As Microsoft introduced a light load of eight fixes for two vulnerabilities on its March Patch Tuesday, security commentators have unsurprisingly referenced what was not covered.
Joshua Talbot, security intelligence manager at Symantec Security Response, commented that since the launch of Windows 7 last year, Microsoft has appeared to downgrade the severity of file-based vulnerabilities, and that this month's issues are indeed less severe on Windows 7.
"My concern is that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems," said Talbot.
He also commented that Microsoft did not patch the win32hlp Internet Explorer vulnerability made public just over a week ago, and that Symantec had seen proof-of-concept exploit code for this vulnerability, but no attacks using it in the wild.
Wolfgang Kandek, CTO of Qualys, commented that contrary to what was expected last week, the Microsoft March security announcements contain a small surprise: an advisory (KB981374) describing a zero-day vulnerability that was only recently reported to Microsoft.
Kandek said: "At the moment only a limited number of targeted attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason to update to this latest version of IE. There are not a lot of details available on the vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory."
Andrew Storms, director of security operations at nCircle, also commented on this patch, saying that for the second time in three months, Microsoft has issued a warning about a new IE zero-day bug.
He said: "Like the IE zero-day bug from January that got a lot of press because of its involvement in the Aurora exploit that hit Google, this bug will get some mitigation assistance from ASLR and DEP. There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."
Moving on to the 'important' patches, Jason Miller, data and security team leader at Shavlik Technologies, claimed that it is not uncommon for Microsoft to have a large patch month followed by a relatively light patch month.
He said: "After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month. Microsoft released two new security bulletins addressing eight vulnerabilities, all not publicly known at this time.
"As the bulletins affect client Windows operating systems and Microsoft Office, your servers should be spared from this month's patching cycle unless you have SharePoint Server 2007 installed. As expected, Microsoft is not planning to release a bulletin for their recently released security advisory (981169). Microsoft will need time to investigate, implement and test the fix for this known vulnerability."
Speaking on the Office patch, Storms said: "Unfortunately, today was the first patch for the newer, safer Office 2007 file format. File format attacks continue to be a favourite attack vector for earlier versions of Office, especially 2003. Since releasing Office 2007 three years ago, Microsoft hasn't had to patch a single bug in this file format, something I'm sure they are pretty proud of. IT security teams everywhere will be keeping their fingers crossed hoping that this isn't the beginning of a new streak of vulnerabilities in Office."
For the MS10-016 issue, Microsoft suggested administrators remove the affected component on their machines. Miller said: "This is a great example of why administrators should take time each month and research the information associated with each bulletin. Simply blindly pushing out patches does not necessarily make your network secure."
Kandek commented: "MS10-016 addresses possible code execution in Windows Movie Maker; an attacker can send a malicious file to the target. When the file gets opened, remote code execution is possible. The exploitability index is high, meaning that the file format vulnerability is relatively easy to exploit."
For the MS10-017 issue, which addresses possible code execution in Microsoft Excel and covers seven vulnerabilities, Kandek said: "All versions of Office are affected, including Mac Office 2004 and 2008. An attacker needs to trick the target into opening a specially crafted Excel document, which will allow the attacker to take control of the target system. Exploitability is high for the majority of vulnerabilities listed, so we suggest putting this patch on a fast installation schedule. Attack vectors also include Excel Viewer and SharePoint Server."
Miller claimed that this should be the first patch on a network, as opening a malicious Excel document could lead to remote code execution.
Finally, Microsoft's security bulletin MS10-015 had caused a blue screen on some systems after they were patched. Miller said: "Microsoft researched the issue and found a rootkit was the cause of the blue screen. This is a perfect example of why companies should have a solid patching process that includes testing each bulletin before deploying it to their network."
Alan Bentley, vice president international at Lumension, said: "Today's bulletins may require a restart and have an impact on operations, one in Microsoft Office and one in Microsoft Windows. These two vulnerabilities both involve a user downloading a specially crafted file, and are yet another reminder of the importance of endpoint security, and the need to shift focus from the gateway to the endpoint."