Two bulletins from Microsoft on its first Patch Tuesday of 2011 but Internet Explorer zero-day remains uncovered

News by Dan Raywood

Microsoft released two bulletins addressing three vulnerabilities on its first Patch Tuesday of 2011 yesterday.

As revealed by SC Magazine last week, the first bulletin (MS11-001) is rated as ‘important’ and addresses a vulnerability in Windows Backup Manager, while the second (MS11-002) is rated as ‘critical’ and addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated critical for Windows XP, Vista and Windows 7 and the second rated important for all supported versions of Windows Server.

Carlene Chmaj, senior security response communications manager at Microsoft, said that it is not aware of any proof of concept code or of any active attacks seeking to exploit these vulnerabilities.

Looking firstly at MS11-002, Jason Miller, data team manager at Shavlik Technologies, said: “This advisory was originally released on 23rd August 2010 and we have seen multiple patches released for this issue. During the December 2010 Patch Tuesday, Microsoft released five bulletins addressing this issue with various components of the Windows operating system.

“MS11-001 fixes a DLL preloading issue in the Windows Backup Manager component in Windows Vista. With this vulnerability, opening a legitimate Windows Backup Catalog file in the same directory as a malicious DLL file can lead to remote code execution.”

Wolfgang Kandek, CTO at Qualys, said: “MS11-001 provides a patch for a DLL preloading issue in the Windows Backup Tool. While DLL preloading is an old systemic issue in Windows and many other operating systems, it gained new attention in August of last year, when many vulnerable applications were identified.

“Given the scope of the DLL preloading vulnerabilities we highly recommend implementing the workaround that Microsoft describes in Security Advisory 2269637 and KB2264107, which neutralises the most common attack vectors on the operating system level.”

Joshua Talbot, security intelligence manager at Symantec Security Response, said: “The vulnerability in the Backup Manager DLL that was also patched has exploit code publicly available, but we haven't seen any attacks attempt to use it in the wild.

“Because an exploit would require a user to take some fairly uncommon steps, such as opening up a Windows backup or ‘.wbcat’ file from an SMB or WebDAV server, it is less appealing as an attack vector than other vulnerabilities out there that require much less of the user.”

Looking at MS11-002, Miller said that this is the first bulletin that administrators should address as it affects Microsoft Data Access Components (MDAC) on all supported operating systems and addresses two vulnerabilities.

He said: “The first vulnerability cannot be exploited through Microsoft software. The vulnerability may be exploited through third party software if a user browses to a malicious website. The second vulnerability addressed by this bulletin can be exploited through Internet Explorer if an attacker can gain remote code execution if they are able to convince a user to visit a malicious website containing specially crafted ADO structures using the Internet Explorer browser.”

Kandek said that this is the more important of the two bulletins as it covers a critically rated vulnerability in the MDAC OS component, affects all versions of the Windows operating system and can be triggered by browsing to a malicious website.

In conclusion on the patches released, Miller said: “There have been quite a few Security Advisories published by Microsoft in the past month. Many people will be surprised to see the low number of bulletins released this month, this is due to a couple of factors. Microsoft is seeing a ‘limited number of attacks’ on these vulnerabilities and if Microsoft receives reports of attacks on these vulnerabilities increasing substantially, they will accelerate the patch creation and testing process.

“Secondly, each bulletin/patch is a change in the code, if the code change is not given time to be properly tested, the patch could have adverse effects. In this scenario, the vulnerability is fixed, but normal functionality could be adversely affected.”

However, the main topic of conversation this month has been the zero-day flaw in Internet Explorer and when a patch is likely to be released.

Paul Henry, forensic and security analyst at Lumension, said: “All in all, today's light patch load is nothing to get excited about. It remains to be seen whether or not Microsoft will provide out-of-band patches for the zero-day issues that are poised to wreak havoc in enterprise environments or if we will have to play ‘hurry up and wait’ until Patch Tuesday in February.”

Chmaj said that Microsoft had revised Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability. However, this workaround only applies to systems that have the MS10-090 update for Internet Explorer installed.

“The vulnerability discussed in the advisory occurs when an attacker creates a malicious CSS file that points to itself and provides it to Internet Explorer. This action corrupts memory and could be exploited. Customers are encouraged to review the new workaround and assess it for their particular environment,” she said.

Andrew Storms, director of security operations at nCircle, said: “Instead of talking about the number of bulletins being patched today, everyone's mind is on the five vulnerabilities that are not being patched. Microsoft always delivers clear concise communications in advance of the patch, so no one should be surprised that none of the five vulnerabilities are on this month's patch list.

“The most severe of the outstanding vulnerabilities, the recursive style sheet load bug in IE, was just made public in late December. That means there is no way Microsoft could deliver a January patch, unless they knew about the bug well before it went public.”

