After a busy February with 13 security bulletins, Microsoft is easing off the patching throttle a bit this month.  Microsoft released two new security bulletins addressing 8 vulnerabilities, all not publically known at this time.  It is not uncommon for Microsoft to have a large patch month followed by a relatively light patch month.

As the bulletins affect client Windows operating systems and Microsoft Office, your servers should be spared from this month’s patching cycle unless you have SharePoint Server 2007 installed.  As expected, Microsoft is not planning to release a bulletin for their recently released security advisory (981169).  Microsoft will need time to investigate, implement and test the fix for this known vulnerability.

It is important to note that MS10-016 affects Microsoft Producer 2003.  However, Microsoft is not providing a patch for this product.  They are suggesting administrators remove the affected component on their machines.  Microsoft not providing patches for known software vulnerabilities has become more common over the past 12 months.  This is a great example of why administrators should take time each month and research the information associated with each bulletin.  Simply blindly pushing out patches does not necessarily make your network secure. 

MS10-017 should be addressed first on your network.  Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars.  Opening a malicious Excel document could lead to remote code execution.

Last month, there were issues identified with security bulletin MS10-015.  This bulletin caused blue screen on systems that were recently patched.  Microsoft researched the issue and found a rootkit was the cause of the blue screen.  This is a perfect example of why companies should have a solid patching process that includes testing each bulletin before deploying it to their network.

Microsoft also announced a new security advisory in 981374.  This security advisory affects Internet Explorer versions 6 and 7.  Microsoft has been receiving limited reports of targeted attacks on the browser.  Although there is not a patch available for this issue, administrators should keep an eye on this advisory for more information.

Lastly, Microsoft re-released MS09-033.  They added Microsoft Virtual Server 2005 to the list of affected products.  If you have already patched the previous affected products, there is no action that is needed on those.  Be on the lookout for MS09-033 missing on some systems though.

Happy Patching!

- Jason Miller