Patch Tuesday: March 2011 Edition
Microsoft’s February Patch Tuesday was very critical with 12 updates fixing 22 vulnerabilities, out of which three are 0-day vulnerabilities. The bulletins address issues in Windows, Internet Explorer, Office, Visual Studio and IIS. March in comparison with last month is fairly quiet month for Patch Tuesday patches. This month’s Patch Tuesday will have just three bulletins going out, two for Windows operating system and one for Groove 2007 users. These three bulletins are going to patch a total of four vulnerabilities.
Out of the two bulletins for Windows, one bulletin rated critical; the Groove bulletin and the other Windows bulletin rated as important. All three bulletins “may” need a restart after installation.
As ever, Microsoft has issued no information about which publicly disclosed vulnerabilities–if any–will be included in the patches. The critical rated bulletin will fix a flaw in Windows XP, Vista and Windows 7 systems. The second bulletin, rated important, will fix a flaw in all supported versions of Windows, including Server products. The third bulletin affects Microsoft Groove 2007 SP2 product. All three bulletins marked as Remote Code Execution exploits. However, confirmation of this is not possible until the patches are released next week.
Microsoft seems to have missed to patch Internet Explorer ahead of next week’s Pwn2Own hacker contest. It’s not yet clear whether Microsoft has failed to patch the MHTML vulnerability before the Pwn2Own hacker contest, which kicks off next week in Vancouver, Canada. The Register reports that both IE browser rivals Mozilla and Google patched Firefox and Chrome earlier this week in preparation of the event. The MHTML vulnerability affects Windows XP, Vista, Windows 7 and all supported Windows Server releases. The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context. An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance.
|1||Critical||Remote Code Execution||Windows XP/Vista/7/2008 R2|
|2||Important||Remote Code Execution||Windows XP/2003/Vista/2008/7/2008 R2|
|3||Important||Remote Code Execution||Microsoft Groove 2007|
The bulletins will be released on Tuesday at 10:00am PST. Microsoft will as usual host a webcast to address customer questions on the security bulletins on March 9, 2011, at 11:00 AM Pacific Time (US & Canada). You can get more information at Microsoft Security Bulletin.