March 09, 2010, 9:13 PM — Following a heavy patch month in February, Microsoft Tuesday announced a lighter load of security bulletins for its users, but security experts say the potential impact is considerable if vulnerabilities aren't addressed.
"Even though it is a slower month, it is still important to remember that these bulletins should be researched because next time it could be highly publicized vulnerabilities with IE," says Jason Miller, data and security team leader at Shavlik Technologies in St. Paul, Minn.
Microsoft released two security bulletins to address eight vulnerabilities in Windows and Microsoft Office, one specifically that impacts Excel, which security experts say could affect many businesses considering how frequently the application is used. The bulletins will impact fewer machines, almost avoiding all servers unless SharePoint Server 2007 is installed, because they affect client Windows operating systems and Microsoft Office. Yet with Excel being commonplace in most companies, systems will need to be addressed.
"MS10-017 should be addressed first on your network," Miller says. "Microsoft Excel is big in business and most people are going to want to take a look at this. If you download this or get it through an e-mail, it could cause remote code execution, meaning an attacker would be able to take control of your system."
According to Paul Henry, security and forensic analyst for Lumension, MS10-017 resolves "seven privately reported vulnerabilities in Microsoft Office Excel." Henry adds that an experienced hacker could gain the same rights as the local user, but "users whose accounts are configured to have fewer user rights on the system could be less impacted than users who are operating with administrative user rights."
The second bulletin, MS10-016, involves Microsoft Producer 2003, which is not as commonly used as Excel. The vulnerability could also enable remote code execution, but it should be noted, Miller says, that Microsoft is not providing a patch for this vulnerability and is instead recommending the component be uninstalled.
"Microsoft not providing patches for known software vulnerabilities has become more common over the patch 12 months. This is a great example of why administrators should take time each month and research the information associated with each bulletin. Simply blindly pushing out patches does not necessarily make your network secure," Miller says.