Tuesday 10 May 2011

Microsoft Patch Tuesday: May Preview


That time again, here we go with a light Patch Tuesday May update from Microsoft.

We are expecting 2 updates for May 2011; one rated as Critical and the other rated as Important. Interestingly, both patches relate to Remote Code Execution.

Let me tell you why...

On August 23rd, 2010 (so, a little while ago now) Microsoft published the following security advisory;

"Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. "

You also note, that over the past few months the following Microsoft patches have been released specifically to resolve this issue;

Update released on November 9
  • Microsoft Security Bulletin MS10-087

Updates released on December 14 2010
  • Microsoft Security Bulletin MS10-093
  • Microsoft Security Bulletin MS10-094
  • Microsoft Security Bulletin MS10-095
  • Microsoft Security Bulletin MS10-096
  • Microsoft Security Bulletin MS10-097

Update released on January 11
  • Microsoft Security Bulletin MS11-001

Update released on February 8
  • Microsoft Security Bulletin MS11-003

Updates released on March 8
  • Microsoft Security Bulletin MS11-015
  • Microsoft Security Bulletin MS11-016
  • Microsoft Security Bulletin MS11-017


Updates released on April 12
  • Microsoft Security Bulletin MS11-023
  • Microsoft Security Bulletin MS11-025

All of these updates appear to relate to the same security issue: no specified path in the DLL Link routine and all have the same potential adverse security outcome: Unauthorised Remote Control. As you walk through these past Microsoft updates, most of them relate to Microsoft Office products. I find it a little hard at this point, given Microsoft 7 year long security initiative that we are still find (and having to patch) DLL's that have a well-defined security vulnerability.

Given Microsoft's track record on this issue, I bet that both patches released later tonight will relate to either IE or Microsoft Office and that the offending issue will be non-secured linking routines for dynamic link DLL's.


 You can read more about Microsoft Advance Security notification bulletin here: http://www.microsoft.com/technet/security/Bulletin/MS11-may.mspx

You can find the August Microsoft Security advisory here: http://www.microsoft.com/technet/security/advisory/2269637.mspx

No comments: