to what we expected last week, the Microsoft March Security announcements have a little surprise in it.
The standard bulletins cover Windows Movie Maker/Producer and Office:
- MS10-016 – possible code execution in Windows Movie Maker – ranked important: an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit. Windows XP and Vista ship with vulnerable versions. While Windows 7 does not ship with a vulnerable version, a user could have downloaded and installed the 2.6 version, which is affected. The bulletin does not provide a patch for the also affected Windows Producer, a little used multimedia add-on to Powerpoint.
- MS10-017 – possible code execution in Microsoft Excel – ranked important as well. This bulletin covers 7 vulnerabilities, all of them file format based. All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target to open a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest to put this patch on a fast installation schedule. Attack vectors include also Excel viewer and SharePoint server.
But Microsoft also released advisory KB981374 which describes a 0-day vulnerability reported to Microsoft only recently. At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.
No major updates on advisory KB981169, also for Internet Explorer, which requires the target to press F1 to launch the attack and can best be avoided by user education.