Microsoft patches critical Windows drive-by bug

Also repairs 'DLL load hijacking' flaw in Vista, but leaves several vulnerabilities unfixed

Microsoft today patched three vulnerabilities in Windows, one of which could be exploited by attackers who dupe users into visiting a malicious Web site.

The company also debuted a new defensive measure to help users ward off ongoing attacks that are exploiting a known bug in Internet Explorer (IE).

The light load -- just two security updates, or "bulletins" as Microsoft calls them -- was announced last week, making for an easier beginning to the new year than the end of 2010, when in December the company shipped a record 17 updates that patched a near-record 40 bugs.

One of today's updates was classified as "critical" by Microsoft, the firm's top threat ranking, while the other was marked as "important," the second-most dangerous rating.

MS11-002 was the update that security researchers and Microsoft recommended users apply first. The update patched two vulnerabilities, one critical, the other important.

"Attackers can exploit the critical vulnerability in MS11-002 by getting users to browse to a malicious Web site," said Amol Sarwate, manager of Qualys' vulnerabilities research labs. The tactic, usually called a "drive-by" attack, relies on enticing users to click a link that's offered in a baited e-mail.

"It's exploitable through a drive-by," confirmed Sarwate.

The bug is in the Microsoft Data Access Components (MDAC), a set of components that lets Windows access databases such as Microsoft's own SQL Server. The flaw is in the MDAC ActiveX control that allows users to access databases from within IE.

Only users running IE are at risk from attacks exploiting the critical bug Microsoft disclosed in MS11-002, said both Sarwate and Andrew Storms, the director of security operations at nCircle Security.

Microsoft also urged customers to apply MS11-002 first, noting that all client versions of Windows, including XP Service Pack 3 (SP3), Vista and Windows 7 were vulnerable. The server editions of the operating system are vulnerable as well, but for them Microsoft rated the threat as important, not critical.

Hackers will probably come up with reliable attack code to exploit the bugs patched by MS11-002 in the next 30 days.

The other update, dubbed MS11-001, is less important, said Sarwate and Storms, because it applies only to Windows Vista.

The MS11-001 flaw, in Windows Backup Manager, is one of several so-called "DLL load hijacking" or "binary planting" vulnerabilities in Windows.

Today's fix for Vista was the seventh update Microsoft has released to repair flaws that researchers disclosed last August. Microsoft shipped five DLL load hijacking updates last month, and one in November.

In December, Microsoft said that the month's five updates were the last DLL load hijacking bugs it knew about. "This fixes all of the [Windows] components that we're aware of," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an interview Dec. 14. He left the door open to more, however. "We're not closing that [DLL load hijacking] advisory just yet, and will continue to investigate."

Last month, researchers were skeptical that users were seeing the end of Microsoft's DLL load hijacking problems.

Today, Wolfgang Kandek, chief technology officer of Qualys, a California-based security risk and compliance management provider, said to figure on more from Microsoft. "We can expect a pretty constant stream, I think," said Kandek.

Also on Tuesday, Microsoft offered users an application "shim" that blocks in-the-wild attacks against IE that exploit a bug first disclosed last month.

Microsoft left several bugs unpatched today. In the last several weeks, the company has acknowledged a critical flaw in IE and serious vulnerabilities in Windows XP, Vista, Server 2003 and Server 2008, and confirmed reports that Chinese hackers were scouring the Web for information on another IE flaw.

The latter vulnerability was submitted to Microsoft last summer by Google security engineer Michal Zalewski. Microsoft and Zalewski have traded barbs over the timeline of his bug report, and subsequent release of a "fuzzer" tool that found the flaw.

Today's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
