Microsoft skips patch for PowerPoint add-on

Fixes eight flaws in Windows and Office, but passes on patching Producer 2003

Microsoft fixed eight flaws in Windows and Office today, but passed on patching one Windows component because it cannot be automatically updated.

The eight bugs patched today were far from the near-record 26 that Microsoft fixed last month when it delivered 13 security updates. Both of today's bulletins were ranked "important," the second-highest rating in Microsoft's four-step severity scoring system, even though the company acknowledged that the eight vulnerabilities could be used to completely compromise a Windows PC.

Although security experts recommended that users deploy the Office fix first, several argued today that the Windows update was more interesting because Microsoft declined to patch one of the two pieces of involved software.

MS10-016 fixes a single flaw in Windows Movie Maker, a consumer-grade video editor bundled with Windows Vista, and available as a separate download for users of Windows XP and Windows 7 . Hackers could exploit the bug and hijack the PC by duping users into opening a malicious Movie Maker project file, which uses the ".mswmm" file extension.

While Microsoft patched Movie Maker, it passed over Producer 2003, a downloadable add-on for PowerPoint 2002 and PowerPoint 2003 that allows those presentation makers to play .mswmm files.

Jerry Bryant, a senior manager for the Microsoft Security Response Center (MSRC), and the group's usual spokesman, explained why the company didn't patch Producer 2003. "Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time, but Producer 2003 does not offer a means for automatic update," he said in an entry on the MSRC blog today.

Security researchers took stabs at why Microsoft didn't patch Producer 2003.

"Someone made a strategic decision," said Andrew Storms, director of security operations at nCircle Network Security. "Maybe because not enough people use the product to warrant a full release cycle."

Sheldon Malm, the senior director of security strategy at Rapid7, had a different explanation. "They generally just don't ignore a vulnerability , so I think it's likely that the vulnerability and the patch touched other pieces of code," said Malm, who added that if that was indeed the case, Microsoft would want to spend more time testing before it issued a fix -- especially since it involves PowerPoint, a widely-used program in businesses. "There's the possibility that they will release a patch later," he said. "It may depend on whether there's a public outcry."

"On the Internet, one person has a very loud voice," agreed Storms, referring to the chance that users of Producer 2003 will sound off about the lack of a patch.

Microsoft's Bryant didn't say one way or the other whether a patch was definitely not in the cards. "We continue to investigate Producer 2003," he said on the MSRC blog.

In the meantime, users can break the link between the .mswmm file format and Producer 2003 by running the "Fix it" tool that Microsoft has made available on its support site. After running the tool, the PowerPoint add-on will no longer automatically launch Movie Maker project files.

This is not the first time that Microsoft has declined to patch known vulnerabilities. Last December, for example, Microsoft disabled a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities. In September 2009, the company said that fixing a flaw in Windows 2000 Server SP4's implementation of TCP/IP was not feasible because it would have required too much reworking of the operating system.

The Office update, MS10-017 , fixes seven flaws in Microsoft Office on both Windows and the Mac, and is the first to patch a bug in an Open Office XML (OOXML) file format, the format introduced with Office 2007 and that is also the native format for the upcoming Office 2010.

"Today marks the first day that Microsoft confirmed a vulnerability in the [Office] 2007 file format," said Storms.

Storms, Malm and Jason Miller, a data and security team leader with patch management vendor Shavlik Technologies, all agreed that MS10-017 should be addressed first. "Excel is very, very common on corporate networks," noted Miller.

"Excel is the one to get patched quickly," added Malm, who confirmed Storms' take that the update included the first fix for a flaw in an OOXML format.

The seven Excel vulnerabilities involve every supported edition of Office on both Windows and the Mac, including Office XP, Office 2003 and Office 2007 on Windows, and Office 2004 and Office 2008 on Mac OS X. One of the seven bugs also affects SharePoint Server 2007.

As expected, Microsoft did not patch any of the outstanding security advisories, including one from November 2009 that involves SMB (Server Message Block), and another issued last week in which Microsoft urged users to ignore a prompt to press the F1 key .

However, Microsoft did release another security advisory today that warned users of Internet Explorer 6 (IE6) and IE7 of a critical vulnerability which hackers are already using to attack PCs.

This month's security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Knowledge Center.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon