Microsoft Squashes Three Bugs, One 'Critical' In 2011's First Patch Tuesday

Microsoft slapped away three bugs, one the software giant considered "critical," with a pair of security bulletins this week with the first Patch Tuesday of 2011.

The critical bulletin, MS11-002, patched two Windows vulnerabilities that affect Microsoft Data Access Components (MDAC). One of the bugs was found in the way MDAC validates third party API usage, while the second was due to the way MDAC validates memory allocation. Both vulnerabilities could be exploited by maliciously crafted Web sites that let an attacker remotely execute code, Microsoft said.

Microsoft considered the MDAC vulnerability "critical" in XP, Vista and Windows 7, and important on Server 2003 and Server 2008. So far, Microsoft is unaware of any attacks leveraging the vulnerabilities or any proof of concept code to exploit them.

"The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server," wrote Carlene Chmaj, Microsoft senior security response communications manager in a blog post detailing the two Patch Tuesday security bulletins. "It involves the Microsoft Data Access Components (MDAC). This has an Exploitability Index rating of 1, and because there is a Web based attack vector, this is at the top of our deployment priority list."

The second bulletin, MS11-001, which Microsoft ranked as "important," addresses a vulnerability in Windows Backup Manager.

"The vulnerability could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file," Microsoft wrote in the bulletin.

For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the specially crafted library file."

Chmaj wrote that the second security bulletin has an Exploitability Index rating of 1 and is a 2 on Microsoft's deployment priority list.

Microsoft had issued an early warning of the two pending security bulletins last week. And despite one being considered critical, Microsoft's first Patch Tuesday of 2011 was light compared to the December 2010 update, in which Microsoft issued 17 patches to fix 40 security flaws.

Microsoft also issued a workaround for an Internet Explorer bug Microsoft warned about in Disremember. That vulnerability occurs when an attacker creates a malicious CSS file that points to itself and provides it to IE. The action corrupts memory and could be exploited. Microsoft urged Internet Explorer users to review the workaround.

"This month we are revising Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability," Chmaj wrote. "This workaround only applies to systems that have the MS10-090 update for Internet Explorer installed."