Microsoft January Patch Tuesday misses open security issues

Microsoft's January 2011 Patch Tuesday security update contains only two bulletins, but misses several open security issues.

Of the two bulletins, MS11-002 is the more important one that should be patched immediately, according to Wolfgang Kandek, chief technology officer of security firm Qualys.

"It is a critically rated vulnerability in the MDAC OS component, affects all versions of the Windows operating system and can be triggered by browsing to a malicious website," he said.

The other bulletin, MS11-001 provides a patch for a DLL-preloading issue in the Windows Backup Tool, but is rated important and applies only to Windows Vista.

"While DLL preloading is an old systemic issue in Windows and many other operating systems, it gained new attention in August of last year, when many vulnerable applications were identified," said Kandek.

Given the scope of the DLL preloading vulnerabilities, he recommends implementing the work-around that Microsoft describes in KB2264107, which neutralises the most common attack vectors on the operating system level.

IT administrators should also be aware of the five additional security issues that Microsoft has acknowledged, said Kandek.

The most important vulnerability known as "css.css" affects all versions of Internet Explorer and is rated critical. The exploit code is public and targeted attacks have been observed.

Microsoft has recommended in Security Advisory 2488013 using the Enhanced Mitigation Experience Toolkit (EMET) to protect Internet Explorer against this flaw.

EMET is a separate download and installation and requires manual follow-up configuration steps, but Kandek recommends installing EMET if organisations have technical end-users who can follow the necessary configuration steps.

Microsoft has also introduced a workaround using the Windows Application Compatibility Toolkit to apply a hotpatch to the vulnerable component "mshtml.dll" and to prevent the recursive loading of CSS stylesheets which is the root cause of the vulnerability.

Andrew Storms, director of security operations at security firm nCircle, said the hotpatch effectively offers an additional check on the known security bug and prevents the vulnerability from occurring.

"Enterprises are likely to find this tactic enticing because it's easy to deploy and is a relatively low risk," he said.

According to Storms, the mitigation tactic is a new offering from Microsoft.

"They provided a similar kind of fix for Office XP, but this is the first time we have seen this approach to combat an un-patched, active zero-day bug," he said.