March 08, 2011, 4:32 PM — Microsoft today shipped three security updates that patched four vulnerabilities in Windows and Office.
And, as expected, Microsoft did not release patches for Internet Explorer (IE) to bolster the browser's chances of surviving Pwn2Own, the hacking contest that begins tomorrow.
Even the company called today's Patch Tuesday an easy ride for customers. "It's a light month," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), the team responsible for investigating, patching and issuing fixes.
Microsoft has fallen into the practice of shipping fewer patches during odd-numbered months. In January, for example, it patched just three vulnerabilities, while last month it fixed 22 flaws .
Only one of the three updates -- Microsoft calls them "bulletins" -- was rated "critical," the company's top-level threat ranking. The other two were labeled "important," the second-most dire warning.
The MS11-015 bulletin was the single critical update.
"That's the one we would worry about most," said Wolfgang Kandek, CTO of Qualys.
The update patches a pair of vulnerabilities, including one in the Windows Media Center and Windows Media Player components found in almost all versions of Windows. The flaw resides in Digital Video Recording (DVR-MS) files, which are created by the Stream Buffer Engine (SBE) and stored with the ".dvr-ms" file extension.
"This is a browse and own vulnerability," said Bryant, talking about the kind of bug attackers could exploit simply by convincing users to visit a malicious site.
"It's a drive-by bug," echoed Andrew Storms, director of security operations at nCircle Security. "There are two exploit methods, the first in an IFRAME, which would be a typical drive-by. The other is as an e-mail attachment, which it appears that users would have to actually open, not just preview [in their e-mail client]."
All client editions of Windows, including Windows XP, Vista and Windows 7, are vulnerable until patched. The sole exception: Windows XP Home Edition, which does not support the flawed codec, said Angela Gunn, a senior communications response manager with MSRC.