Microsoft Patch Tuesday leaves MHTML bug unchecked


Microsoft Patch Tuesday leaves MHTML bug unchecked

Ryan Cloutier, Contributor

Microsoft issued three security bulletins, addressing two critical vulnerabilities affecting Direct Show and Windows Media Player in its March Patch Tuesday round of patches, but still left users looking for an MHTML fix.

The three security bulletins are all related to an advisory Microsoft released in august of 2010 regarding

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

DLL preloading, which can result in remote code execution, said Jason Miller, data team manager at St. Paul, Minn.-based vulnerability management vendor Shavlik Technologies LLC. Dynamic-link library (DLL) preloading, is a well-known class of vulnerabilities. It enables third party applications to preload shared files in Windows, but an error can enable an attacker to gain access to sensitive data or worse, take control of a victim's computer.

This month saw a lone critical security bulletin. MS11-015 repairs a serious vulnerability in DirectShow and a hole in Windows Media Player and Windows Media Center. The update is rated critical for nearly all supported editions of WIndows and Windows Media Center TV Pack for Windows Vista. The bulletin is rated important for Windows Server 2008 R2.

The critical vulnerabilities could enable an attacker to conduct remote code execution by tricking a victim into visiting a webpage with a malicious Microsoft Digital Video Recording (dvr-ms) file. The Windows media player vulnerability enables the attacker to exploit the hole by getting a victim to open a malicious video file through a browser.

"MS11-015 is very important because that vulnerability can be exploited without actually watching the video," said Wolfgang Kandek, CTO of vulnerability management vendor Qualys Inc.

Microsoft normally rates such vulnerabilities as "important" but because this particular attack does not require any user intervention (as this type of vulnerability normally does) and because of its "drive-by" nature, the patch was upgraded to critical, Kandek noted in a blog post.

Other DLL preloading issues were repaired in MS11-016, which is rated important because it only affects Microsoft Groove and .vcg or .gta files. Groove is a Microsoft SharePoint shared workspace Office suite application. MS11-017 patches a Windows Remote Desktop Protocol vulnerability wherein opening a malicious .rdp file on a network that contains a malicious DLL can result in remote code execution.

MHTML issue remains
Noticeably absent from this month's ration of patches is the almost enigmatic fix for the MHTML vulnerability that has lingered for some time. Amol Sarwate, a Vulnerabilities Lab Manager at Qualys said Microsoft engineers are likely "testing a fix" that it is important not to damage or inhibit functionality when rolling out the patch.

The MHTML information disclosure issue has not been patched through two Patch Tuesday cycles. Proof-of-concept code targeting the MHTML zero-day flaw was issued in January. Microsoft said a victim can be infected by clicking on a malicious link on a website that leads to a HTML document. The technique injects malicious JavaScript onto the victim's browser, giving the attacker the ability to "spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

Shavlik's Miller said he was surprised there was no repair to the vulnerability, but Microsoft has not seen any "uptick" in the amount of attacks using the flaw making it less of a priority to rush out.