Critical Patch Tuesday flaw easy to exploit

Microsoft only released three new security bulletins for Patch Tuesday, but one vulnerability has security experts concerned.

Guess what today is? Yes, it is Fat Tuesday--the official kickoff of Mardi Gras. But it's also Patch Tuesday. Again. The good news is that there are only three security bulletins--only one of which is rated Critical. The bad news is that the Critical flaw will be very easy for attackers to exploit.

The main concern this month is MS11-015, which addresses two separate vulnerabilities. The security bulletin explains that the more severe vulnerability could be exploited to allow an attacker to execute malicious code remotely. The good news is that triggering the vulnerability requires some action on the part of the user. But, social engineering attacks related to video clips are common, and often relatively successful.

"The lone critical issue this month - the DVR-MS vulnerability - will be somewhat trivial for attackers to exploit," said Joshua Talbot, security intelligence manager, Symantec Security Response. "It also allows attackers to skip a few of the traditional steps needed to get malicious code to execute on a targeted computer. This is because when processing DVR-MS files, Windows Media Player and Media Center use data in these files themselves to determine what code in memory gets executed. This allows an attacker to jump directly to executing malicious code."

As for the other two March security bulletins, there isn't much to see. Tyler Reguly, technical manager of security research and development for nCircle, says, "DLL Preloading is such a snooze it's really not worth talking about anymore."

Notably absent from the Patch Tuesday lineup is a fix for the MHTML flaw discovered in late January. It was expected that it wouldn't make the cut for last month's Patch Tuesday updates because of the short notice. But, with over a month to analyze the bug and develop a patch, it was expected that Microsoft would resolve the problem this time around.

Andrew Storms, director of security operations for nCircle, points out that April could bring another avalanche of patches and updates. "CanSecWest's Pwn2Own hacking contest is also scheduled for later this week and that traditionally unearths some interesting Internet Explorer and Windows 7 phone security bugs."

As always--whether Microsoft releases two security bulletins, or twelve--Microsoft and security experts all recommend that any applicable patches and updates be applied as soon as possible. Attacks against zero-day vulnerabilities grab headlines, but malware frequently targets known vulnerabilities for which vendors have already released patches that customers haven't applied.

Tony Bradley

PC World (US online)