Microsoft Patch Tuesday – January 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a quiet month: the vendor is releasing two bulletins covering a total of three vulnerabilities. One of the issues is rated ‘Critical’ and affects Microsoft Data Access Components (MDAC). The remaining two issues are rated ‘Important’; one affects MDAC and the other is a previously public issue in Windows Backup Manager.

Attackers can exploit all of these issues to execute arbitrary code. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the January releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

CVE-2011-0026 (BID 45695) Microsoft Data Access Components Data Source Name Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates third-party API usage. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

CVE-2011-0027 (BID 45698) Microsoft Data Access Components ActiveX Data Objects Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Microsoft Data Access Components due to how it validates memory allocation when handling internal data structures. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Data Access Components 2.8 SP1, 2.8 SP2, and 6.0

2. MS11-001 Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

CVE-2010-3145 (BID 42763) Microsoft Windows Backup 'fveapi.dll' DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (Aug 26, 2010) remote code-execution vulnerability affects Microsoft Backup Manager due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wbcat’ file from a remote SMB or WebDAV share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Vista SP1, SP2, x64 Edition SP1, and x64 Edition SP2

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.