Patch Tuesday for January – what you need to know

In the first Patch Tuesday of 2011, Microsoft published just two security bulletins, unsurprisingly named MS11-001 and MS11-002, fixing three vulnerabilities with two patches.

All Microsoft security patches are assessed and categorised by SophosLabs – you can learn about our system, and follow the assessments, on our vulnerabilities page.

For this article, however, a brief summary of the patches will suffice:

* MS11-001 fixes the vulnerability classified as CVE-2010-3145.

This is an insecure library loading vulnerability, whereby an attacker may be able to trick an application into loading DLLs from a remote (WebDAV) network share instead of from a local filesystem. Microsoft describes this as a bug in the Windows Backup Manager; an oldish published exploit describes it as a bug in the Microsoft Vista BitLocker Drive Encryption API – an irony whichever way you look at it, since backup and encryption are supposed to contribute to security, not to introduce holes which allow it to be bypassed.

Patch the vulnerability and you won’t need to worry which parts of the system are at risk.

* MS11-002 fixes two vulnerabilities: CVE-2011-0026 and CVE-2011-0027.

These are remote code execution flaws in various parts of MDAC (the Microsoft Data Access Components); the patch is considered critical, although the vulnerabilities were apparently discovered by Microsoft itself and have not been exploited in the wild yet.

January’s Patch Tuesday, however, does not fix the two recent, well-publicised vulnerabilities classified as CVE-2010-3970 and CVE-2010-3971.

The first of these is colloquially known as the thumbnail or the Graphics Rendering Engine vulnerability. This bug is caused by a remotely exploitable flaw in the way that Windows processes thumbnail images in Microsoft Office files. A thumbnail is a low-resolution bitmap used as a simple file preview for display by a file browser.

This vulnerability was first presented as a sort-of “hacker case study” at a recent hacking convention in Korea. A working exploit was recently added to the freely-available Metasploit Framework.

Microsoft has published a workaround, which is worth considering while you wait for a patch.

Sophos customers are protected by the malware detection identity Mal/CVE3970-A. This detects and blocks files which contain the sort of malformed thumbnail image which is needed to trigger this vulnerability. This provides generic protection against exploitation.

The second unpatched hole is commonly known as the recursive CSS or nested CSS vulnerability. Like the thumbnail flaw, this one is publicly known, having been announced on a full disclosure list. Cascading Style Sheet (CSS) files are served up alongside HTML files to specify the look and feel of a web site.

The recursive CSS vulnerability is problematic because it can be exploited to allow remotely-delivered code to escape from the latest version of Internet Explorer, even when DEP and ASLR are turned on. The exploit involves forcing Windows to load a DLL module which does not itself opt in to those protections. (DEP and ASLR are explained here.)

Microsoft has published a workaround, using its free Enhanced Mitigation Experience Toolkit (EMET). With this tool, you can force ASLR protection for every DLL loaded by a specific application, such as Internet Explorer, whether the DLL asks for that protection or not.

The EMET, therefore, provides a degree of protection against this and other as-yet-unknown vulnerabilities. Randomising the loading of programs into memory makes it much harder for attackers to guess where to find the system code they need to pull off an exploit.
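Whether a module “asks for” DEP and ASLR is recorded in the DllCharacteristics field of its PE optional header (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP). The following Python parser is an added example, not code from the original article or from Microsoft; it reads that field so an administrator can list which modules loaded by an application would rely on EMET’s mandatory protection. The PE headers it is tested against are constructed inline and are not real DLLs.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: module opts in to ASLR
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: module opts in to DEP


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)        # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                                   # skip signature + COFF header
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both formats
    dllchar, = struct.unpack_from("<H", image, opt + 70)
    return dllchar


def mitigation_status(image: bytes) -> dict:
    """Report whether the module opts in to ASLR and DEP on its own."""
    flags = dll_characteristics(image)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def needs_mandatory_aslr(modules: dict) -> list:
    """Names of modules (name -> image bytes) that do not opt in to ASLR."""
    return sorted(n for n, img in modules.items() if not mitigation_status(img)["aslr"])


def build_pe(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (hypothetical, not a real DLL) for testing."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       240 if pe32plus else 224, 0x2102)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(70, b"\0")
    return dos + b"PE\0\0" + coff + opt + struct.pack("<H", dllchar)


if __name__ == "__main__":
    # On a real system replace these with open(path, "rb").read() for each loaded DLL
    sample = {"hardened.dll": build_pe(DYNAMIC_BASE | NX_COMPAT),
              "legacy.dll": build_pe(0), "dep_only64.dll": build_pe(NX_COMPAT, True)}
    for name in needs_mandatory_aslr(sample):
        print(name, "does not opt in to ASLR:", mitigation_status(sample[name]))
```

Run it over the modules listed for a process (for example from Process Explorer) to see which ones EMET would have to force into randomised loading.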

So, even though Patch Tuesday is small this month, Windows administrators still have plenty of security issues to worry about.

Here’s my advice:

* Look into the suggested mitigations for the not-yet-patched security holes.

* Assume that there will be out-of-band patches some time this month. If Microsoft can produce and test fixes for the thumbnail and recursive CSS holes before February, I doubt they will (and I hope they won’t!) wait until next month to make them available.

Good luck!