March Microsoft Patch Tuesday Roundup

Blog Post created by rapid7-admin on Mar 10, 2010

Originally Posted by Sheldon Malm



Time once again for this month's summary of the latest Microsoft Security updates … 

2 advisories, with 8 vulnerabilities covered. This is the lightest March update since Microsoft skipped March altogether back in 2007. 

Here’s the breakdown: 

MS10-016: Rated Important.  Potential Remote Code Execution in Windows Movie Maker, covering 1 vulnerability: CVE-2010-0265 (Buffer Overflow in Movie Maker and Producer). A few things to note about this one ... 

First, Microsoft chose not to patch the exposure in Producer 2003. Apparently the decision is based on the application's limited distribution and the fact that automatic updates are not available for Producer. Given the use of Producer with PowerPoint, this could be a cost-benefit analysis by Microsoft: there might be additional code to check, and that work isn't justified by the limited distribution. If there is no outcry from the community, this one will remain unpatched; if some noise is generated, expect to see more activity from Microsoft in response. Who knows ... perhaps we'll see some creativity from the threat community within malicious online PowerPoint presentations.

Second, user interaction is required for this one.  Microsoft rates it as Exploit Index: 1; Deployment Priority: 2. 

Third, this one is easy to overlook, as few people will view Movie Maker as business-critical technology. With the rapidly growing use of rich media online (punctuated by Cisco's CRS-3 announcement today), this one could come back to bite people in the behind a year from now. If it happens, you heard it here first.

MS10-017: Rated Important. Potential Remote Code Execution in Excel, Excel Viewer, Office for Mac, Office Compatibility Pack, and the Excel Services (which are in the default configuration for SharePoint Server 2007), covering 7 vulnerabilities: CVE-2010-0257 (Record Memory Corruption), CVE-2010-0258 (Sheet Object Type Confusion), CVE-2010-0260 (MDXTUPLE Record Heap Overflow), CVE-2010-0261 (MDXSET Record Heap Overflow), CVE-2010-0262 (FNGROUPNAME Record Uninitialized Memory), CVE-2010-0263 (XLSX File Parsing), and CVE-2010-0264 (DbOrParamQry Record Parsing). This one replaces MS09-067 from November of last year along with MS09-021 from June of last year on SharePoint.  Microsoft rates it as Exploit Index: 1; Deployment Priority: 2. 

This is clearly the highest priority this month: test the update and roll it out in relatively short order. Excel is everywhere in the enterprise, and you're advised not to overlook Excel Services running on SharePoint Server 2007.

MS09-033 was re-released today, as Virtual Server 2005 was added to the affected products list.  If you're running Virtual Server 2005, be sure to pull this one into your remediation activities as well - after Excel and before Movie Maker. 

After last month's monster update, this is a light one. The advice is to patch Excel first and, if you're running Movie Maker, schedule that update in short order. If you're running Producer, Microsoft provides assistance to disable the file type association, so a malicious file would have to be opened manually rather than launching the app from a careless click.

As with every month, NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these and every other Microsoft vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or fewer, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts. 

NeXpose Community Edition is available for immediate download at no cost here:


We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release. 

As always, Happy patching!!