Windows 7 is not affected in the default configuration

Mar 10, 2010 15:02 GMT

It’s a slow month for Microsoft as far as patch releases go, a situation that could be disrupted only if the company decides to release an out-of-band patch for the Internet Explorer 0-day confirmed on March 9th. Just two security bulletins were released yesterday by the Redmond company, designed to resolve security issues affecting Windows and Office products. Both bulletins carry a rating of Important, meaning that the risk for customers is somewhat mitigated by the difficulty of building successful attacks, on top of additional factors. However, Jerry Bryant, senior security communications manager lead, Microsoft, stresses that customers should not hesitate to deploy the patches as soon as possible.

“MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension,” Bryant explained.

Microsoft Producer 2003 is affected by the same vulnerability as Windows Movie Maker, but it hasn’t received a patch. Bryant notes that not only is the distribution of Producer 2003 limited, but also that the software cannot be updated automatically. Microsoft is currently working to resolve the issue at the Windows component level and has meanwhile made a Microsoft Fix It available to break the association between the project file type and the application.

“MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel Viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited,” Bryant added.

Customers should be aware of the fact that Microsoft has re-released MS09-033, and that Virtual Server 2005 is now featured on the affected products list. MS09-033 dates back to mid-2009 and patches a vulnerability in Virtual PC and Virtual Server.

“Additionally, we continue to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected,” Bryant said.
