Patch Tuesday defined by the flaws that aren't fixed
- 12 January, 2011 06:34
Microsoft is easing in to 2011 with a light Patch Tuesday for January. There are only two security bulletins this month, and only one of those two is rated as Critical by Microsoft.
MS11-002 is the more urgent of the two security bulletins. According to the Microsoft Security Response Center blog, "This bulletin addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server."
Joshua Talbot, security intelligence manager for Symantec Security Response provides some additional insight. "The patch for the critical vulnerability corrects a problem in the way MDAC validates memory allocation. The other patch fixes an issue--marked as important-- in the way MDAC validates third-party usage of a Microsoft API. Both vulnerabilities can be exploited by drive-by download, meaning simply viewing a legitimate site that has been compromised by an attacker can lead to a user's machine being exploited."
While IT admins may be thankful that there are so few security bulletins for January, it is worth noting, that there are still known vulnerabilities that remain unpatched following this Patch Tuesday release. The Windows Graphics Rendering Engine and IE zero-day vulnerabilities were not addressed.
"These vulnerabilities can still be exploited," said Dave Marcus, director of security research and communications at McAfee Labs. "It underscores how users and enterprises cannot and should not rely on patching to solve security issues."
In other words, It admins should have a framework of vulnerability and risk assessment tools to intelligently determine the potential impact of a given threat to their own unique environment. In addition, organizations should have layers of defense and the ability to limit exposure and mitigate threats even without a vendor patch.
Andrew Storms, Director of Security Operations for nCircle, e-mailed some insight on the unpatched flaws. "The most interesting thing this month is a new mitigation tactic that Microsoft is calling a 'shim' for the outstanding Internet Explorer bug described in advisory 2488013. The shim uses the application compatibility framework in Windows to rewrite in-memory function calls of MSHTML.DLL. "
Storms continues, "Effectively, this offers an additional check on the known security bug and prevents the vulnerability from occurring. Enterprises are likely to find this tactic enticing because it's easy to deploy and is a relatively low risk. This mitigation tactic is a new offering from Microsoft. They provided a similar kind of shim for Office XP, but this is the first time we have seen this approach to combat an un-patched, active zero-day bug."
Get the patches from Microsoft applied as soon as you can. But--more importantly--be aware of what remains unpatched and make sure you have measures in place to guard against exploits.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Microsoft Security Bulletin Summary for January 2011
- Microsoft Warns of New Windows Vulnerability - PCWorld Business Center
- McAfee Labs
- Can Chrome Continue to Chip Away at Internet Explorer? - PCWorld Business Center
- Microsoft Security Advisory (2488013): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Five trends affecting legal CIOs
CIO Roundtable: The changing face of security
Bitcoin malware count soars as cryptocurrency value climbs
Bouncing Back From CIO Unemployment
Union slams latest fibre-to-premise trial in Tasmania
Chandler Macleod recruits new user virtualization platform
One of Australasia’s largest and most successful recruitment and human capital management companies share their success story after recruiting a user virtualization platform, giving them control over the users and devices that have access to specific applications.
Evolving Threats Demand New Approaches to Security
As the world becomes increasingly hyperconnected, the opportunities for innovation are virtually limitless. At the same time, the complexity and risk associated with those opportunities is great. Security threats have the potential for enormous ramifications, but so does deploying a security strategy that compromises the user experience, performance, and the ability to innovate online. This paper will profile the emerging disruptive players, and identifies the essential steps to establishing a secure environment without compromising performance or experience.
Security in a Faster Forward World
Organizations today operate in a Faster Forward world, as they experience a shift towards an increasingly mobile workforce. Following this, an evolving stream of attackers are now targeting mobile devices where they can more easily access a larger number of high-value corporate and government assets. This paper will guide you through finding the right Web security partner that can improve efficiency while reducing risks and improving web experience.