News

January Windows Security Patch Lacks IE Fix

• By Jabulani Leffall
• 01/11/2011

As expected, Microsoft today released two security bulletins in its January security update.

One of the bulletins is deemed "critical," while the other is considered "important." Both are designed to address remote code execution exploit risks in Windows.

Critical and Important Fixes
The critical item affects all supported Windows operating systems and touches Microsoft Data Access Components, which are the link between the operating system and various databases operating in a Windows environment.

"The critical Microsoft Data Access Components vulnerability is one of two MDAC issues fixed this month," said Joshua Talbot, security intelligence manager at Symantec Security Response. "These components are a collection of technologies that enable applications -- both from Microsoft and third-party developers -- to access and manipulate databases."

Meanwhile, Microsoft said that the second and final item in the patch "resolves one reported issue rated important and affecting Windows Vista." This fix addresses a vulnerability in Windows Backup Manager.

The Backup Manager vulnerability is a fairly tough technical nut to crack, according to security experts. A hacker would have to open up Windows Backup and be able to access the target servers using Server Message Block (SMB) or Web-based Distributed Authoring and Versioning (WebDAV).

What About IE?
Obviously missing from this January slate is an update for the Internet Explorer flaw. It was exposed as a proof-of-concept exploit late last year and early this year. Microsoft hasn't ruled out producing an out-of-band fix, but the security team may wait till next month on delivery.

The software giant released this table identifying some of the current security issues being considered by the team, along with possible mitigations to implement while awaiting a fix. Microsoft also updated its security advisory on Internet Explorer, adding a new "Fix it" workaround solution associated with preventing "the recursive loading of CSS style sheets in Internet Explorer."

"The most interesting thing this month is the [Internet Explorer] mitigation tactic that Microsoft is calling a 'shim'," said Andrew Storms, director of security operations at nCircle. "The shim uses the application compatibility framework in Windows to rewrite in-memory function calls of MSHTML.DLL."

Storms said this tactic offers an additional check on the known security bug and prevents the vulnerability from occurring. Storms called the tactic "easy to deploy and is a relatively low risk."

As for the fixes Microsoft released in this month's patch, both may require restarts.

Microsoft provides this Knowledge Base article for nonsecurity updates rolled out through Windows Server Update Services, Windows Update and Microsoft Update.