Microsoft issues two security bulletins to address three vulnerabilities — one of which is critical.

The folks at Symantec sent me this analysis:

“The critical Microsoft Data Access Components vulnerability is one of two MDAC issues fixed this month,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “These components are a collection of technologies that enable applications – both from Microsoft and third-party developers – to access and manipulate databases.”

“The patch for the critical vulnerability corrects a problem in the way MDAC validates memory allocation,” Talbot added. “The other patch fixes an issue – marked as important – in the way MDAC validates third-party usage of a Microsoft API. Both vulnerabilities can be exploited by drive-by download, meaning simply viewing a legitimate site that has been compromised by an attacker can lead to a user’s machine being exploited.”

“The vulnerability in the Backup Manager DLL that was also patched has exploit code publicly available, but we haven’t seen any attacks attempt to use it in the wild,” Talbot concluded. “Because an exploit would require a user to take some fairly uncommon steps – such as opening up a Windows backup or ‘.wbcat’ file from an SMB or WebDAV server – it’s less appealing as an attack vector than other vulnerabilities out there that require much less of the user.”

Meanwhile, McAfee sent me this: some flaws will not be patched, as Windows Graphics Rendering Engine and IE zero-day vulnerability patches are not included in today’s Patch Tuesday.

“These vulnerabilities can still be exploited,” said Dave Marcus, director of security research and communications at McAfee Labs.
“It underscores how users and enterprises cannot and should not rely on patching to solve security issues.”

Click here for the official Microsoft Security Bulletin Summary for January 2011

–Bill Brenner