Patch Tuesday Bottomline – January 2011

Wolfgang Kandek

Last updated on: October 27, 2022

Microsoft January 2011 Patch Tuesday represents a slow start of 2011 as far as number of patches go. But while there are only two bulletins, there are a number of additional open and documented security issues that IT admins should be aware of.

MS11-002 is the more important one of the two bulletins. It is a critically rated vulnerability in the MDAC OS component, affects all versions of the Windows Operating system and can be triggered by browsing to a malicious website. We recommend patching immediately.

MS11-001 provides a patch for a DLL-preloading issue in the Windows Backup Tool. It is rated important and is only applies to Windows Vista. While DLL preloading is an old systemic issue in Windows and many other operating systems, it gained new attention in August of last year, when many vulnerable applications were identified. Secunia maintains a list of Microsoft and 3rd party applications that have been shown vulnerable to the DLL preloading attacks. The list has over 200 vulnerable programs at http://secunia.com/advisories/windows_insecure_library_loading/ and includes the Vista Backup vulnerability that is being fixed today (SA41122). Given the scope of the DLL preloading vulnerabilities we highly recommend implementing the work-around that Microsoft describes in Security Advisory 2269637 and KB2264107, which neutralizes the most common attack vectors on the operating system level.

Microsoft has acknowledged five additional security issues of varying severity. The most important vulnerability known as "css.css" affects all versions of Internet Explorer and is rated critical. The exploit code is public and targeted attacks have been observed. Microsoft has recommended in Security Advisory 2488013 using the Enhanced Mitigation Experience Toolkit (EMET) to protect Internet Explorer against this flaw. EMET is a separate download and installation and requires manual followup configuration steps. We recommend installing EMET if you have technical end-users that can follow the necessary configuration steps.

A more scalable workaround for the problem has been introduced today. Microsoft is using using the Windows Application Compatibility Toolkit in a unique and creative way to apply a hotpatch to the vulnerable component "mshtml.dll" and to prevent the recursive loading of CSS stylesheets which is the root cause of the vulnerability. The workaround is delivered as MSI file, which makes it easily installable with automated tools. To our knowledge this is the first time that Microsoft has used this Toolkit for security enhancements and we believe it is an interesting new way to deliver temporary security fixes to Windows users. More information on the hotpatch mechanism can be found at Microsoft’s SRD blog

Let us know what you think of this new mechanism and if you will deploy his workaround. E-mail us at wkandek@qualys.com

Share your Comments

Comments

Your email address will not be published. Required fields are marked *