After February's flood of patches, Microsoft announced only two security bulletins this "Patch Tuesday." However, the bulletins affect users running Windows XP, Windows Vista, Windows 7, Office XP, Office 2003, Office 2007 and Sharepoint 2007. Both bulletins are "Important," and Microsoft has created security patches for all but one of the affected products.
The first bulletin, MS10-16, addresses a security vulnerability in Windows Movie Maker and Microsoft Producer 2003. Movie Makeris on Windows XP and Vista systems by default. The application is not included with Windows 7, but it is available as a separate download (which includes the vulnerability discussed in MS10-016).
Microsoft Producer 2003 is a separately downloadable app that can be installed on computers running PowerPoint 2002 and 2003. Microsoft Producer 2003 is not installed by default in any operating system or Office application.
If a user visits a website hosting a malicious Movie Maker file (.mswmm file extension) or Producer project file (.MSProducer, .MSProducerZ and .MSProducerBF file extensions) and clicks to open the file, the exploit would enable an attacker to run code on the user's computer. This code could take any action that the locally logged-on user could perform. Alternatively, the exploit could be launched by opening one of these files received via email or accessed over a network file share. Simply visiting a malicious website -- but not opening the file -- is not enough for an attacker to use this vulnerability.
Microsoft has created security patches for the Movie Maker flaw in Windows XP, Vista and Windows 7. Microsoft has not created a security update for Producer 2003, claiming that the product is in "limited distribution" and "does not offer a means for automatic update." This latter statement means there is no detection rule in Windows Update or Microsoft Update that would detect this product, so there is no way to automatically update it. Users running Producer 2003 should run a workaround from Microsoft that will disable the Producer 2003 application.
The second bulletin, MS10-017, affects users running any version of Microsoft Excel or Excel Viewer. Multiple security issues were identified in Excel that, if exploited, could allow an attacker to execute code on the victim's computer. As with the Movie Maker exploit scenario, a user must visit a malicious website and open a malformed Excel document in order to be affected. If the malicious Excel document is opened, the malware would run with the same permissions of the local user. Users who are logged on with a nonadministrative account stand a better chance of avoiding the exploit code.
Microsoft has assigned each bulletin a "1" on its Exploitability Index, which means the vulnerabilities can be reliably exploited. This rating also indicates that Microsoft expects to see exploit code released shortly for these issues. However, at the time of the bulletin release, Microsoft said it had not seen any evidence that these exploits were used in the wild or have affected any of its customers.
|ABOUT THE AUTHOR:|
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.