News

Microsoft to fix critical Windows flaw in light patching month

SearchSecurity.com Staff

Microsoft will release one critical and two important security bulletins, next week, as part of its all-important Patch Tuesday ritual.

The newest bulletins will patch flaws in Microsoft's Windows and Office products, according to the company's Advance Notification, issued Thursday.

The first bulletin contains mostly fixes labeled "critical" that span the tech giant's currently supported operating system line, from Windows XP Service Pack 3 through Windows Vista Service Packs 1 and 2 to the newly released Windows 7 Service Pack 1.

The bulletin will likely address the MHTML information disclosure issue, which was left unpatched in last month's patch cycle, said Amol Sarwate, manager of the vulnerability research lab at Qualys Inc., in a statement issued by the vendor. Proof-of-concept code targeting the MHTML zero-day flaw was issued in January. Microsoft said a victim can be infected by clicking on a malicious link on a website that leads to an HTML document. The technique injects malicious JavaScript into the victim's browser, giving the attacker the ability to "spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

Only flaws labeled "Important" assail the Windows Server lineup this time around. The security update affects Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. In addition, the update affects all currently supported versions of Windows.

Bulletin three affects Microsoft Office and is a single "important" fix for Microsoft Groove Service Pack 2, the Microsoft SharePoint shared-workspace application in the Office suite.

March is typically a "lighter month" in the alternating cycle of Microsoft's Patch Tuesday. Last month the company issued 12 bulletins, fixing 22 flaws across its product line. This month the company is issuing only three bulletins, which patch only four vulnerabilities.

Microsoft broke its patch cycle a few weeks ago to address a flaw in its Malware Protection Engine.

In addition, a fix is expected for the Microsoft Malicious Software Removal Tool (MSRT); however, the company did not list that specifically in its Advance Notification.

~Ryan Cloutier, Contributor