Microsoft Takes Four Months to Patch Critical Exploit
The statement that Microsoft is releasing a single Security Bulletin for January 2010 is no longer accurate: an out-of-cycle patch (MS10-002) has been hurriedly released to address a number of issues with Internet Explorer. Because of the criticality of the vulnerabilities, the fact that some have been used in active attacks (most notably the Google compromise), and the free availability of exploit code, it is critical that the bulletin is applied as soon as possible.
As part of the patching process, weaknesses in the mshtml.dll library are fixed, protecting other software that relies upon it for processing and displaying content. Just because a concerned user stopped using Internet Explorer doesn't mean that they are safe from these vulnerabilities.
According to Microsoft's own Security Team, the vulnerability being used in active attacks was privately reported in September last year, and Microsoft were planning to release a cumulative Internet Explorer update in February anyway.
The cumulative patch, MS10-002, has now been released and it addresses eight separate vulnerabilities that range from Information Disclosure to Remote Code Execution. Not all eight vulnerabilities are equally applicable to each supported version of Internet Explorer, but the presence of at least one Remote Code Execution vulnerability for each version means that the rating of Critical is applicable for all the versions.
For all of Microsoft's significant advancements in handling and managing security, planning on taking five months to release a security bulletin for such a Critical vulnerability seems risky, especially in light of the fact that three months after the vulnerability was initially reported (but still two months prior to patch release) the vulnerability was being targeted via exploits, with at least one highly visible successful attack as a result.
Further complicating matters is the release of information that suggests the Data Execution Protection (DEP) system used in Windows can be bypassed. Microsoft's investigation identifies that Windows XP is vulnerable to the current DEP avoidance method, but later Windows versions, which utilise Address Space Layout Randomisation (ASLR), have more effective protection against exploitation.
Microsoft continues to attract public attention on security issues, with details of a privilege elevation vulnerability that affects all 32-bit versions of Windows being made public. To successfully attack this vulnerability, the attacker needs to have valid login credentials to the target system. With this level of access, the attacker can exploit a weakness in the NT Virtual DOS Machine and gain higher levels of privilege across the system, leading to complete control over the target system. Despite only being made public now, the vulnerability has been around for at least 17 years.
22 January 2010