• United States



Happy Patch Tuesday

Jan 11, 20112 mins
Data and Information Security

Microsoft issues two security bulletins to address three vulnerabilities — one of which is critical.

The folks at Symantec sent me this analysis:

“The critical Microsoft Data Access Components vulnerability is one of two MDAC issues fixed this month,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “These components are a collection of technologies that enable applications – both from Microsoft and third-party developers – to access and manipulate databases.”

“The patch for the critical vulnerability corrects a problem in the way MDAC validates memory allocation,” Talbot added. “The other patch fixes an issue – marked as important – in the way MDAC validates third-party usage of a Microsoft API. Both vulnerabilities can be exploited by drive-by download, meaning simply viewing a legitimate site that has been compromised by an attacker can lead to a user’s machine being exploited.”

“The vulnerability in the Backup Manager DLL that was also patched has exploit code publicly available, but we haven’t seen any attacks attempt to use it in the wild,” Talbot concluded. “Because an exploit would require a user to take some fairly uncommon steps – such as opening up a Windows backup or ‘.wbcat’ file from an SMB or WebDAV server – it’s less appealing as an attack vector than other vulnerabilities out there that require much less of the user.”

Meanwhile, McAfee sent me this:

some flaws will not be patched, as Windows Graphics Rendering Engine and IE zero-day vulnerability patches are not included in today’s Patch Tuesday.

“These vulnerabilities can still be exploited,” said Dave Marcus, director of security research and communications at McAfee Labs. “It underscores how users and enterprises cannot and should not rely on patching to solve security issues.”

Click here for the official Microsoft Security Bulletin Summary for January 2011

–Bill Brenner