Patch Tuesday defined by the flaws that aren't fixed

There are only two security bulletins from Microsoft for Patch Tuesday, but a number of vulnerabilities remain unpatched

Microsoft is easing in to 2011 with a light Patch Tuesday for January. There are only two security bulletins this month, and only one of those two is rated as Critical by Microsoft.

MS11-002 is the more urgent of the two security bulletins. According to the Microsoft Security Response Center blog, "This bulletin addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server."

Joshua Talbot, security intelligence manager for Symantec Security Response provides some additional insight. "The patch for the critical vulnerability corrects a problem in the way MDAC validates memory allocation. The other patch fixes an issue--marked as important-- in the way MDAC validates third-party usage of a Microsoft API. Both vulnerabilities can be exploited by drive-by download, meaning simply viewing a legitimate site that has been compromised by an attacker can lead to a user's machine being exploited."

While IT admins may be thankful that there are so few security bulletins for January, it is worth noting, that there are still known vulnerabilities that remain unpatched following this Patch Tuesday release. The Windows Graphics Rendering Engine and IE zero-day vulnerabilities were not addressed.

"These vulnerabilities can still be exploited," said Dave Marcus, director of security research and communications at McAfee Labs. "It underscores how users and enterprises cannot and should not rely on patching to solve security issues."

In other words, It admins should have a framework of vulnerability and risk assessment tools to intelligently determine the potential impact of a given threat to their own unique environment. In addition, organizations should have layers of defense and the ability to limit exposure and mitigate threats even without a vendor patch.

Andrew Storms, Director of Security Operations for nCircle, e-mailed some insight on the unpatched flaws. "The most interesting thing this month is a new mitigation tactic that Microsoft is calling a 'shim' for the outstanding Internet Explorer bug described in advisory 2488013. The shim uses the application compatibility framework in Windows to rewrite in-memory function calls of MSHTML.DLL. "

Storms continues, "Effectively, this offers an additional check on the known security bug and prevents the vulnerability from occurring. Enterprises are likely to find this tactic enticing because it's easy to deploy and is a relatively low risk. This mitigation tactic is a new offering from Microsoft. They provided a similar kind of shim for Office XP, but this is the first time we have seen this approach to combat an un-patched, active zero-day bug."

Get the patches from Microsoft applied as soon as you can. But--more importantly--be aware of what remains unpatched and make sure you have measures in place to guard against exploits.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftsecuritypatches & driversWindowssoftwareoperating systems

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?