Microsoft patches critical Windows drive-by bug
Also repairs 'DLL load hijacking' flaw in Vista, but leaves several vulnerabilities unfixed
Computerworld - Microsoft today patched three vulnerabilities in Windows, one that could be exploited by attackers who dupe users into visiting a malicious Web site.
The company also debuted a new defensive measure to help users ward off ongoing attacks that are exploiting a known bug in Internet Explorer (IE).
The light load -- just two security updates, or "bulletins" as Microsoft calls them -- was announced last week, making for an easier beginning to the new year than the end of 2010, when in December the company shipped a record 17 updates that patched a near-record 40 bugs.
One of today's updates was classified as "critical" by Microsoft, the firm's top threat ranking, while the other was marked as "important," the second-most dangerous rating.
MS11-002 was the update that security researchers and Microsoft recommended users apply first. The update patched two vulnerabilities, one critical, the other important.
"Attackers can exploit the critical vulnerability in MS11-002 by getting users to browse to a malicious Web site," said Amol Sarwate, manager of Qualys' vulnerabilities research labs. The tactic, usually called a "drive-by" attack, relies on enticing users to click a link that's offered in a baited e-mail.
"It's exploitable through a drive-by," confirmed Sarwate.
The bug is in the Microsoft Data Access Components (MDAC), a set of components that lets Windows access databases such as Microsoft's own SQL Server. The flaw is in the MDAC ActiveX control that allows users to access databases from within IE.
Only users running IE are at risk from attacks exploiting the critical bug Microsoft disclosed in MS11-002, said both Sarwate and Andrew Storms, the director of security operations at nCircle Security.
Microsoft also urged customers to apply MS11-002 first, noting that all client versions of Windows, including XP Service Pack 3 (SP3), Vista and Windows 7 were vulnerable. The server editions of the operating system are vulnerable as well, but for them Microsoft rated the threat as important, not critical.
Hackers will probably come up with reliable attack code to exploit the bugs patched by MS11-002 in the next 30 days.
The other update, dubbed MS11-001, is less important, said Sarwate and Storms, because it applies only to Windows Vista.
The Backup Manager bug is one of several so-called "DLL load hijacking" or "binary planting" vulnerabilities in Windows.
Today's fix for Vista was the seventh update Microsoft's released to repair flaws that researchers disclosed last August. Microsoft shipped five DLL load hijacking updates last month, and one in November.
In December, Microsoft said that the month's five updates were the last DLL load hijacking bugs it knew about. "This fixes all of the [Windows] components that we're aware of," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview Dec. 14. He left the door open to more, however. "We're not closing that [DLL load hijacking] advisory just yet, and will continue to investigate."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts