Microsoft has fixed eight flaws in Windows and Office, but opted against patching one Windows component because it cannot be automatically updated.
The eight bugs patched yesterday were far from the near-record 26 that Microsoft fixed last month when it delivered 13 security updates. Both of the bulletins were ranked 'important', the second-highest rating in Microsoft's four-step severity scoring system, even though the company acknowledged that the eight vulnerabilities could be used to completely compromise a Windows PC.
Although security experts recommended that users deploy the Office fix first, several argued that the Windows update was more interesting because Microsoft declined to patch one of the two pieces of involved software.
MS10-016 fixes a single flaw in Windows Movie Maker, a consumer-grade video editor bundled with Windows Vista, and available as a separate download for users of Windows XP and Windows 7. Hackers could exploit the bug and hijack the PC by duping users into opening a malicious Movie Maker project file, which uses the '.mswmm' file extension.
While Microsoft patched Movie Maker, it passed over Producer 2003, a downloadable add-on for PowerPoint 2002 and PowerPoint 2003 that allows those presentation makers to play .mswmm files.
Jerry Bryant, a senior manager for the Microsoft Security Response Center (MSRC), explained why the company didn't patch Producer 2003. "Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time, but Producer 2003 does not offer a means for automatic update," he said in an entry on the MSRC blog today.
This is not the first time that Microsoft has declined to patch known vulnerabilities. Last December, for example, Microsoft disabled a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities. In September 2009, the company said that fixing a flaw in Windows 2000 Server SP4's implementation of TCP/IP was not feasible because it would have required too much reworking of the operating system.
The Office update, MS10-017, fixes seven flaws in Microsoft Office on both Windows and the Mac, and is the first to patch a bug in an Open Office XML (OOXML) file format, the format introduced with Office 2007 and that is also the native format for the upcoming Office 2010.
This month's security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.