Microsoft issued three security bulletins, addressing two critical vulnerabilities affecting Direct Show and Windows Media Player in its March Patch Tuesday round of patches, but still left users looking for an MHTML fix.
The three security bulletins are all related to an advisory Microsoft released in August of 2010 regarding DLL preloading, which can result in remote code execution, said Jason Miller, data team manager at St. Paul, Minn.-based vulnerability management vendor Shavlik Technologies LLC. Dynamic-link library (DLL) preloading, is a well-known class of vulnerabilities. It enables third party applications to preload shared files in Windows, but an error can enable an attacker to gain access to sensitive data or take control of a victim's computer.
This month saw a lone critical security bulletin. MS11-015, which repairs a serious vulnerability in DirectShow and a hole in Windows Media Player and Windows Media Center. The update is rated "critical" for nearly all supported editions of WIndows and Windows Media Center TV Pack for Windows Vista. The bulletin is rated "important" for Windows Server 2008 R2.
The critical vulnerabilities could enable an attacker to conduct remote code execution by tricking a victim into visiting a webpage with a malicious Microsoft Digital Video Recording (dvr-ms) file. The Windows media player vulnerability enables the attacker to exploit the hole by getting a victim to open a malicious video file through a browser.
"MS11-015 is very important because that vulnerability can be exploited without actually watching the video," said Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc.
Microsoft normally rates such vulnerabilities as "important" but because this particular attack does not require any user intervention (as this type of vulnerability normally does) and because of its "drive-by" nature, the patch was upgraded to a "critical" rating, Kandek noted in a blog post.
Other DLL preloading issues were repaired in MS11-016, which is rated important because it only affects Microsoft Groove and .vcg or .gta files. Groove is a Microsoft SharePoint shared workspace Office suite application. MS11-017 patches a Windows Remote Desktop Protocol vulnerability wherein opening a malicious .rdp file on a network that contains a malicious DLL can result in remote code execution.
MHTML issue remains
Noticeably absent from this month's ration of patches is the almost enigmatic fix for the MHTML vulnerability that has lingered for some time. Amol Sarwate, a vulnerabilities lab manager at Qualys said Microsoft engineers are likely "testing a fix" that it is important not to damage or inhibit functionality when rolling out the patch.
Shavlik's Miller said he was surprised there was no repair to the vulnerability, but Microsoft has not seen any "uptick" in the amount of attacks using the flaw making it less of a priority to rush out.