Microsoft's January Patch Tuesday: 3 fixes but 5 holes unpatched
On its first Patch Tuesday of 2011, Microsoft fixes three vulnerabilities within two security updates but leaves at least five confirmed security problems unpatched.
According to bulletin MS11-002, the MDAC database module has been given two updates. One of the vulnerabilities is rated critical and can be exploited to infect systems with malware without requiring any user interaction. Microsoft's security experts consider the danger of attackers successfully exploiting this vulnerability to be very high (Exploitability Index of 1). Peter Vreugdenhil apparently already exploited this hole, which affects all versions of Windows, to crack Internet Explorer 8 on Windows 7 despite ASLR and DEP at the Pwn2Own contest in March 2010. The second MDAC hole is contained in the API and can only be exploited in combination with third-party applications. However, Microsoft hasn't disclosed which applications could be involved.
The update described in bulletin MS11-001 exclusively affects Windows Vista users and is only rated "important". Apparently, the Windows Backup Manager prefers to load libraries from the directory which holds the .wbcat file that was used to launch it. As this directory could be located on a network, a click on a suitable link could cause a system to become infected.
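A defender-side triage check for the condition described above, as an added example that is not from the article or from Microsoft: it walks a directory tree and reports every folder in which a .wbcat file sits next to a library file, the layout this update is meant to defuse. Treating only `.dll` as a library, the function names and the sample tree are assumptions made for the illustration; a hit is a reason to look closer, not proof of tampering.

```python
import os
import tempfile

LIBRARY_EXTS = {".dll"}   # assumption: only DLLs are treated as loadable libraries
TRIGGER_EXT = ".wbcat"    # file type named in the article


def find_colocated_libraries(root):
    """Return {directory: (wbcat_files, library_files)} for every directory
    under root that holds at least one .wbcat file AND at least one library."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        catalogs = sorted(f for f in filenames if f.lower().endswith(TRIGGER_EXT))
        libs = sorted(f for f in filenames
                      if os.path.splitext(f)[1].lower() in LIBRARY_EXTS)
        if catalogs and libs:
            findings[dirpath] = (catalogs, libs)
    return findings


def build_sample_tree(root):
    """Constructed sample data: three folders standing in for a file share."""
    layout = {
        "backups/clean": ["weekly.wbcat"],                      # catalog only
        "backups/suspect": ["Monthly.WBCAT", "helper.DLL", "readme.txt"],
        "tools": ["plugin.dll"],                                # library only
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "wb").close()


def demo():
    """Scan the constructed tree and return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = find_colocated_libraries(root)
        return {os.path.relpath(d, root).replace(os.sep, "/"): v
                for d, v in result.items()}


if __name__ == "__main__":
    for directory, (catalogs, libs) in demo().items():
        print(f"{directory}: {catalogs} next to {libs}")
```

Point `find_colocated_libraries` at a mounted share or a user's download folder to run the same check on real data.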
An overview of the January patches is available in Microsoft's summary. Users should install the MDAC update in particular as soon as possible. However, this isn't enough to make Windows systems fully secure, as five known security holes now listed in a blog posting have not been patched. A particularly critical vulnerability is the CSS hole in Internet Explorer, which has been known since Christmas and is already actively being exploited for targeted attacks on the internet. Protection is available via the Enhanced Mitigation Experience Toolkit (EMET); the article "Damage limitation: Mitigating exploits with Microsoft's EMET" at The H Security describes how to use this toolkit.
Another dangerous security problem is contained in the Windows Graphics Rendering Engine, which chokes on specially crafted thumbnails. Windows 7 and 2008 Server are not affected by this problem.