Today was Microsoft Patch Tuesday, and Microsoft released 3 patches addressing 4 vulnerabilities. This has been a very light year so far for Microsoft patches; year-to-date, MS has released a total of 17 patches, fixing 29 individual vulns. By this time last year, MS had released a similar number of patches (18) but covering almost twice as many vulns (57)! It’s too early to say whether this is a trend, but it is definitely welcome.
One of the vulns is a typical client-side exploit related to how Microsoft handles certain kinds of media files (DVR-MS). If an attacker can convince a user to open a malicious file, and their workstation is unprotected, the workstation will be exploited. Application exploits like this are fairly commonplace these days, although still important to patch.
The remaining three vulns are very similar in nature, and somewhat interesting. They all represent a class of vulnerabilities called “Insecure Library Loading”. If an attacker can convince a user to open a vulnerable type of file, and they can pre-plant a malicious DLL in the same directory, then can exploit the end user’s system and run the code of their choice. In general, these kinds of vulnerabilities are trickier to exploit than most typical client-side vulns, since they require some setup beyond getting a user to click on a malicious URL or open a malicious email attachment.
Microsoft first acknowledged the class of Insecure Library Loading vulnerabilities in August 2010. Since then they have released 11 patches addressing this class of vuln. The most likely scenario for exploiting these vulns is via a an untrusted file share, such as WebDAV. Back in August, McAfee Labs released an IPS signature designed to identify and block any insecure library loading over WebDAV, and this signature continues to provide proactive protection for all three related vulns this month.
McAfee’s protection for this month’s vulnerabilities is good:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of the DVR-MS vulnerability.
- McAfee's Host Intrusion Prevention is expected to provide proactive protection against exploits of 2 of the vulns (the DVR-MS vuln and one of the secure library loading vulns).
- McAfee's Network Security Platform will very shortly have content to protect against exploits all 4 new vulnerabilities.
- McAfee Vulnerability Manager and Policy Auditor will shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Additional analysis is underway to determine the protection level to be expected by McAfee Application Control and Web Gateway. In particular, Application Control should prove to be very capable of addressing insecure library loading vulnerabilities. Keep an eye on the McAfee Threat Center for more details as they become available.