Microsoft Issues Security Bulletins For Vulnerabilities In Windows, Office

Microsoft has issued three security bulletins, one rated "critical" and two "important," for four vulnerabilities in the company's Windows XP, Vista and 7 operating systems and Office applications.

Bulletin MS11-015 addresses two vulnerabilities in Windows software, one publicly disclosed bug in the DirectShow multimedia framework and one privately reported glitch in Windows Media Player and Windows Media Center.

Those vulnerabilities, rated critical by Microsoft, could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording file. Microsoft said a user cannot be forced to open the file and that for an attack to be successful a user must be convinced to open it.

"Microsoft normally rates this type of file format vulnerability as only 'important' because user interaction is required. However, this particular flaw has a component that allows for an attack through a browser link and allows its exploitation in automated 'drive-by' fashion. We recommend patching immediately for MS10-015," said Wolfgang Kandek, CTO at Qualys, a security software vendor, in an e-mail.


Bulletin MS11-017, rated important, resolves a publicly disclosed vulnerability in Windows Remote Desktop Client. Microsoft said the problem could allow remote code execution if a user opens a legitimate Remote Desktop configuration file located in the same network folder as a specially crafted library file.

But for an attack to be successful a user must visit an untrusted remote file system location or "WebDAV share" and open a document from that location that is then loaded by a vulnerable application, Microsoft said.


Bulletin MS11-016 also provides a security update for a publicly disclosed vulnerability in Microsoft Office Groove that could allow remote code execution if a user opens a legitimate Groove-related file located in the same network directory as a specially crafted library file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, Microsoft said.

Security experts noted that while the number of vulnerabilities Microsoft covered this month was much lower than in some months (22 bulletins were issued in February's Patch Tuesday), IT security managers should still pay close attention to today's announcements.

"This Patch Tuesday wasn’t very large, but it was serious," said Paul Henry, a security and forensic analyst at Lumension Security, a security application vendor. "Two of the patches we saw were in Windows, and the third in Office. All patches addressed issues providing for remote code execution, which is top-of-mind for IT flaw remediation specialists."

"If you’re using the Remote Desktop Client, MS11-017 should be your top priority followed by MS11-015 and finally MS11-016," Henry said in an e-mail. "Those not using Remote Desktop Client but regularly sending/receiving large media files should focus on MS11-015 first."

"Microsoft may have cleaned up a lot of loose ends with the release of Windows 7 and Windows Server 2008 R2 Service Pack 1 last month, leaving little to address this Patch Tuesday. That being said, the patches released today did not address the recently disclosed MHTML issues and we expect a resolution in April’s patch release," he said.

A summary of the vulnerabilities and links to the specific bulletins and updates can be found at Microsoft's TechNet Web site.