
January Windows Security Patch Lacks IE Fix

As expected, Microsoft today released two security bulletins in its January security update.

One of the bulletins is deemed “critical,” while the other is considered “important.” Both are designed to address remote code execution exploit risks in Windows.

Critical and Important Fixes
The critical item affects all supported Windows operating systems and touches Microsoft Data Access Components, which are the link between the operating system and various databases operating in a Windows environment.

“The critical Microsoft Data Access Components vulnerability is one of two MDAC issues fixed this month,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “These components are a collection of technologies that enable applications — both from Microsoft and third-party developers — to access and manipulate databases.”

Meanwhile, Microsoft said that the second and final item in the patch “resolves one reported issue rated important and affecting Windows Vista.” This fix addresses a vulnerability in Windows Backup Manager.

The Backup Manager vulnerability is a fairly tough technical nut to crack, according to security experts. A hacker would have to open up Windows Backup and be able to access the target servers using Server Message Block (SMB) or Web-based Distributed Authoring and Versioning (WebDAV).

What About IE?
Notably missing from this January slate is an update for the Internet Explorer flaw, which was exposed as a proof-of-concept exploit late last year and early this year. Microsoft hasn’t ruled out producing an out-of-band fix, but the security team may wait until next month to deliver it.

The software giant released a table identifying some of the current security issues being considered by the team, along with possible mitigations to implement while awaiting a fix. Microsoft also updated its security advisory on Internet Explorer, adding a new “Fix it” workaround solution associated with preventing “the recursive loading of CSS style sheets in Internet Explorer.”

“The most interesting thing this month is the [Internet Explorer] mitigation tactic that Microsoft is calling a ‘shim’,” said Andrew Storms, director of security operations at nCircle. “The shim uses the application compatibility framework in Windows to rewrite in-memory function calls of MSHTML.DLL.”

Storms said this tactic offers an additional check on the known security bug and prevents the vulnerability from occurring. Storms called the tactic “easy to deploy and is a relatively low risk.”

As for the fixes Microsoft released in this month’s patch, both may require restarts.

Microsoft provides a Knowledge Base article for nonsecurity updates rolled out through Windows Server Update Services, Windows Update and Microsoft Update.

 

  1. March 7, 2011 at 3:09 am

    I think Microsoft should really do its best to fix their Windows security because it’s really hard for us to work knowing that there were a lot of errors with the OS. In my experience as a programmer, it was really inconvenient for me with my PC crashing from time to time. Good thing that I can always call for a Boston IT solutions provider to help me fix any problems.
