Microsoft is to address eight vulnerabilities on its monthly Patch Tuesday, with no critical flaws expected to be addressed.
The vulnerabilities are in Windows and Microsoft Office and are remote code execution problems. Jerry Bryant, senior security communications manager at Microsoft, recommended that customers review the advance notification web page and prepare to deploy these bulletins as soon as possible.
He said: “To provide additional guidance for deployment prioritisation, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.”
Wolfgang Kandek, CTO at Qualys, said: “After the massive February update Microsoft will only release two bulletins next week. The first bulletin is for the Windows operating system, affecting only the desktop platforms XP, Vista and Windows 7. The second bulletin is for Microsoft Office and applies to all versions on Windows (Office XP, 2003 and 2007) and Mac OS X (Office 2004 and 2008), plus SharePoint and the Excel Viewer.
“The lower criticality ratings allow IT administrators more time to address these March bulletins. It is likely that the Office vulnerabilities should be handled first, as file format vulnerabilities in general have been on the rise in the last year and end-users frequently trust open office format files such as Excel due to their business oriented, serious nature.”
Alan Bentley, vice president international at Lumension, said: “From what we've seen, it doesn't appear that the bulletins released will address all of the issues that are in the wild and use a specialty file. Despite being a light month, these bulletins are another reminder of the importance of endpoint security as traditional gateway defences would in all likelihood miss an exploit.”
Patch Tuesday follows the publication earlier this week of a security advisory about an unpatched issue in VBScript. Kandek described it as ‘a clever attack through Internet Explorer’, as detailed on Tuesday this week.
Kandek said: “It requires the end-user to press F1 in a pop-up box, so the main defence is make your users aware of the existence of the flaw and instruct them to get in touch with IT should this happen.”
Bryant said that there are no known attacks in this instance, but he encouraged customers to review the advisory and apply the suggested workarounds where possible.
Bentley said: “Although this issue won't be addressed by next week's monthly patches, a workaround will be provided by Microsoft. Of note, Microsoft has said they don't think it's a big issue, but only time will tell.
“This exploit is another reminder of the importance of maintaining updated endpoint security, as traditional gateway defences would in all likelihood miss an exploit such as this, which can be activated simply by having a user open a specially crafted file.”
Finally, Bryant confirmed that Microsoft is to end support for legacy operating systems in the coming months. He said that Windows XP Service Pack 2 will no longer be supported after 13th July, and on the same date extended support for Windows 2000 will finish.
Windows Vista RTM will no longer be supported after 13th April. Service pack one will still be supported until 12th July 2011, but he recommended that customers update to service pack two or Windows 7.
“Customers will soon have to start updating these operating systems, including Windows XP service pack two, and are being encouraged to upgrade to service pack three or to Windows 7 as soon as possible,” said Bentley.