Microsoft issued two security bulletins on Tuesday, repairing two critical flaws that affect all versions of Windows. The software giant also updated a security advisory, issuing a temporary automated workaround that, if deployed, would block attackers from exploiting an Internet Explorer zero-day vulnerability.
Microsoft released only two security bulletins in January, repairing three vulnerabilities in Microsoft Windows and Windows Server. It was a quiet month compared to December, which saw a record-breaking 17 bulletins.
The first security bulletin addressed two critical vulnerabilities in Microsoft Data Access Components, a framework used by application developers to access Windows data stores. The vulnerabilities could be used in drive-by attacks or by tricking a person to visit a malicious Web page. The update is rated critical for Windows XP, Vista, and Windows 7 and important for Windows Server 2003 and Windows Server 2008.
In addition, Microsoft addressed a vulnerability in Windows Backup Manager. The security bulletin is rated important and affects users of Windows Vista. The vulnerability could allow remote code execution, but Microsoft said a user would have to visit a remote file system location or WebDAV share and open a Windows Backup Manager file.
Microsoft also updated a security advisory, addressing a memory bug in the Cascading Style Sheet (CSS) function within Internet Explorer. The memory bug could be used by attackers to remotely execute malicious files, Microsoft said.
The software giant added an automated fix-it temporary patch that prevents the recursive loading of CSS stylesheets. Writing in the Microsoft Security Research and Defense blog, Microsoft engineer Kevin Brown said the workaround is an MSI package that uses the Windows Application Compatibility Toolkit to make a small change to the .DLL controlling CSS loading in Internet Explorer.
Jason Miller, data and security team leader at St. Paul, Minn.-based patch management firm Shavlik Technologies LLC, urged administrators to take a close look at the workarounds available to temporarily address the vulnerability. The temporary fix could cause Internet Explorer to display pages improperly, he said.
"This is a vulnerability that attackers typically like to jump on, so there is some risk with this," Miller said. "Before you deploy it you need to test what it can do to your systems."
Users can also apply Protected Mode in Windows Vista and Windows 7, and Enhanced Security Configuration in Windows Server 2003 and 2008. More advanced customers can use the Enhanced Mitigation Experience Toolkit as a workaround for the exploit.
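For administrators who want to confirm that the two built-in mitigations named above are actually in force on a given machine, the following PowerShell script is an added example and is not part of the article or of any Microsoft tooling. It assumes that Protected Mode is reflected by the per-zone registry value named "2500" under the current user's Internet Settings (0 = enabled, 3 = disabled) and that Enhanced Security Configuration is reflected by the IsInstalled value of the Active Setup components {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} (administrators) and {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} (users). Group Policy overrides under HKLM are not inspected.

```powershell
# Added example: report the state of IE Protected Mode and Enhanced Security
# Configuration on this machine. Not from the article; registry locations are
# assumptions stated in the lead-in.

function Get-IEProtectedModeStatus {
    # Zone 3 = Internet, Zone 4 = Restricted sites; value "2500" holds the
    # Protected Mode setting for the zone (assumption: 0 = on, 3 = off).
    $zones = [ordered]@{ 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($id in $zones.Keys) {
        $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $value = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($null -eq $value)   { $state = 'Not set (zone default applies)' }
        elseif ($value -eq 0)   { $state = 'Enabled' }
        elseif ($value -eq 3)   { $state = 'Disabled' }
        else                    { $state = "Unknown ($value)" }
        [pscustomobject]@{ Zone = $zones[$id]; ProtectedMode = $state }
    }
}

function Get-IEEnhancedSecurityStatus {
    # Active Setup components that carry the ESC state (assumption, see lead-in).
    $components = [ordered]@{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    foreach ($group in $components.Keys) {
        $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($components[$group])"
        $installed = (Get-ItemProperty -Path $key -Name 'IsInstalled' -ErrorAction SilentlyContinue).IsInstalled
        if ($null -eq $installed)   { $state = 'Not present (not a Server SKU?)' }
        elseif ($installed -eq 1)   { $state = 'Enabled' }
        else                        { $state = 'Disabled' }
        [pscustomobject]@{ Group = $group; EnhancedSecurityConfiguration = $state }
    }
}

# Run both checks and print a short table for each.
Get-IEProtectedModeStatus    | Format-Table -AutoSize
Get-IEEnhancedSecurityStatus | Format-Table -AutoSize
```

Protected Mode is a per-user setting, so the first function reports on the account running the script; run it under each interactive user of interest, or read the same value under the corresponding HKEY_USERS hive when auditing other accounts.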
Engineers are still preparing patches for several other publicly known Microsoft zero-day vulnerabilities. A flaw in the Windows Graphics Rendering Engine causes it to improperly parse a BMP thumbnail. The vulnerability affects all versions of Windows except Windows 7 and Windows Server 2008 R2. The security advisory includes a workaround and an automated fix-it to temporarily address the issue.
Other zero-day flaws include an IIS 7.0 and 7.5 FTP service vulnerability, several other memory corruption vulnerabilities in Internet Explorer and an ActiveX control vulnerability in the WMI Administrative Toolkit.