March 11, 2010, 6:34 PM — Is there a worse IT job in the world than being a Microsoft security fixer-upper? First, you have to deal with the fact that Windows itself is insecure by design. That's bad enough. But then, when you do get something right, like this week's Patch Tuesday pack of patches, you're hit on the same day with a new and major Internet Explorer zero-day security hole!
First, the good news. The big news in this latest lot of patches is that several significant security holes in Excel were fixed. I've been in offices where Excel spreadsheets flew back and forth over e-mails faster than cars passing someone going 55 MPH on the interstate, so this is a good thing. Sneaking malware into documents and spreadsheets isn't as common as it once was, but it's still common enough that making Excel a wee bit more secure counts as a must upgrade in my book.
Then, on the moderately bad news side, Microsoft elected not to fix a bug in an add-on to PowerPoint. The specific problem was in Producer 2003, a PowerPoint 2002 and PowerPoint 2003 add-on that allows them to play .mswmm (Windows Movie Maker Project) movies and animations.
Jerry Bryant, a senior manager for the MSRC (Microsoft Security Response Center), explained that Producer 2003 wasn't fixed because, "Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update."
So what is the answer if you're one of the few people using Producer 2003? I quote Mr. Bryant, "uninstall the application." That will go over well. "Or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security." What the 'fix it' does is essentially remove Producer 2003's functionality so I guess you might as well uninstall the app. Or, what I suspect Microsoft really wants you to do: upgrade to a newer version of Microsoft Office with its bigger, better, and more expensive copy of PowerPoint. Ka-ching!
But I can't get too ticked off at Microsoft wanting you to move off a seven-year-old program. Microsoft's business is all about getting you to move off old programs to new programs every three years or so, whether you need the new one or not. It's kind of like buying a new car, except there's no wear and tear on software. No, the real problem, which has me a little annoyed even as I feel sorry for Microsoft security developers, is that there's yet another IE security hole.
Really! I'm not making this up. This latest and greatest IE security hole can be used to hijack IE 6 and 7. IE 8, I'm happy to say, isn't vulnerable to this one.
The bad news keeps coming though because this isn't just some theoretical security hole that might be used. Hackers are already using this IE flaw to bust into Windows computers. And, the good news just keeps coming because now any script kiddie can pick up the exploit code to start running attacks.
When will it be fixed? We don't know. Microsoft isn't saying. If they wait until the next Patch Tuesday, April 13, IE users can look forward to a month of being vulnerable to attacks. You can block it by disabling scripting in either browser. To turn scripting off in IE 6 follow the instructions in this Microsoft document.
In IE 7, go to the Tools menu and pick Internet Options. Then click the Security tab and follow that by clicking on Custom Level. Scroll down to the scripting section of the list and then click Disable to turn scripting off.
Better still, you could upgrade to IE 8. Or, the smartest move you could make is just to abandon all versions of IE, since they really do seem to get broken into every month or two now, and switch over to a more secure Web browser. Your pick of better browsers includes Chrome, Firefox, Opera, and Safari. Personally, I prefer Chrome and Firefox, but any of them, and I mean any of them, are better than any version of IE.