Microsoft plugs three Windows holes, works on others

Patch Tuesday sees three Windows holes fixed, but experts await word on fixes for five pending vulnerabilities.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Microsoft ranks the order of importance for the latest security patches. (Image: Microsoft)

As part of Patch Tuesday, Microsoft today issued two bulletins fixing three holes in Windows, including one rated critical for Windows XP, Vista, and Windows 7.

"We are not aware of proof-of-concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month's release," the company wrote in a Microsoft Security Response Center blog post.

The critical vulnerability is addressed in Bulletin MS11-002, which fixes it along with an "important" vulnerability. Both are in Microsoft Data Access Components (MDAC) and could allow an attacker to take over the computer if a user merely viewed a malicious Web page.

The second bulletin, MS11-001, resolves an "important" vulnerability that could allow remote code execution if a user opens a legitimate Windows Backup Manager file located in the same network directory as a malicious library (DLL) file. For the attack to succeed, the user would have to open the file from an untrusted remote file system or WebDAV (Web-based Distributed Authoring and Versioning) share.
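The MS11-001 attack belongs to the insecure-library-loading class: when an application asks Windows for a DLL by bare name, the loader tries a fixed list of directories, and the directory holding the document a user opened from a share (which becomes the process's current directory) is on that list. The Python model below is an added example, not code from the article or from Microsoft; it walks Microsoft's documented default search order (SafeDllSearchMode on) to show when a planted copy wins and when it does not. The application directory, share path, file names and "helper.dll" are constructed for the illustration and are not taken from the MS11-001 bulletin.

```python
# Added example: model of the Windows DLL search order, used to show why a
# library planted next to a document on a share can be loaded in place of a
# legitimate one.  All paths and file names below are constructed for the
# illustration; they are not the files involved in MS11-001.
from typing import Iterable, List, Optional

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str],
                 safe_search: bool = True, cwd_removed: bool = False) -> List[str]:
    """Directories LoadLibrary("name.dll") tries, in order, for a bare name.

    With SafeDllSearchMode on (the default since Windows XP SP2) the current
    directory is searched after the system and Windows directories; with it
    off, the current directory comes right after the application directory.
    cwd_removed models an application that called SetDllDirectory("") so the
    current directory is never searched at all.
    """
    order = [app_dir]
    if not safe_search and not cwd_removed:
        order.append(cwd)
    order += [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if safe_search and not cwd_removed:
        order.append(cwd)
    order += list(path_dirs)
    return order


def resolve(name: str, present: Iterable[str], order: List[str]) -> Optional[str]:
    """First path in the search order at which a file called `name` exists.

    `present` is the set of files that exist (a constructed stand-in for the
    real file system); matching is case-insensitive like NTFS lookups.
    """
    existing = {p.lower() for p in present}
    for directory in order:
        candidate = directory.rstrip("\\") + "\\" + name
        if candidate.lower() in existing:
            return candidate
    return None


# Hypothetical application, share and library names for the scenario.
APP_DIR = r"C:\Program Files\BackupTool"
SHARE_DIR = r"\\fileserver\shared\reports"   # directory the opened document sits in
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
LIB = "helper.dll"

# Constructed file listing: the application loads LIB by bare name but does
# not ship it, and an attacker has placed a copy next to the document.
PLANTED_FS = {
    APP_DIR + r"\backuptool.exe",
    SHARE_DIR + r"\quarterly.bak",
    SHARE_DIR + "\\" + LIB,
}


def scenario(present: Iterable[str], safe_search: bool = True,
             cwd_removed: bool = False) -> Optional[str]:
    """Which copy of LIB loads when the document in SHARE_DIR is opened."""
    order = search_order(APP_DIR, SHARE_DIR, PATH_DIRS, safe_search, cwd_removed)
    return resolve(LIB, present, order)


if __name__ == "__main__":
    legit_fs = PLANTED_FS | {SYSTEM_DIR + "\\" + LIB}
    print("app does not ship the DLL, default search:", scenario(PLANTED_FS))
    print("same, current directory removed:        ", scenario(PLANTED_FS, cwd_removed=True))
    print("DLL also in System32, safe search on:   ", scenario(legit_fs))
    print("DLL also in System32, safe search off:  ", scenario(legit_fs, safe_search=False))
```

The first case is the one the bulletin describes: a library the application requests by name but does not carry with it is found nowhere earlier in the order, so the copy on the share is loaded. Removing the current directory from the search (or loading by full path) is what closes that window; SafeDllSearchMode alone only protects libraries that already exist in the application or system directories.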

More details are in the security advisory for this month.

Meanwhile, Microsoft revised Security Advisory 2488013, related to Cascading Style Sheets (CSS), to add another workaround for a vulnerability that affects Internet Explorer and for which there have been reports of targeted attacks.

"The most important vulnerability, known as 'css.css,' affects all versions of Internet Explorer and is rated critical," said Wolfgang Kandek, chief technology officer at Qualys. "The exploit code is public and targeted attacks have been observed."

Security experts said they were more interested in when Microsoft plans to patch existing zero-day holes than in the fixes that were released.

"Instead of talking about the number of bulletins being patched today, everyone's mind is on the five vulnerabilities that are not being patched," said Andrew Storms, director of security operations for nCircle.

Microsoft has published a list of the pending issues. On that list is a bug in IE disclosed by Google security researcher Michal Zalewski, for which he said an exploit had been leaked to the Web. He also publicly released the tool he said he had used to find that hole and others in major browsers. Microsoft says it is still assessing the issues Zalewski brought up.