Microsoft is hoping for luck of the Irish in not patching zero-day IE flaw

The company is only patching four vulnerabilities tomorrow, compared with 22 in February. The patches are contained in three bulletins, one rated as critical and two rated as important. The critical updates affect the operating systems Windows XP, Vista, and Windows 7.

“One of the important updates affects all Windows operating systems and we expect it to be for the MHTML Information Disclosure issue, which was left un-patched in last month's patch cycle,” commented Amol Sarwate, manager of Qualys’ Vulnerability Research Lab. “The other important update patches the little known Office Groove 2007 software”, he added.

By not patching the IE flaw, Microsoft is putting itself at a disadvantage for the upcoming Pwn2Own browser hacking contest being held at CanSecWest in Vancouver this week. Perhaps some early luck of the Irish will help Microsoft beat the other browsers at the contest: Google’s Chrome, Mozilla’s Firefox, and Apple’s Safari.

While short, this month’s Patch Tuesday is “very serious”, noted Paul Henry, security and forensic analyst at Lumension. “All patches address issues that could provide for remote code execution, and this will be top of mind for IT flaw remediation specialists”, he observed.

Microsoft “cleaned up a lot of loose ends” with the release of Windows 7 and Windows Server 2008 R2 Service Pack 1, “leaving little to address” in the first Patch Tuesday following the SP1 release, Henry said.
