2010 03 10

Patches Highlight Problems in Maintaining Older Software

Source : NewsFactor Network
URL : http://www.newsfactor.com/story.xhtml?story_id=72098

Microsoft on Tuesday released two security bulletins to fix eight bugs in its Windows and Microsoft Office software. Both bulletins are rated important, but analysts said many of the vulnerabilities could potentially be more severe if exploited.

Joshua Talbot, security intelligence manager at Symantec Security Response, is concerned that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems.

"Since Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities," Talbot said. "In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7."

A Patch Roller Coaster

Andrew Storms, director of Security operations for nCircle, said IT security teams have been on a Microsoft roller coaster so far in 2010 in regards to bulletins. He pointed to January, which produced two bulletins, including the out-of-band emergency release for Internet Explorer. That was followed by a monster patch of 13 bulletins in February. March will go down in history as a light Patch Tuesday with only two important bulletins.

"Unfortunately, this was the first patch for the newer, safer Office 2007 file format. File-format attacks continue to be a favorite attack vector for earlier versions of Office, especially 2003," Storms said. "Since releasing Office 2007 three years ago, Microsoft hasn't had to patch a single bug in this file format, something I'm sure they are pretty proud of. IT security teams everywhere will be keeping their fingers crossed, hoping that this isn't the beginning of a new streak of vulnerabilities in Office."

For the second time in three months, Microsoft has also issued a warning about a new IE zero-day bug. Like the IE zero-day bug from January that got a lot of...