Microsoft Rolls Out Light Security Update for March
Microsoft's March security update arrived today, just as forecast, with one "critical" item and two "important" fixes for IT pros to consider.
The update is designed to plug four vulnerabilities in total. All of the security bulletins in this month's update address remote code execution exploits, which is the most common risk associated with Windows systems and applications.
In months like this one with thin patch counts, the chatter among security mavens tends to be more about what Microsoft didn't include than what was patched. One item of note in that regard is a critical MHTML flaw in Windows/Internet Explorer. Microsoft released a workaround for the flaw in security advisory 2501696 that was announced in late January. However, after over a month's time, Microsoft apparently doesn't see the flaw as sufficiently alarming to issue a patch just yet.
"Truthfully, it's disturbing that a known critical vulnerability has been left unpatched for such an extended period of time," said Chris Greamo, vice president of research for Invincea Labs.
Greamo added that despite the lack of perceived threats around the unpatched issue, the fact that it hasn't been patched after such time only furthers the idea that the IT security industry is caught in a cycle that is "reactive instead of proactive, one that relies on the bad guys to call attention to holes and vulnerabilities that exist in software we use on a daily basis."
One of Invincea Labs' blog posts recently referred to this patch lag as a "security insanity cycle," criticizing Microsoft and other software vendors for maintaining it.
Critical and Important Items
The first and only critical item is a patch for DirectShow Windows Media Player and Windows Media Center. It covers Windows XP, Windows Vista, Windows 7 and Windows Server 2008.
Both of the important items address flaws in Microsoft's dynamic-link library (DLL) system. Exploiting the flaws might require some work on the part of a hacker, according to Joshua Talbot, security intelligence manager at Symantec Security Response.
"As for the DLL issues, Microsoft has been working to address these for some time now," Talbot said. "These are fairly easy to exploit, but because an attack would require a user to take some fairly uncommon steps -- such as opening up malicious files from SMB or WebDAV servers -- they're less likely to pose a serious threat."
The first important bulletin touches every supported Windows operating system. This patch, according to Microsoft, resolves a publicly disclosed vulnerability in Windows Remote Desktop Client.
The second important patch is a rare direct-to-application patch affecting Microsoft Groove 2007. Groove, which has now been integrated as SharePoint Workspace, is an application for project management and workflow collaboration. Microsoft indicated that a specially crafted library file would have to be present for an attack to be successful. Additionally, Microsoft said that the risk of an exploit is reduced if users have their Groove accounts configured with fewer user rights.
Andrew Storms, director of security at nCircle, said that the lull in high-profile patch news for this month is actually a good thing right now. However, a barrage of unresolved issues lurks around the corner.
"April will probably bring a shower of patches as part of Microsoft's seasonal high-low months," Storms said. "Plus CanSec West's Pwn2own hacking contest is also scheduled for later this week and that traditionally unearths some interesting Internet Explorer and Windows 7 phone security bugs."
Meanwhile all three fixes in the March security update may require a restart. Nonsecurity releases for Windows Server Update Services, Microsoft Update and Windows Update can be found in this Knowledge Base article.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.