Microsoft releases 11 patches, six critical
Of the 17 – each of which can allow an attacker to take over a PC – six are client-side flaws. Four bugs impact Microsoft Office; two affect Internet Explorer (IE).
The release impacted a high number of Microsoft applications, including Active Directory, Active Directory Application Mode (ADAM), Internet Information Services (IIS), Visual Basic and Works.
However, what Microsoft didn't patch caught the eye of Jonathan Bitle, director of technical account management at Qualys.
"Microsoft has confirmed that a zero-day vulnerability is leveraging a weakness in Excel but they didn't release a patch for that issue," he told SCMagazineUS.com. "If they stick with the current patch cycle [and fix it on March 11], it will have been exploited for nearly two months."
Meanwhile, users should quickly apply bulletin MS08-010, which affects IE versions 6 and 7 across several versions of the Windows operating system, including Vista, Don Leatham, director of solutions and strategy at Lumension Security, told SCMagazineUS.com. This vulnerability impacts IE's HTML interpreter, a program "at the core of what a browser does," Leatham said.
"So anyone browsing outside the firewall could be vulnerable to exploits," he said. "It's very important that this one be looked at closely."
Craig Schmugar, threat researcher at McAfee Avert Labs, said the patches "underline the need to be aware when opening files and the risk of surfing the web unprotected."
"Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply opens a file or visits a malicious or compromised website - favorite attack methods among cybercriminals," he said.
However, Eric Schultze, chief technology officer at Shavlik Technologies, a patch-management vendor, said he would be concerned with the server-side bugs.
In the case of a client-side attack, "I would have to wait for someone to visit a website or open a document, so it's more difficult to target an attack against a company if I have to wait," he said.
Schultze also noted that Microsoft didn't patch a previously announced vulnerability in VBScript/JScript.
"I'm guessing that they didn't like the results of some last-minute testing so they decided to hold it back to get it right," he said.
Microsoft was slated to release a dozen fixes, according to last week's advance notification advisory.