Billions of Bytes
Patches Highlight Problems in Maintaining Older Software
By Jennifer LeClaire
Posted: March 10, 2010 8:51am PST

The two bulletins in the March Patch Tuesday affect vulnerabilities that might have been rated more severe in the past. With DEP and ASLR protections in Windows 7, the problems patched mostly endanger older systems like Windows XP, Office 2003, and Internet Explorer. A security analyst said Office 2007 has also been relatively safe.

Microsoft on Tuesday released two security bulletins to fix eight bugs in its Windows and Microsoft Office software. Both bulletins are rated important, but analysts said many of the vulnerabilities could potentially be more severe if exploited.

Joshua Talbot, security intelligence manager at Symantec Security Response, is concerned that in many enterprise environments, Windows XP is still common, and these vulnerabilities are more serious on XP and older systems.

"Since Windows 7, Microsoft has seemed to downgrade file-based vulnerabilities," Talbot said. "In the past, I think many of the vulnerabilities patched this month could have been rated critical, but with protections like DEP and ASLR, these types of vulnerabilities are less of an issue for Windows 7."

A Patch Roller Coaster

Andrew Storms, director of security operations for nCircle, said IT security teams have been on a Microsoft roller coaster so far in 2010 with regard to bulletins. He pointed to January, which produced two bulletins, including the out-of-band emergency release for Internet Explorer. That was followed by a monster patch of 13 bulletins in February. March will go down in history as a light Patch Tuesday with only two important bulletins.

"Unfortunately, this was the first patch for the newer, safer Office 2007 file format. File-format attacks continue to be a favorite attack vector for earlier versions of Office, especially 2003," Storms said. "Since releasing Office 2007 three years ago, Microsoft hasn't had to patch a single bug in this file format, something I'm sure they are pretty proud of. IT security teams everywhere will be keeping their fingers crossed, hoping that this isn't the beginning of a new streak of vulnerabilities in Office."

For the second time in three months, Microsoft has also issued a warning about a new IE zero-day bug. Like the IE zero-day bug from January that got a lot of press because of its involvement in the Aurora exploit that hit Google, Storms said, this bug will get some mitigation assistance from ASLR and DEP. "The good news is that, at this time, IE8 is not affected," he noted. "There's no doubt that this new bug will be fodder for the ongoing security discussion that is a key part of the browser wars."

Pity for Microsoft

Tyler Reguly, lead security engineer at nCircle, said there's nothing overly interesting about March's Patch Tuesday, which offers patches affecting Excel 2007, SharePoint 2007, and MovieMaker, since everything requires user interaction. But he added that it's interesting to note that only Excel 2007 is affected by several of the vulnerabilities in MS10-017. Reguly said he's become so accustomed to seeing a full list of Office versions for most vulnerabilities that he was shocked to see "not applicable" next to Excel 2002 and 2003.

"Microsoft has also released a security advisory regarding a new zero-day in Internet Explorer. In a way, I feel bad for Microsoft having to maintain older versions of their browser," Reguly said. "While I believe browser security is the user's responsibility -- practice safe browsing and such -- and I'm not in the 'IE6 must die' fan club, I can't imagine maintaining browser software as old as IE6. Can you imagine the overhead if Mozilla still had to maintain the initial release of Firefox?"

© Copyright 2010 Billions of Bytes and Sunshine Policy Productions. All rights reserved.