1. General Information
On Tuesday 9 March, 2010, Microsoft released its periodic security bulletin for March with 2 patches for 8 vulnerabilities in Windows Movie Maker and Microsoft Office Excel. Simultaneously, the company also warned of a critical zero-day vulnerability in Internet Explorer.
| ID | Affected Software | Severity |
|---|---|---|
| MS10-016 | Windows Movie Maker | Critical |
| MS10-017 | Microsoft Office Excel | Critical |
2. Technical details
Windows Movie Maker is a video editing tool included with the Windows operating system. A flaw in the "IsValidWMToolsStream()" function may lead to a buffer overflow when processing malformed project files (.mswmm). By luring users into opening a specially crafted .mswmm file, an attacker may execute arbitrary code on their computers.
A series of vulnerabilities in the way Microsoft Office Excel, a popular office application, processes records has been patched. These holes are rated critical because an attacker who successfully exploits them could execute arbitrary code on users' computers.
Besides the two patches, Microsoft also warned of a zero-day vulnerability in Internet Explorer (IE) that has already been exploited on the Internet. This hole was found in the iepeers.dll library file in IE 6 and 7. It is rated critical since it allows remote attacks and malicious code execution.
3. Solution
Most of these holes are found in widely used software and are rated critical. Thus, Bkis recommends that users install the new patches in one of the following ways:
1. Click "Start", "All Programs" and choose "Windows Update", and the system will automatically download and install security updates.
2. Visit the Microsoft Update website to manually download and install security updates for your computer.
As for the zero-day vulnerability in IE, users are recommended to set IE's security at the highest level, take care not to visit unknown websites, and regularly install security patches from Microsoft.
Analyst: Le Manh Tung