Microsoft yesterday patched three vulnerabilities in Windows, including one that could be exploited by attackers who fool users into visiting a malicious website. The company also provided a new defensive measure to help users ward off ongoing attacks that are exploiting a known bug in Internet Explorer (IE).
The light load – just two security updates, or “bulletins” as Microsoft calls them – was announced last week, making for an easier beginning to the new year than the end of 2010, when in December the company shipped a record 17 updates that patched a near-record 40 bugs.
One of the updates was classified as ‘critical’ by Microsoft, the firm’s top threat ranking, while the other was marked as ‘important’, the second-most dangerous rating.
MS11-002 was the update that security researchers and Microsoft recommended users apply first. The update patched two vulnerabilities, one critical, the other important. “Attackers can exploit the critical vulnerability in MS11-002 by getting users to browse to a malicious website,” said Amol Sarwate, manager of Qualys’ vulnerabilities research labs. The tactic, usually called a “drive-by” attack, relies on enticing users to click a link that’s offered in a baited email. The bug is in the Microsoft Data Access Components (MDAC), a set of components that lets Windows access databases such as Microsoft’s own SQL Server. The flaw is in the MDAC ActiveX control that allows users to access databases from within IE.
Only users running IE are at risk from attacks exploiting the critical bug Microsoft disclosed in MS11-002, said Sarwate.
Microsoft also urged customers to apply MS11-002 first, noting that all client versions of Windows, including XP Service Pack 3 (SP3), Vista and Windows 7, were vulnerable. The server editions of the operating system are vulnerable as well, but for them Microsoft rated the threat as important, not critical.
The other update, dubbed MS11-001, is less important because it applies only to Windows Vista. The bug it fixes, in Vista’s Backup Manager, is one of several so-called “DLL load hijacking” or “binary planting” vulnerabilities in Windows.
In December, Microsoft said that the month’s five updates were the last DLL load hijacking bugs it knew about. “This fixes all of the [Windows] components that we’re aware of,” said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview on December 14. He left the door open to more, however. “We’re not closing that [DLL load hijacking] advisory just yet, and will continue to investigate,” Bryant said.
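For administrators who want to confirm that the system-wide DLL search-order hardening Microsoft offered alongside its DLL preloading advisory is in place, the following PowerShell check is an added example and is not part of the article or of any Microsoft tooling. It reads two Session Manager registry values whose names (SafeDllSearchMode and CWDIllegalInDllSearch) come from Microsoft’s own documentation rather than from this article; the interpretation of their values below is an assumption to verify against that documentation for your Windows version.

```powershell
# Added example (not from the article): report whether the machine-wide DLL
# search-order mitigations are configured. Value names and meanings are taken
# from Microsoft's documentation, not from the article; treat as assumptions.
function Get-DllSearchMitigationStatus {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # SafeDllSearchMode: 1 (or absent) means the current directory is searched
    # after system directories rather than before them.
    $safe = $props.SafeDllSearchMode
    $safeState = if ($null -eq $safe -or $safe -eq 1) { 'enabled (default)' } else { 'DISABLED' }

    # CWDIllegalInDllSearch (assumed meanings): absent = no restriction,
    # 1 = block DLL loads from a WebDAV current directory,
    # 2 = block loads from any remote current directory (WebDAV or UNC),
    # 0xFFFFFFFF = remove the current directory from the search path entirely.
    $cwd = $props.CWDIllegalInDllSearch
    $cwdState = switch ($cwd) {
        $null        { 'not set (current directory still searched)' }
        1            { 'blocks loads from WebDAV current directory' }
        2            { 'blocks loads from remote current directory' }
        4294967295   { 'current directory removed from search path' }
        default      { "unrecognised value $cwd" }
    }

    [pscustomobject]@{
        SafeDllSearchMode      = $safeState
        CWDIllegalInDllSearch  = $cwdState
        Hardened               = ($safeState -like 'enabled*') -and ($null -ne $cwd)
    }
}

Get-DllSearchMitigationStatus | Format-List
```

Run this from an elevated PowerShell prompt; a result with Hardened = False means the system is relying on per-application fixes such as MS11-001 alone, with no machine-wide restriction on loading DLLs from the current working directory.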
Also on Tuesday, Microsoft offered users an application “shim” that blocks in-the-wild attacks against IE that exploit a bug first disclosed last month.
Microsoft left several bugs unpatched today. In the last few weeks, the company has acknowledged a critical flaw in IE and serious vulnerabilities in Windows XP, Vista, Server 2003 and Server 2008, and confirmed reports that Chinese hackers were scouring the web for information on another IE flaw. The latter vulnerability was submitted to Microsoft last summer by Google security engineer Michal Zalewski. Microsoft and Zalewski have traded barbs over the timeline of his bug report, and subsequent release of a “fuzzer” tool that found the flaw.
Today’s security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.