Microsoft released just two bulletins in this month’s
edition of patch Tuesday. Both bulletins cover vulnerabilities in Windows, and Microsoft is recommending that users install the critical fix for the two vulnerabilities covered in MS11-02 immediately.
In addition to the patches for three total vulnerabilities, Microsoft also released some updated guidance for customers trying to defend against the unpatched Internet Explorer CSS bug that was disclosed recently. The guidance includes the release of a FixIt tool to help users protect against attacks.
“This workaround is an MSI package (Microsoft “FixIt”) that uses the
Windows application compatibility toolkit to make a small change to
MSHTML.DLL every time it is loaded by Internet Explorer. This change
causes Internet Explorer to refuse to import a CSS style sheet if it has
the same URL as the CSS style sheet from which it is being loaded.
Simply put, the workaround inserts a check to see if a style sheet is
about to be loaded recursively, and if it so, it aborts the load of the
style sheet,” Microsoft said in its guidance.
The first patch release of 2011 is a relatively small one considering
the 16
bulletins released in October that addressed 49 vulnerabilities and the 17
released two months later addressing 40 vulnerabilities.
MS11-01
is rated as important, and resolves a vulnerability in Windows Backup Manager
that was disclosed publicly. Exploiting it could give remote code execution to
an attacker if a user opens a legitimate Windows Backup Manager file in the
same network directory as a specifically crafted library file. To be
successful, the user must visit an unknown
remote file system location or WebDAV share and open the legitimate file from
that location, which could cause Windows Backup Manager to load the specially crafted
library file.
MS11-02
is rated critical and resolves two privately disclosed vulnerabilities, a DSN
overflow and ADO record memory vulnerability, in Microsoft Data Access
Components. This bug could allow remote code execution if the user views a
specifically crafted Web page. The successful attacker could exploit this
vulnerability and gain access to the same user rights as the local user. The
accounts of users that are configured to allow fewer user rights are likely to
be less affected than those with administrative user rights.