March Microsoft Patches Released

Microsoft has released the expected 2 patches today to address 8 Remote Code Execution vulnerabilities. 
Microsoft also released 2 additional Security Advisories.  


Movie Maker and Producer Buffer Overflow Vulnerability CVE-2010-0265
MS10-017 Microsoft Office Excel Record Memory Corruption Vulnerability CVE-2010-0257
Microsoft Office Excel Sheet Object Type Confusion Vulnerability CVE-2010-0258
Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability CVE-2010-0260
Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability CVE-2010-0261
Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability CVE-2010-0262
Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability CVE-2010-0263
Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability CVE-2010-0264


A single, privately reported vulnerability in Movie Maker and Producer 2003.  The specific issue is in the way these programs parse their related native project files. The current patch applies only to Movie Maker.   Producer is not being patched at this time.  Microsoft has provided a Fix it for Producer to remove the file associations in  KB975561.    There are no known exploits available for this vulnerability at this time. 


MS10-017, contains fixes for 7 privately reported vulnerabilities, with a few interesting items of note.  The first is that 4 of the CVEs are for Excel 2007 only, and 1 specifically names the new XLSX file format as the exploitation target.  This is the first time that I recall seeing the handling of XLSX files being patched.  These file formats have been in use for over 3 years, indicating that Microsoft’s secure development efforts are paying off.  The other item of interest is that SharePoint Server 2007 is affected via Excel Services, which ships with SharePoint 2007 Enterprise and SharePoint 2007 for Internet Sites.  There are no known exploits available for these vulnerabilities at this time.Microsoft Security Bulletin Summary for March 2010

As I always recommend with Remote Code Execution patches, apply all of the relevant ones as soon as possible after testing.

In addition to the 2 bulletins released this month, there is a new and an updated security advisory that are worth mentioning.

New Advisories

The updated advisory (973811) indicates that a new version of the update is available allowing for IIS to be opted-in to Extended Protection for Authentication.  Extended Protection for Authentication provides additional protections against credential forwarding as an added defense in depth measure.

The new security advisory (981374) reports a 0-day in Internet Explorer 6 and 7.  Other versions of IE are not affected.  Microsoft provides several workarounds in the advisory, including setting an ACL on the iepeers.dll file. This vulnerability is being exploited in targeted attacks in the wild. 
More Details:  Microsoft Internet Explorer CVE-2010-0806 Remote Code Execution Vulnerability

Symantec has raised their ThreatCon Alert Level to 2 as a result of this new threat.