5 Microsoft security flaws remain unpatched, despite 2 fixes

Microsoft kicks off 2011 with light Patch Tuesday

Microsoft gave the security world a light Patch Tuesday today, with only two updates, after issuing a record 106 security bulletins in 2010 and 17 in December alone. But that doesn't mean Microsoft products have no holes in them. In fact, security researchers say there are five publicly known, unpatched flaws that Microsoft is still working to fix.

Microsoft's Security Research & Defense blog listed five publicly known security holes last week, and said exploit code is publicly available for two of them. Another of the five issues set off a confrontation between Microsoft and a Google security researcher who made the security hole public.

But even after today's monthly security update, all five of the bugs remain unpatched.

"These vulnerabilities can still be exploited," McAfee Labs security research director Dave Marcus said. "It underscores how users and enterprises cannot and should not rely on patching [alone] to solve security issues."

But IT pros should certainly take a look at the two patches issued by Microsoft today, which focus on a total of three vulnerabilities. The more important of the two is MS11-002, a critical patch for two privately reported vulnerabilities in Windows that can allow remote code execution. The vulnerabilities are present in Microsoft Data Access Components, which is part of Windows.

"The vulnerabilities could allow remote code execution if a user views a specially crafted Web page," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." The patch is rated critical for all supported editions of Windows XP, Vista and 7, and is rated important for Windows Server 2003 and 2008.

The second security update, MS11-001, is rated "important," a step below critical, and addresses a publicly disclosed vulnerability in Windows Backup Manager that "could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file," Microsoft said. This is the DLL-preloading (insecure library loading) pattern: the attacker does not tamper with the legitimate file, only plants a library next to it where the application will find it first. This vulnerability affects only Windows Vista; Windows XP and 7 are not affected.
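The precondition for the attack Microsoft describes is visible on disk: a file a user would double-click sitting beside a DLL in a directory that has no legitimate reason to carry one. The following hunting script walks a share and flags that pattern. It is an added example, not code from Microsoft or from the article; the extension lists, the sample tree and the DLL name in it are assumptions chosen for illustration, not details taken from the bulletin.

```python
"""Hunt for the DLL-preloading precondition: user-openable data files in the
same directory as a .dll, with no executable present to justify the DLL.

Added example, not the bulletin's or the article's code. Extension lists and
sample data are assumptions made for this illustration."""
import os
import tempfile

# Assumed: extensions a victim opens by double-click (the "legitimate file").
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".ppt", ".pdf", ".txt", ".rtf"}
# Assumed: a directory that legitimately ships DLLs normally has a binary too.
BINARY_EXTENSIONS = {".exe", ".com", ".msi", ".scr"}


def suspicious_dll_neighbours(root):
    """Return (relative_dir, dll_name, [data files]) for every directory under
    `root` that holds a DLL beside data files but no executable.

    That layout matches the attack precondition: the victim opens the data
    file, the registered application starts with that directory as its
    working directory, and a library it requests by name may be resolved
    there before the genuine copy elsewhere on the search path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        exts = {name: os.path.splitext(name)[1].lower() for name in filenames}
        dlls = sorted(n for n, e in exts.items() if e == ".dll")
        data = sorted(n for n, e in exts.items() if e in DATA_EXTENSIONS)
        binaries = [n for n, e in exts.items() if e in BINARY_EXTENSIONS]
        if dlls and data and not binaries:
            rel = os.path.relpath(dirpath, root)
            for dll in dlls:
                findings.append((rel, dll, data))
    return findings


def build_sample_share():
    """Construct a throwaway directory tree standing in for a network share.
    Entirely constructed sample data for this example."""
    root = tempfile.mkdtemp(prefix="share_")

    def touch(*parts):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")

    # Attack pattern: a document beside a DLL, no executable present.
    # The DLL name is picked for the sample; it is not the one in the bulletin.
    touch("reports", "q4-summary.docx")
    touch("reports", "oleacc.dll")
    # Benign: an application folder that ships its own DLL next to its exe.
    touch("tools", "viewer.exe")
    touch("tools", "viewer.dll")
    touch("tools", "readme.txt")
    # Benign: documents only.
    touch("archive", "notes.txt")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel_dir, dll, data in suspicious_dll_neighbours(share):
        print(f"{rel_dir}/{dll} sits beside user-openable files: {', '.join(data)}")
```

Point `suspicious_dll_neighbours` at a mounted share instead of the constructed tree to use it for real. The check is deliberately conservative: an attacker who also drops an executable in the directory will not be flagged, so treat a clean result as the absence of the most common layout, not as proof the share is safe.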

What about the five remaining vulnerabilities that haven't been patched? Microsoft has released security bulletins for two of them, with workarounds included. These two affect Internet Explorer 6, 7 and 8, and the Windows graphics rendering engine.

The bug reported by Google vulnerability researcher Michal Zalewski stems from a "fuzzing" tool he used to find many bugs in Internet Explorer and in other browsers such as Firefox and Chrome. Microsoft said it is still trying to recreate the potential attack in its labs and is "unable to make an assessment at this time without stand-alone PoC [proof-of-concept]. However, we are working on a security update to address the issues found in fuzzing."

The two remaining unpatched vulnerabilities are a potential denial-of-service flaw in the IIS FTP 7.5 service, and a flaw in an ActiveX control shipped with the WMI Administrative Toolkit. So far, Microsoft has not seen any attempts to exploit the FTP vulnerability, and says the ActiveX issue poses little real-world risk.

Microsoft could fix some or all of these five bugs in next month's Patch Tuesday, or even issue an out-of-band patch before then. However, Qualys researchers told me at this point it looks like out-of-band patches are not necessary, especially if IT pros find it easy enough to implement the workarounds offered by Microsoft. 

Copyright © 2011 IDG Communications, Inc.