Microsoft Corp. issued their monthly security bulletins on Tuesday, with fixes for four known vulnerabilities in the company’s Windows operating system, Office suite and Remote Desktop Connection products.
The March patch release included three bulletins: MS11-015, 016 and 017. Only one, MS11-015, is rated critical – indicating a danger of the holes being used in remote attacks or to enable fast spreading worms. The other two bulletins are rated “important.”
MS11-015 fixes a publicly disclosed hole in the DirectShow product and one previously undisclosed vulnerability in Windows Media Player and Media Center. The vulnerabilities, if exploited, would have allowed attackers to use specially crafted Microsoft Digital Video Recording (.dvr-ms) files to run malicious code on a vulnerable Windows system. Microsoft rated it critical for affected versions of Windows XP, as well as all supported versions of Windows Vista and Windows 7. Windows Media Center TV Pack for Vista is also affected, the company said.
Both the MS11-016 and 017 patches address DLL preloading issues in Microsoft products – Microsoft Groove 2007 Service Pack 2, and Windows Remote Client Desktop. That issue, which affects a wide range of software from different vendors, was first disclosed in August 2010. In September, Microsoft released guidance on the impact of the DLL hijacking bug, and a Fix-It tool that allowed customers to ameliorate the impact of the hole.
The company did not issue a fix for a serious flaw in the way that Windows manages MHTML operations. As Threatpost reported last month, that hole affects all current versions of Windows and could allow an attacker to run code on vulnerable systems. In its bulletin, Microsoft issued a Security Advisory about the MHTML bug in January. In its March Patch release, the company said that it was “monitoring the threat landscape” and “working to provide a solution through our monthly security update release process,” suggesting that the company would not do an out-of-cycle security patch to plug the MHTML hole once a fix is available.
March’s batch of patches is smaller than the company’s February release, which comprised 12 separate bulletins containing fixes for 22 vulnerabilities across a range of products.