Microsoft plans to push out three security bulletins next week, the most serious of which is meant to squash at least one remote code execution bug in Windows.
All three bulletins deal with security bugs in Windows, with the other two addressing what Microsoft characterized as “spoofing” issues. The remote code execution bulletin is rated “critical,” and affects Windows 2000, XP, Vista and Windows Server 2003 and 2008.
This month’s patch lineup does not include a fix for the zero-day vulnerability affecting Microsoft Office Excel that hackers have been targeting in recent weeks. Microsoft issued an advisory on the bug Feb. 24, warning that it could allow a hacker to execute arbitrary code if a specially crafted Excel file attempts to access an invalid object.
So far, Microsoft has only reported seeing limited, targeted attacks leveraging the vulnerability. However, the company has publicized workarounds for users concerned about exploitation. For one, Microsoft advises customers to use MOICE (the Microsoft Office Isolated Conversion Environment) when opening files from unknown or untrusted sources. Users can also take advantage of the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted senders.
The spoofing issues addressed in the two bulletins slated for next week are rated “important.” One of those two bulletins covers Windows 2000, XP, Vista and Windows Server 2003 and 2008. The final bulletin, however, only impacts Windows 2000 and Windows Server 2003 and 2008.
The March patches would bring the number of Patch Tuesday bulletins this year to eight. The new bulletins will be available March 10.