Patch Tuesday: Microsoft plugs 'drive-by download' security holes

Microsoft released two bulletins today with patches for three security holes affecting all versions of the Windows operating system.

The most serious of the vulnerabilities could be exploited in drive-by downloads via maliciously rigged web sites, according to a warning from the software vendor.

The drive-by download flaws, covered in MS11-002, were reported to Microsoft via TippingPoint Zero Day Initiative, a program that purchases vulnerability data from private researchers.

The bulletin documents at least two separate vulnerabilities in MDAC (Microsoft Data Access Components) and warned that there are security problems in the way MDAC validated third-party API usage and memory allocation.

Microsoft rates this a "critical" issue for all supported editions of Windows XP, Windows Vista, and Windows 7.   On Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, the severity is downgraded to "important."

The second bulletin (MS11-001) covers a publicly disclosed vulnerability in Windows Backup Manager. The vulnerability could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file, Microsoft said.

For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the specially crafted library file.

The vulnerability is rated "important" and only applies to Windows Vista.

Qualys CTO Wolfgang Kandek provides more details on this issue:

MS11-001 provides a patch for a DLL-preloading issue in the Windows Backup Tool. It is rated important and is only applies to Windows Vista. While DLL preloading is an old systemic issue in Windows and many other operating systems, it gained new attention in August of last year, when many vulnerable applications were identified. Secunia maintains a list of Microsoft and 3rd party applications that have been shown vulnerable to the DLL preloading attacks. The list has over 200 vulnerable programs at and includes the Vista Backup vulnerability that is being fixed today (SA41122). Given the scope of the DLL preloading vulnerabilities we highly recommend implementing the work-around that Microsoft describes in Security Advisory 2269637 and KB2264107, which neutralizes the most common attack vectors on the operating system level.

Despite this month's relatively light Patch Tuesday, it's important for Windows users to note that there are at least five publicly documented issues that were NOT addressed this month.  These include security problems in Internet Explorer and Windows graphics rendering.  More to come...