Microsoft Fat Tuesday Patch Rather Slim

In a break from the ordinary, this month's Microsoft Patch Tuesday features relatively few fixes for the software giant's many products. There are just three security bulletins for the month of March, covering about four distinct security flaws in various software.

The lull is somewhat unexpected after several months of record-breaking patch releases by Microsoft. By comparison, February had a total of twelve security bulletins, three of which were marked "critical", the company's highest threat warning.

One 'Critical' Security Bulletin Issued for March

This month, just one of the three security bulletins have been deemed critical (MS11-015). It addresses a flaw in Microsoft DirectShow but also a vulnerability in both Windows Media Player and Windows Media Center. Security firm Symantec warns that ignoring this patch release could allow for remote code execution, giving a hacker and malware goons access to a user's PC. (Source: pcmag.com)

That said, security bulletin MS11-015 is not particularly easy to exploit, even for an advanced hacker. "To exploit this issue, a user has to open a malicious file, so [it's likely] some social engineering would need to be employed," noted Symantec's Joshua Talbot.

Still, Talbot says Microsoft's fix is important. "... Because DVR-MS files are media files used by common Windows applications, it's not hard to imagine a scenario where an attacker spreads a malicious file purporting to be a video clip related to some popular current event." (Source: informationweek.com)

Experts: Expect Big Fixes in April

So, why the light patch cycle? Security expert Roel Schouwenberg believes that Microsoft has likely skipped a few important security issues for this month's release, including an XSS (cross site scripting) flaw and a recently discovered vulnerability in the Windows Browser protocol. It's also likely much of the company's attention was on Windows 7 Service Pack 1, which was released on February 22nd, 2011.

According to Andrew Storms, nCircle's director of security, oversights like this should mean April will be a rather heavy month for Microsoft fixes. There's also the upcoming Pwn2Own hacking contest to consider, which usually reveals gaps in various Microsoft products.