Microsoft Patches Flaws But Still Works On IE Fix

Microsoft has begun 2011 with a relatively light Patch Tuesday update that contains two security bulletins to fix three Windows vulnerabilities.

Only one of the bulletins is rated “critical.” That bulletin, MS11-002, covers two vulnerabilities affecting Microsoft Data Access Components.

The first of the bugs exists in the way MDAC (Microsoft Data Access Components) validates third-party API usage. The second is due to the way MDAC validates memory allocation.

Critical Fix

According to Microsoft, both vulnerabilities could be exploited via a specially crafted web page to allow an attacker to remotely execute code.

“The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server,” blogged Carlene Chmaj, senior security response communications manager for Trustworthy Computing at Microsoft. “It involves the Microsoft Data Access Components (MDAC). This has an Exploitability Index rating of 1, and because there is a web-based attack vector, this is at the top of our deployment priority list.”

The second bulletin, rated “important,” addresses a publicly disclosed vulnerability in Windows Backup Manager that could allow remote code execution if a user opens a legitimate Windows Backup Manager file located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the malicious library file, Microsoft warned.

“The vulnerability in the Backup Manager DLL that was also patched has exploit code publicly available, but we haven’t seen any attacks attempt to use it in the wild,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “Because an exploit would require a user to take some fairly uncommon steps – such as opening up a Windows backup or ‘.wbcat’ file from an SMB or WebDAV server – it’s less appealing as an attack vector than other vulnerabilities out there that require much less of the user.”

Patching Question Marks

Last week, some security researchers asked why Microsoft was not releasing patches for some of the other vulnerabilities that have been in the public eye of late, including an Internet Explorer bug the company warned about in December that is due to the creation of uninitialised memory during a CSS (Cascading Style Sheets) function within the browser. While the company did not issue a fix, Microsoft has added a workaround to help users deal with the bug.

“This month, we are revising Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability, Chmaj wrote. “This workaround only applies to systems that have the MS10-090 update for Internet Explorer installed. The vulnerability discussed in the advisory occurs when an attacker creates a malicious CSS file that points to itself and provides it to Internet Explorer. This action corrupts memory and could be exploited.”

“Customers should be mindful that there are several zero-day vulnerabilities in the wild such as a flaw in the Graphics Rendering Engine (CVE-2010-3970)… and a bug found by Michal Zalewski in mshtml.dll,” noted Josh Abraham, security researcher at Rapid7. “The Graphics Rendering Engine vulnerability and CSS Import Rule Processing Use-After-Free vulnerability both have mitigations that Microsoft has provided. Customers should implement these mitigations until a patch has been released.”