Microsoft Patches Critical Windows Vulnerability

The software maker also tweaked its exploitability index, which predicts the likelihood that vulnerabilities will soon be compromised.

Mathew J. Schwartz, Contributor

May 11, 2011

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Internet Explorer 9 Fast, Powerful, Intuitive

Internet Explorer 9 Fast, Powerful, Intuitive


Slideshow: Internet Explorer 9 Fast, Powerful, Intuitive (click image for larger view and for slideshow)

Microsoft on Tuesday patched a critical vulnerability in Microsoft Windows, as well as two less severe vulnerabilities in Microsoft Office.

"This continues the cycle of smaller and larger patches on alternate months," said Wolfgang Kandek, CTO of Qualys, in a blog post. Regardless, since all three of the bugs detailed this month could allow remote code execution, he recommends quick patching.

The critical Windows vulnerability involves a flaw in Windows Internet Name Server (WINS), which "could allow remote code execution if a user received specially crafted malware on an affected system running the WINS service," said Microsoft.

According to Symantec, the bug exists because WINS "fails to sufficiently validate data structures in WINS network packets." Note, however, that WINS isn't ever installed by default, hence only users that have manually installed the component will be receiving an update.

The two other bugs, rated "important," are both in Microsoft PowerPoint, and could be exploited via a specially crafted, malicious PowerPoint file. "An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as a logged-on user," said Microsoft. Of course, users operating with fewer rights will necessarily be better protected against any related exploits. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," said Microsoft.

Microsoft's advice recalls a study, released last month, which found that blocking admin-level rights for regular users would stop the majority of attacks seen against Microsoft Windows.

Another relevant attack-stopping technique is to use the Office file validation feature--included by default in Office 2010 but also released last month for Office 2003 and 2007--which scans Office files for malformed data. If found, users see a warning that the file they're trying to open might be dangerous. But they can choose to open the file anyway.

While Microsoft released a patch for all affected versions of PowerPoint--2002, 2003, 2007--for Windows, it has yet to patch Microsoft Office 2004 and 2008 for Mac, which are also at risk. As a result, Mac users remain vulnerable to malicious PowerPoint files, said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The risk is that cybercriminals will reverse engineer the fix for the Windows version of PowerPoint, and use the information they discover to exploit the vulnerability on Apple Mac versions."

Also on the vulnerability front, beginning this month, Microsoft has updated its "exploitability index," which estimates the likelihood of a vulnerability being exploited by attackers in the next 30 days. It's designed to help patch managers know which flaws to fix first.

Now, Microsoft is offering an exploitability index for both the current version of a product, as well as all former versions in aggregate. On Microsoft's website, Maarten Van Horenbeeck, a senior security program manager, said that "this change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built into Microsoft's newest products; under the previous system, vulnerabilities were given an aggregate rating across all product versions."

Van Horenbeeck said the change, which Microsoft has been testing internally for eight months, reflects its finding that 38% of bugs discovered in products don't exist in the latest version of that product. In contrast, only 3% of bugs discovered in the most recent version of a product don't also affect previous versions.

Read more about:

2011

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights