Microsoft skips patch for PowerPoint add-on
Fixes eight flaws in Windows and Office, but passes on patching Producer 2003
Computerworld - Microsoft fixed eight flaws in Windows and Office today, but passed on patching one Windows component because it cannot be automatically updated.
The eight bugs patched today were far from the near-record 26 that Microsoft fixed last month when it delivered 13 security updates. Both of today's bulletins were ranked "important," the second-highest rating in Microsoft's four-step severity scoring system, even though the company acknowledged that the eight vulnerabilities could be used to completely compromise a Windows PC.
Although security experts recommended that users deploy the Office fix first, several argued today that the Windows update was more interesting because Microsoft declined to patch one of the two pieces of involved software.
MS10-016 fixes a single flaw in Windows Movie Maker, a consumer-grade video editor bundled with Windows Vista, and available as a separate download for users of Windows XP and Windows 7. Hackers could exploit the bug and hijack the PC by duping users into opening a malicious Movie Maker project file, which uses the ".mswmm" file extension.
While Microsoft patched Movie Maker, it passed over Producer 2003, a downloadable add-on for PowerPoint 2002 and PowerPoint 2003 that allows those presentation makers to play .mswmm files.
Jerry Bryant, a senior manager for the Microsoft Security Response Center (MSRC), and the group's usual spokesman, explained why the company didn't patch Producer 2003. "Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time, but Producer 2003 does not offer a means for automatic update," he said in an entry on the MSRC blog today.
Security researchers took stabs at why Microsoft didn't patch Producer 2003.
"Someone made a strategic decision," said Andrew Storms, director of security operations at nCircle Network Security. "Maybe because not enough people use the product to warrant a full release cycle."
Sheldon Malm, the senior director of security strategy at Rapid7, had a different explanation. "They generally just don't ignore a vulnerability, so I think it's likely that the vulnerability and the patch touched other pieces of code," said Malm, who added that if that was indeed the case, Microsoft would want to spend more time testing before it issued a fix -- especially since it involves PowerPoint, a widely-used program in businesses. "There's the possibility that they will release a patch later," he said. "It may depend on whether there's a public outcry."
"On the Internet, one person has a very loud voice," agreed Storms, referring to the chance that users of Producer 2003 will sound off about the lack of a patch.
Microsoft's Bryant didn't say one way or the other whether a patch was definitely not in the cards. "We continue to investigate Producer 2003," he said on the MSRC blog.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
- CA Technology Brief: CA Point of View: Content Aware Identity & Access Management
- This paper explores the concept of content-aware IAM, describes the integrated architecture for this new approach, and highlights the benefits that this approach...
- Google: Security for Google Apps Messaging & Collaboration
- Content provided by Google
Find out about how Google creates a security-based platform for Google Apps, covering topics like information security, physical security, and... - An Interactive Guide: Bring Your Own Device
- BYOD presents significant security and management challenges to IT departments who want to take advantage of the trend, but still protect corporate assets....
- Fundamental Principles of Network Security
- This paper covers the fundamentals of secure networking systems, including firewalls, network topology and secure protocols. Best practices are also given that introduce... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts