Patch Tuesday defined by the flaws that aren't fixed

There are only two security bulletins from Microsoft for Patch Tuesday, but a number of vulnerabilities remain unpatched

Microsoft is easing in to 2011 with a light Patch Tuesday for January. There are only two security bulletins this month, and only one of those two is rated as Critical by Microsoft.

MS11-002 is the more urgent of the two security bulletins. According to the Microsoft Security Response Center blog, "This bulletin addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated Critical for Windows XP, Vista and Windows 7 and the second rated Important for all supported versions of Windows Server."

Joshua Talbot, security intelligence manager for Symantec Security Response provides some additional insight. "The patch for the critical vulnerability corrects a problem in the way MDAC validates memory allocation. The other patch fixes an issue--marked as important-- in the way MDAC validates third-party usage of a Microsoft API. Both vulnerabilities can be exploited by drive-by download, meaning simply viewing a legitimate site that has been compromised by an attacker can lead to a user's machine being exploited."

While IT admins may be thankful that there are so few security bulletins for January, it is worth noting, that there are still known vulnerabilities that remain unpatched following this Patch Tuesday release. The Windows Graphics Rendering Engine and IE zero-day vulnerabilities were not addressed.

"These vulnerabilities can still be exploited," said Dave Marcus, director of security research and communications at McAfee Labs. "It underscores how users and enterprises cannot and should not rely on patching to solve security issues."

In other words, It admins should have a framework of vulnerability and risk assessment tools to intelligently determine the potential impact of a given threat to their own unique environment. In addition, organizations should have layers of defense and the ability to limit exposure and mitigate threats even without a vendor patch.

Andrew Storms, Director of Security Operations for nCircle, e-mailed some insight on the unpatched flaws. "The most interesting thing this month is a new mitigation tactic that Microsoft is calling a 'shim' for the outstanding Internet Explorer bug described in advisory 2488013. The shim uses the application compatibility framework in Windows to rewrite in-memory function calls of MSHTML.DLL. "

Storms continues, "Effectively, this offers an additional check on the known security bug and prevents the vulnerability from occurring. Enterprises are likely to find this tactic enticing because it's easy to deploy and is a relatively low risk. This mitigation tactic is a new offering from Microsoft. They provided a similar kind of shim for Office XP, but this is the first time we have seen this approach to combat an un-patched, active zero-day bug."

Get the patches from Microsoft applied as soon as you can. But--more importantly--be aware of what remains unpatched and make sure you have measures in place to guard against exploits.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftoperating systemssoftwareWindowspatches & drivers

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?