Microsoft will ship two security updates on Tuesday to patch eight vulnerabilities in Windows and Office.
In its monthly advance notification, Microsoft spelled out next week's two-update Patch Tuesday, a far cry from February's massive roll-out of 13 security bulletins that fixed 26 flaws.
The downturn was not unexpected. "This is indicative of the on and off cycle that Microsoft uses," said Andrew Storms, director of security operations at nCircle Network Security. "Last month was more OS related, this month they're patching some applications."
March traditionally is a slow patch month for Microsoft, Storms noted, just as February has historically been big. In March 2009, for example, Microsoft issued three bulletins, while in March 2008, it delivered four.
Both bulletins will be labelled as 'important', Microsoft's second-highest severity rating in its four-step scoring system. The vulnerabilities in those two updates, however, allow attackers to insert malicious code onto unpatched PCs, a fact that at first glance may seem contrary to Microsoft's less-than-critical ranking.
"When Microsoft rates something 'important' but also says the vulnerability allows for remote code execution, that usuallly means there's some default state that would mitigate attacks for all users," said Storms. That state, he continued, could be a default setting that protects users, or the fact that the vulnerability is contained in a component that's not loaded by default.
The first bulletin will address one or more vulnerabilities in Windows XP, Vista and Windows 7, and affects the most recent service packs for XP and Vista, SP3 and SP2, respectively. Both 32- and 64-bit editions of all three operating systems harbor the bugs, according to the terse description in Microsoft's notice.
The second will tackle one or more bugs in Excel 2002, Excel 2003 and Excel 2007 on Windows; Excel 2004 and Excel 2008 on the Mac; and other Excel- and file-conversion-related pieces of the Office suites. Storms pointed out that the patch will even repair the version of Excel in Office 2007 SP2. "It's the latest and greatest that's being patched," said Storms, adding that clues in the notice point toward a file format problem, most likely one in the file converter tool bundled with Office.
"What's going on?" Storms asked rhetorically. "The newer file format in 2007 is supposed to be safer."
Both updates deal with bugs that can be exploited only if users are tricked into opening a malicious file, Jerry Bryant, a senior manager with the Microsoft Security Research Center (MSRC), said in an entry on the centre's blog. "There are no network-based attack vectors," Bryant promised.
Neither of the bulletins match up with the outstanding security advisories that Microsoft has issued but not yet patched, including one harking back to November 2009. At the time, Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.
Newer advisories, such as one last month about a bug in Internet Explorer and another issued on Monday about a flaw in VBScript, are also not on the patch list for next week, said Storms. The VBScript bug, which can be exploited via internet Explorer, prompted Microsoft to issue an unusual warning: Don't press the F1 key.
The lack of a patch yet for the SMB bug led Storms to speculate that Microsoft has run into problems creating and testing a fix, or has found more bugs during its investigation. "Maybe they found other issues that they wanted to clean up at the same time," he said.
Also missing this month is an update from Adobe, which has taken to releasing its quarterly patches for Reader and Acrobat on Microsoft's Patch Tuesday. The next scheduled Adobe updates are due on 13.
The MSRC's Bryant reminded users that several editions of Windows are nearing forced support retirement, including Vista RTM (April 13), Windows XP SP2 (July 13) and Windows 2000 (July 13), and urged people still running those to upgrade.