16:24 CET, 10th March 2010 By Carsten Eiram.
Microsoft only issued two security bulletins and an advisory, but the Microsoft Tuesday release was far from uneventful and boring.
The whole release started off in a rushed manner as a security site, which claims that it "follows a responsible disclosure policy", leaked technical details from the security bulletins hours ahead of time. This stunt forced others to publish information earlier than expected instead of waiting for the usual coordinated disclosure time.
It's very unfortunate when events like these occur as it could easily ruin the good relationships that have been created between researchers and software vendors like Microsoft where the parties are sharing information with each other more readily. We hope this occurrence won't cause Microsoft or other software vendors to have second thoughts and, hopefully, Microsoft will take proper measures to prevent such a leak from occurring again in the future.
One of the security bulletins, MS10-016, fixed a single vulnerability in Movie Maker - an application bundled with most versions of Windows to, as the application name suggests, create movies. The application apparently lost its virginity with the release of this security bulletin as it seems like it's the first vulnerability reported in it. The vulnerability is a logic error as it erroneously copies data into the wrong buffer when reading in data from a project file, causing a buffer overflow.
The other security bulletin, MS10-017, addressed a number of vulnerabilities in various versions of Microsoft Office Excel. Interestingly, Microsoft Office Excel 2007 is the application affected by most of the reported vulnerabilities (5 out of 7). The vulnerabilities are caused by various types of errors that allow execution of arbitrary code. Only two vulnerabilities received a rating of "2" in Microsoft's exploitability index; all other vulnerabilities were rated "1" (i.e. consistent exploit code likely).
To finish off the release, was a security advisory for a new 0-day vulnerability in Internet Explorer 6 and 7 that Microsoft states is currently being exploited in targeted attacks.
An interesting monthly release...
Chief Security Specialist