Patch Tuesday for January - what you need to know

Filed Under: Malware, Microsoft, Vulnerability

In the first Patch Tuesday of 2011, Microsoft published just two security bulletins, unsurprisingly named MS11-001 and MS11-002, fixing three vulnerabilities with two patches.

All Microsoft security patches are assessed and categorised by SophosLabs - you can learn about our system, and follow the assessments, on our vulnerabilities page.

For this article, however, a brief summary of the patches will suffice:

* MS11-001 fixes the vulnerability classified as CVE-2010-3145.

This is an insecure library loading vulnerability, whereby an attacker may be able to trick an application into loading DLLs from a remote (WebDAV) network share instead of from a local filesystem. Microsoft describes this as a bug in the Windows Backup Manager; an oldish published exploit describes it as a bug in the Microsoft Vista BitLocker Drive Encryption API - an irony whichever way you look at it, since backup and encryption are supposed to contribute to security, not to introduce holes which allow it to be bypassed.

Patch the vulnerability and you won't need to worry which parts of the system are at risk.
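The class of bug described above is worth being able to spot in telemetry, not just to patch. The following is an added example, not code from the article or from Sophos: a small Python triage routine that takes image-load records (process name, loaded DLL path) and flags DLLs pulled from UNC shares, from the WebDAV redirector (paths of the form \\host@port\DavWWWRoot\...), or from local directories outside a trusted list. The trusted-directory policy and every record in SAMPLE_LOADS are constructed for the example.

```python
import ntpath

# Directories treated as trusted DLL sources (constructed policy for this example)
TRUSTED_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Program Files"]

# Constructed image-load records (process, loaded DLL path); not real telemetry.
# 203.0.113.5 is a documentation address, "helper.dll" a placeholder name.
SAMPLE_LOADS = [
    ("backupapp.exe", r"C:\Windows\System32\helper.dll"),
    ("backupapp.exe", r"\\203.0.113.5\public\helper.dll"),
    ("backupapp.exe", r"\\203.0.113.5@80\DavWWWRoot\docs\helper.dll"),
    ("editor.exe", r"C:\Users\alice\Downloads\helper.dll"),
    ("editor.exe", r"C:\Program Files\Editor\editor.dll"),
]


def is_remote_path(path):
    # Both plain UNC paths (\\host\share) and WebDAV-redirector paths
    # (\\host@port\DavWWWRoot\...) begin with two backslashes.
    return path.startswith("\\\\")


def is_webdav_path(path):
    # The WebDAV redirector encodes the port after '@' in the host component,
    # and the share name is conventionally DavWWWRoot.
    if not is_remote_path(path):
        return False
    host = path.lstrip("\\").split("\\", 1)[0]
    return "@" in host or "davwwwroot" in path.lower()


def in_trusted_dir(path):
    # Case-insensitive prefix match against the trusted directory list.
    p = ntpath.normcase(path)
    return any(p.startswith(ntpath.normcase(d) + "\\") for d in TRUSTED_DIRS)


def classify_load(path):
    """Return a verdict string for one loaded-DLL path."""
    if is_remote_path(path):
        return "remote-webdav" if is_webdav_path(path) else "remote-unc"
    if not in_trusted_dir(path):
        return "untrusted-local"
    return "ok"


def triage(records):
    """Return (process, path, verdict) for every load not from a trusted local directory."""
    findings = []
    for proc, path in records:
        verdict = classify_load(path)
        if verdict != "ok":
            findings.append((proc, path, verdict))
    return findings


if __name__ == "__main__":
    for proc, path, verdict in triage(SAMPLE_LOADS):
        print(f"{verdict:16} {proc:14} {path}")
```

A remote-path verdict is the strongest signal here: a legitimate application almost never has a reason to load a library from a WebDAV share, so that alone is worth an alert, whereas an untrusted-local load needs context (installers and per-user software do this routinely).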

* MS11-002 fixes two vulnerabilities: CVE-2011-0026 and CVE-2011-0027.

These are remote code execution flaws in various parts of MDAC (the Microsoft Data Access Components); the patch is considered critical, although the vulnerabilities were apparently discovered by Microsoft itself and have not been exploited in the wild yet.

January's Patch Tuesday, however, does not fix the two recent, well-publicised vulnerabilities classified as CVE-2010-3970 and CVE-2010-3971.

The first of these is colloquially known as the thumbnail or the Graphics Rendering Engine vulnerability. This bug is caused by a remotely exploitable flaw in the way that Windows processes thumbnail images in Microsoft Office files. A thumbnail is a low-resolution bitmap used as a simple file preview for display by a file browser.

This vulnerability was first presented as a sort-of "hacker case study" at a recent hacking convention in Korea. A working exploit was recently added to the freely-available Metasploit Framework.

Microsoft has published a workaround, which is worth considering while you wait for a patch.

Sophos customers are protected by the malware detection identity Mal/CVE3970-A. This detects and blocks files which contain the sort of malformed thumbnail image which is needed to trigger this vulnerability. This provides generic protection against exploitation.

The second unpatched hole is commonly known as the recursive CSS or nested CSS vulnerability. Like the thumbnail flaw, this one is publicly known, having been announced on a full disclosure list. Cascading Style Sheet (CSS) files are served up alongside HTML files to specify the look and feel of a web site.

The recursive CSS vulnerability is problematic because it can be exploited to allow remotely-delivered code to escape from the latest version of Internet Explorer, even when DEP and ASLR are turned on. The exploit involves forcing Windows to load a DLL module which does not itself opt in to those protections. (DEP and ASLR are explained here.)

Microsoft has published a workaround, using its free Enhanced Mitigation Experience Toolkit (EMET). With this tool, you can force ASLR protection for every DLL loaded by a specific application, such as Internet Explorer, whether the DLL asks for that protection or not.

The EMET, therefore, provides a degree of protection against this and other as-yet-unknown vulnerabilities. Randomising the loading of programs into memory makes it much harder for attackers to guess where to find the system code they need to pull off an exploit.
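Whether a DLL "asks for" DEP and ASLR is recorded in its PE optional header: the DllCharacteristics field carries the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, DEP) flags. The following is an added example, not code from the article or from Microsoft's EMET: a Python reader that pulls those two flags out of a PE32 or PE32+ image, so an administrator can inventory which libraries a process loads without opting in, which is exactly the set EMET's forced-ASLR setting is there to cover. The build_test_image helper fabricates a minimal, non-loadable header purely so the parser can be exercised offline; to check a real file, pass the bytes of an on-disk DLL to opt_in_status.

```python
import struct

# Flag values from the PE specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts in to DEP
DLLCHARACTERISTICS_OFFSET = 70  # offset within the optional header, PE32 and PE32+ alike


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (chars,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return chars


def opt_in_status(image: bytes) -> dict:
    """Report whether the module opts in to ASLR and DEP."""
    chars = dll_characteristics(image)
    return {
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def missing_protections(image: bytes) -> list:
    """Names of the protections this module does not opt in to (empty list if fully opted in)."""
    status = opt_in_status(image)
    return [name for name in ("aslr", "dep") if not status[name]]


def build_test_image(dll_chars: int, pe32plus: bool = False) -> bytes:
    # Constructed minimal header: DOS stub, PE signature, COFF header and an
    # optional header with only Magic and DllCharacteristics filled in.
    # It is enough for the parser above, not a loadable module.
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows the DOS header
    size_opt = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "legacy.dll (no opt-in)": build_test_image(0),
        "modern.dll (ASLR+DEP)": build_test_image(0x0140),
        "dep-only64.dll": build_test_image(0x0100, pe32plus=True),
    }
    for name, img in samples.items():
        print(f"{name:24} missing: {missing_protections(img) or 'none'}")
```

Run over the modules actually mapped into a browser process, the list of DLLs with a non-empty missing_protections result is the set an attacker would look to for non-randomised code, and therefore the set that mandatory ASLR in EMET neutralises.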

So, even though Patch Tuesday is small this month, Windows administrators still have plenty of security issues to worry about.

Here's my advice:

* Look into the suggested mitigations for the not-yet-patched security holes.

* Assume that there will be out-of-band patches some time this month. If Microsoft can produce and test fixes for the thumbnail and recursive CSS holes before February, I doubt they will (and I hope they won't!) wait until next month to make them available.

Good luck!



2 Responses to Patch Tuesday for January - what you need to know

  1. Thu Win · 1388 days ago

    Does this update fix the uac bug you mentioned last year

    • Paul Ducklin · 1388 days ago

      No. In fact, if memory serves, Microsoft hasn't even done an advisory about it yet, which seems a pity.

      FWIW, my assumption is that the UAC-based privilege escalation vulnerability you mention will, when fixed, be considered "important" rather than "critical" since it doesn't allow remote code execution straight off a web page.

      So I didn't add it to the list of critical issues not patched this time - though perhaps I ought to have :-)

      If you would like a mitigation for the "UAC vuln", my colleague Chester has advice here:
      http://nakedsecurity.sophos.com/2010/11/25/new-wi...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog