Microsoft issued three bulletins to fix four vulnerabilities in Microsoft Windows and Office on this month's Patch Tuesday.
One bulletin was rated critical and two rated important, as reported by SC Magazine last week.
Microsoft System Center knowledge engineer J.C. Hornbeck acknowledged that the two important patches both address DLL-preloading issues described in Security Advisory 2269637 and said that Microsoft will continue to address these issues as they are discovered. “However, it is important to note that we have not seen exploitation of these issues in the wild,” he said.
Joshua Talbot, security intelligence manager at Symantec Security Response, said that the lone critical issue this month, MS11-015, which patches a DVR-MS vulnerability, will be somewhat trivial for attackers to exploit, as it also allows attackers to skip a few of the traditional steps needed to get malicious code to execute on a targeted computer.
He said: “This is because when processing DVR-MS files, Windows Media Player and Media Centre use data in these files themselves to determine what code in memory gets executed. This allows an attacker to jump directly to executing malicious code.
“To exploit this issue a user has to open a malicious file, so some social engineering would need to be employed. However, because DVR-MS files are media files used by common Windows applications, it's not hard to imagine a scenario where an attacker spreads a malicious file purporting to be a video clip related to some popular current event.”
Jason Miller, data team manager at Shavlik, said: “If a user views the malicious website and media file with a browser, the attacker could gain remote code execution. With this type of attack vector, this patch should be tested and deployed as soon as possible.”
Wolfgang Kandek, CTO of Qualys, said: “Microsoft normally rate these types of file format vulnerabilities as only 'important' because user interaction is required. However, this particular flaw has a component that allows for an attack through a browser link and allows its exploitation in automated 'drive-by' fashion. We recommend patching this immediately.”
There were two patches rated as 'important': MS11-016 fixes a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin; MS11-017 also addresses a DLL-preloading issue, in this instance in the Windows Remote Desktop Client.
Miller said: “MS11-016 affects Office Groove: opening a malicious .vcg or .gta file on a network share that contains a malicious DLL could result in remote code execution. MS11-017 affects the Windows Remote Desktop Protocol on the Windows operating system. Opening a malicious .rdp file on a network share that contains a malicious DLL could result in remote code execution.
“RDP file extensions could be common for administrators that have many servers they remotely connect to throughout the day. Saving an RDP file with the server information is very useful for administrators managing a network.”
Talbot said: “These are fairly easy to exploit, but because an attack would require a user to take some fairly uncommon steps, such as opening up malicious files from SMB or WebDAV servers, they are less likely to pose a serious threat.”
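The DLL-preloading vector both bulletins close relies on the application looking in the directory of the opened document (an SMB or WebDAV share, in the cases above) before the system directories when it resolves a library by name. Until the patches are deployed, Security Advisory 2269637 offers a system-wide mitigation, and an administrator will want to know whether it is already in place. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the CWDIllegalInDllSearch registry value (assumed here to be the value documented in Microsoft KB2264107, under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) and reports the state of the WebClient service, which is the WebDAV redirector that makes "open a file from a WebDAV server" possible in the first place. The value meanings in the switch are taken from that knowledge base article; the Report-DllPreloadMitigations function and its output format are this example's own.

```powershell
# Added example: report the DLL-preloading mitigations recommended in
# Microsoft Security Advisory 2269637. Not part of the original article.
# Assumption: CWDIllegalInDllSearch is the DWORD documented in KB2264107
# under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
# Run in an elevated PowerShell session.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$CwdValueName      = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchState {
    $item = Get-ItemProperty -Path $SessionManagerKey -Name $CwdValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value   = '(not set)'
            Meaning = 'Current directory is searched for DLLs, including directories on SMB and WebDAV shares'
        }
    }

    # The registry returns a DWORD as a signed Int32, so 0xFFFFFFFF arrives as -1.
    # Normalise it to an unsigned value before interpreting it.
    $v = [int64]$item.$CwdValueName
    if ($v -lt 0) { $v += 0x100000000 }

    $meaning = switch ($v) {
        0xFFFFFFFF { 'Current directory removed from the DLL search path entirely' }
        2          { 'DLL loading from WebDAV and remote network shares is blocked' }
        1          { 'DLL loading from WebDAV shares is blocked; SMB shares are still searched' }
        0          { 'Mitigation explicitly disabled' }
        default    { "Unrecognised value $v" }
    }

    [pscustomobject]@{
        Value   = ('0x{0:X8}' -f $v)
        Meaning = $meaning
    }
}

function Get-WebDavRedirectorState {
    # WebClient is the service that lets Explorer and applications open paths on WebDAV servers.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return 'WebClient service not installed: WebDAV paths cannot be opened from this host'
    }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    "WebClient service is $($svc.Status), start mode $($wmi.StartMode)"
}

function Report-DllPreloadMitigations {
    $cwd = Get-CwdDllSearchState
    Write-Output "CWDIllegalInDllSearch : $($cwd.Value)"
    Write-Output "  -> $($cwd.Meaning)"
    Write-Output "WebDAV redirector     : $(Get-WebDavRedirectorState)"

    # Flag hosts where the vector described in the bulletins is still open.
    if ($cwd.Value -eq '(not set)' -or $cwd.Value -eq '0x00000000') {
        Write-Warning 'No DLL search-order mitigation in place; deploy MS11-016/MS11-017 or apply the advisory workaround.'
    }
}

Report-DllPreloadMitigations
```

Setting the value to 2 blocks exactly the scenario Miller and Talbot describe (a document and a rogue DLL side by side on a remote share) without touching local directories, which is why the advisory's Fix it uses that setting; 0xFFFFFFFF is stronger but can break applications that legitimately load helper DLLs from the current directory, so test it before rolling it out.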
Regarding what was not fixed, Andrew Storms, director of security at nCircle, noted that there was no fix for the MHTML bug for which Microsoft issued an advisory in late January.
He said: “While the March time frame was probably doable for a release, it's likely that Microsoft hasn't seen much in the way of attacks for this vulnerability, so they felt comfortable keeping the patch on a normal release cycle. Users concerned about this bug can apply the FixIt mitigation tool Microsoft released last month.”
Dave Marcus, director of security research and communications at McAfee Labs, said: “We haven't seen evidence that the impact of the MHTML vulnerability is any more significant than the other zero-day code execution vulnerabilities we've seen recently. This month's Patch Tuesday does not address this Internet Explorer zero-day, which could allow hackers to take advantage of this vulnerability.”