Microsoft Patches 4 Vulnerabilities in Windows and Office

It’s quite a slow month for Microsoft, patch-wise, with the company releasing just three security bulletins for a total of four vulnerabilities in Windows and Office.

Just one of the March 2011 security bulletins is considered Critical, with the reaming two carrying rating of Important, revealed Angela Gunn, senior response communications manager, Trustworthy Computing, Microsoft.

Obviously, the software giant recommends that customers prioritize the deployment of the updates designed to resolve the issues which carry the largest security risk, provided through MS11-015.

This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1,” Gunn explained.

“Due to the nature of the affected software, this bulletin carries a Critical-level severity rating for all affected client systems, but only an Important-level rating for Windows Server 2008 R2 for x64. Other versions of Windows Server - 2003, 2008 and 2008 R2 - are unaffected.

“For both the Critical- and Important-level vulnerabilities, an attacker would have to convince a user to open a maliciously crafted file for an attack to work.”

The remaining two security bulletins are connected in that the updates are designed to patch the DLL-preloading vulnerability detailed in Security Advisory 2269637.

Gunn underlined that the Redmond company had not come across exploits against DLL-preloading issues in the wild.

“MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010,” she explained.

“MS11-017 is also a DLL-preloading issue, in this instance in Microsoft Windows Remote Client Desktop. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.”

A video featuring Jerry Bryant, Group Manager, Response Communications, Trustworthy Computing focused on teh March 2011 security bulletins is available here.