This month’s patch Tuesday is comprised of three bulletins covering four vulnerabilities. Two bulletins affect Windows while the other affects Office. The Windows vulnerabilities affect all currently supported client OS’s. The only critical vulnerability of this month belongs to Windows Media. A maliciously crafted MS-DVR file can allow for remote code execution.
The affected products are Windows Media, Groove and Remote Desktop. Two vulnerabilities are being fixed in Windows Media. All three products suffer from the now well-known “Insecure Library Loading” vulnerability, of which we’ve seen many over time. Given the affected programs and the way they function, these vulnerabilities aren’t likely candidates for mass exploitation.
This vulnerability has to do with how programs load libraries (DLLs) as they’re being executed. Rather than loading libraries from pre-determined locations affected products first try to find their libraries from the same directory as the file they’re trying to read. By placing a malicious library with a pre-determined name in the same (remote) directory as a file associated with the respective program an attacker is able to execute code.
For these attacks to work successfully the user needs to manually execute a file which is associated with these programs. Such as, but not limited to, a DVR-MS file for Windows Media and RDP file for Remote Desktop. These insecure library loading vulnerabilities are rated important.
Some well known vulnerabilities were absent in this month’s patch Tuesday, a patch for CVE-2011-0096 and a patch for the Windows Browser protocol vulnerability. Even though CVE-2011-0096 is ‘just’ an XSS vulnerability its importance should not be underestimated. While not often used in mass attacks they definitely serve a purpose in targeted attacks. Hopefully Microsoft can patch this vulnerability next month. The Windows Browser protocol vulnerability is extremely tough to exploit successfully, and Microsoft will want to do a very serious amount of QA on patching it. So it’s not very surprising a fix is not included in this month’s release.
As always, we recommend to apply these patches as soon as possible.
Patch Tuesday March 2011