January 2011 Patch Tuesday Overview
In the first Patch Tuesday of 2011, Microsoft has released 2 new security bulletins addressing 3 vulnerabilities.
The first bulletin administrators should address is MS11-002. This bulletin affects MDAC on all supported operating systems and addresses two vulnerabilities. The first vulnerability cannot be exploited through Microsoft software, but it may be exploited through third-party software if a user browses to a malicious website. At the time of the bulletin release, Microsoft was not aware of any programs affected by this vulnerability; patching it now prevents any third-party program from becoming an attack vector. The second vulnerability addressed by this bulletin can be exploited through Internet Explorer. An attacker can gain remote code execution if they are able to convince a user to visit a malicious website containing specially crafted ADO structures using the Internet Explorer browser.
The second bulletin, MS11-001, brings us back to the DLL preloading issue that was identified in Microsoft Security Advisory 2269637. This advisory was originally released on August 23, 2010, and we have seen multiple patches released for this issue. During the December 2010 Patch Tuesday, Microsoft released 5 bulletins addressing this issue in various components of the Windows operating system. MS11-001 fixes a DLL preloading issue in the Windows Backup Manager component in Windows Vista. With this vulnerability, opening a legitimate Windows Backup Catalog file in the same directory as a malicious DLL file can lead to remote code execution.
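A check an administrator could run over file shares until MS11-001 is deployed, added here as an example and not taken from Microsoft or the bulletin: it flags every directory where a backup catalog file sits beside a DLL, the layout described above. The `.wbcat` extension and all sample file names are assumptions.

```python
import os
import tempfile

# Assumption: Windows Backup Catalog files use the .wbcat extension.
DOC_EXTS = {".wbcat"}
LIB_EXTS = {".dll"}


def _matching(files, exts):
    """Return the sorted file names whose extension (case-insensitive) is in exts."""
    return sorted(f for f in files if os.path.splitext(f)[1].lower() in exts)


def find_preload_candidates(root, doc_exts=DOC_EXTS, lib_exts=LIB_EXTS):
    """Map each directory under root that holds both a catalog file and a DLL
    to the names found there. A DLL next to a document is not proof of an
    attack, but it is the precondition for the preloading issue."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        docs = _matching(files, doc_exts)
        libs = _matching(files, lib_exts)
        if docs and libs:
            findings[dirpath] = {"docs": docs, "libs": libs}
    return findings


def build_sample_tree(root):
    """Create a constructed sample layout (empty files) for the demo."""
    layout = {
        "share/backups": ["weekly.wbcat", "helper.DLL"],  # should be flagged
        "share/clean": ["monthly.wbcat"],                 # catalog only
        "share/tools": ["plugin.dll"],                    # DLL only
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "wb").close()


def demo():
    """Scan the constructed tree and return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_preload_candidates(tmp)
        return {os.path.relpath(d, tmp).replace(os.sep, "/"): v
                for d, v in hits.items()}


if __name__ == "__main__":
    for directory, found in demo().items():
        print(directory, found["docs"], found["libs"])
```

Point `find_preload_candidates` at a share or profile root to review real directories; each hit needs manual triage, since legitimate software also ships DLLs.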
There have been quite a few Security Advisories published by Microsoft in the past month. Many people will be surprised to see the low number of bulletins released this month. This is due to a couple of factors. First, Microsoft is seeing a 'limited number of attacks' on these vulnerabilities. If Microsoft receives reports of attacks on these vulnerabilities increasing substantially, they will accelerate the patch creation and testing process. Second, each bulletin/patch is a change in the code. If the code change is not given time to be properly tested, the patch could have adverse effects. In this scenario, the vulnerability is fixed, but normal functionality could be adversely affected.
Late last week, Microsoft released an update on all outstanding Security Advisories on their Security Research & Defense blog. This update contains information on each vulnerability currently open and actions that can be taken to mitigate the risk of the open vulnerabilities.
- Jason Miller