Microsoft's March Security Update is Light

Contains only three fixes.

As expected, Microsoft's March security update was "light" -- containing only one "critical" item and two "important" fixes.

The update protects against four vulnerabilities -- all of which allow remote code execution, the most common risk associated with Windows systems and applications.

In months with thin patch counts, security professionals tend to be more concerned about what Microsoft didn't include than about what was patched. A critical MHTML flaw in Windows/Internet Explorer still has no official fix. Microsoft released a workaround for the flaw in security advisory 2501696, which the company announced in late January. However, Microsoft apparently still doesn't see the flaw as sufficiently alarming to issue a patch.

"Truthfully, it's disturbing that a known critical vulnerability has been left unpatched for such an extended period of time," said Chris Greamo, vice president of research for Invincea Labs.

Greamo added that despite the lack of perceived threats around the unpatched issue, the fact that it hasn't been patched after such time only furthers the idea that the IT security industry is caught in a cycle that is "reactive instead of proactive, one that relies on the bad guys to call attention to holes and vulnerabilities that exist in software we use on a daily basis."

One of Invincea Labs' blog posts recently referred to this patch lag as a "security insanity cycle," criticizing Microsoft and other software vendors for maintaining it.

Critical and Important Items

The first and only critical item is a patch for DirectShow, Windows Media Player and Windows Media Center. It covers Windows XP, Windows Vista, Windows 7 and Windows Server 2008.

Both of the important items address flaws in the way Windows locates and loads dynamic-link libraries (DLLs). Exploiting the flaws might require some work on the part of an attacker, according to Joshua Talbot, security intelligence manager at Symantec Security Response.

"As for the DLL issues, Microsoft has been working to address these for some time now," Talbot said. "These are fairly easy to exploit, but because an attack would require a user to take some fairly uncommon steps -- such as opening up malicious files from SMB or WebDAV servers -- they're less likely to pose a serious threat."
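The attack path Talbot describes -- a user opening a file from an SMB or WebDAV share, with the application then loading a library from that same remote directory -- is the DLL preloading problem, and Microsoft's hardening guidance for it is expressed through two registry values under the Session Manager key. The audit script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell prompt on a supported Windows system and reports how the machine is configured. The value names and their meanings are Microsoft's; the interpretation of a missing value as "legacy behaviour" is the standard reading of that guidance.

```powershell
# Added example (not from the article): audit the DLL search-order hardening that
# limits the "open a malicious file from an SMB or WebDAV share" attack path.
# Assumes an elevated prompt; reads only, changes nothing.

function Get-DllSearchHardening {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # SafeDllSearchMode: 1 (the default on supported Windows) searches the system
    # directories before the current working directory; 0 reverts to the legacy,
    # weaker order in which the current directory is searched early.
    $safe = $props.SafeDllSearchMode
    $safeOk = ($null -eq $safe) -or ($safe -eq 1)

    # CWDIllegalInDllSearch: whether the current working directory is consulted
    # at all when it is a remote location.
    #   (absent)   -> legacy behaviour: CWD is searched even on a network share
    #   1          -> CWD skipped when it is a WebDAV share
    #   2          -> CWD skipped when it is any remote share (WebDAV or SMB/UNC)
    #   0xFFFFFFFF -> CWD never searched
    # Note: Get-ItemProperty returns a DWORD as a signed Int32, so 0xFFFFFFFF
    # shows up as -1; both forms are accepted here.
    $cwd = $props.CWDIllegalInDllSearch
    if ($null -eq $cwd) {
        $cwdState = 'not set: remote CWD is searched (legacy behaviour)'
        $cwdOk    = $false
    } elseif ($cwd -eq 1) {
        $cwdState = '1: CWD skipped for WebDAV shares only (SMB still searched)'
        $cwdOk    = $false
    } elseif ($cwd -eq 2) {
        $cwdState = '2: CWD skipped for all remote shares (WebDAV and SMB)'
        $cwdOk    = $true
    } elseif (($cwd -eq -1) -or ($cwd -eq 4294967295)) {
        $cwdState = '0xFFFFFFFF: CWD never searched'
        $cwdOk    = $true
    } else {
        $cwdState = "unrecognised value $cwd"
        $cwdOk    = $false
    }

    [PSCustomObject]@{
        SafeDllSearchMode      = if ($safeOk) { 'enabled' } else { 'DISABLED (remediate)' }
        CWDIllegalInDllSearch  = $cwdState
        RemoteShareMitigated   = $safeOk -and $cwdOk
    }
}

# Usage: print the finding; RemoteShareMitigated is $false when the machine still
# accepts a DLL from a remote current working directory.
Get-DllSearchHardening | Format-List
```

A value of 2 is the usual recommendation for workstations, because it closes both the WebDAV and SMB variants Talbot mentions while leaving local directories unaffected; 0xFFFFFFFF is stricter and can break applications that legitimately load libraries from their working directory, so it belongs behind testing.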

The first bulletin rated "important" touches every supported Windows operating system. Microsoft says this patch resolves a publicly disclosed vulnerability in Windows Remote Desktop Client.

The second "important" patch is a rare direct-to-application patch affecting Microsoft Groove 2007. Groove, which has now been integrated as SharePoint Workspace, is an application for project management and workflow collaboration. Microsoft indicated that a specially crafted library file would have to be present for an attack to be successful. Additionally, Microsoft said that the risk of an exploit is reduced if users have their Groove accounts configured with fewer user rights.

Andrew Storms, director of security at nCircle, said that the lull in high-profile patch news for this month is actually a good thing right now. However, a barrage of unresolved issues lurks around the corner.

"April will probably bring a shower of patches as part of Microsoft's seasonal high-low months," Storms said. "Plus CanSecWest's Pwn2Own hacking contest is also scheduled for later this week and that traditionally unearths some interesting Internet Explorer and Windows 7 phone security bugs."

Meanwhile, all three fixes in the March security update may require a restart. Nonsecurity releases for Windows Server Update Services, Microsoft Update and Windows Update can be found in this Knowledge Base article.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.