BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Patch Tuesday – January 2011

Posted January 11, 2011    Chris Silva

The ebb and flow of Microsoft Security Bulletins continued this month, with a nice slow release of only two bulletins to follow up the record set in December. Unfortunately, neither of these two bulletins patched any of the zero-day vulnerabilities that are currently affecting Microsoft products.

Microsoft continued to patch DLL preloading vulnerabilities, this time updating Windows Backup Manager on Vista (MS11-001). This is the seventh security bulleting Microsoft has released to address a DLL preloading vulnerability in one of their products. And remember from last month, it is a good idea to follow the mitigation steps outlined in KB2269637 as numerous other third-party software products are affected and unpatched.

Join Marc Maiffret and the eEye Research team tomorrow (January 12) at 11AM PST for this month’s vulnerability expert forum (VEF). Because of the small number of bulletins, tomorrow’s VEF should have ample time to discuss trends in the security industry and to answer any questions that you may have. Listeners will have a chance to win an Amazon Kindle, so make sure to sign up and listen.

Here are our recommendations for the two security updates. You can find our full write-up in newsletter format here. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

CRITICAL

MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

  • Analysis
    There are two vulnerabilities in Microsoft Data Access Components, both allowing for remote code execution in the context of the local user. A user must visit a specially crafted web page in order for the vulnerability to be exploited; once a user has visited a malicious page, an attacker may gain complete control of the system if the user is running as an administrator.
  • Recommendations
    Administrators are urged to patch immediately, however there is one mitigating factor and one workaround to help lessen the impact of these vulnerabilities:

    CVE-2011-0026 is not exploitable under the default Windows configuration.
    - A third-party application that uses ODBC (Open Database Connectivity) APIs in an insecure way must be installed on the system in order to be vulnerable.

    CVE-2011-0027 may be mitigated by setting the Internet and local Intranet zones to “High” within Internet Explorer or by configuring Internet Explorer to prompt the user before running Active Scripting.
    - In Internet Explorer, click the Security Tab –> Internet –> Custom Level.
    * Under Settings, in the Scripting section, under Active Scripting click “Prompt or Disable”.
    - Go back to the Security Tab –> Local Intranet –> Custom Level.
    * Under Settings, in the Scripting section, under Active Scripting click “Prompt or Disable”.

IMPORTANT

MS11-001 – Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

  • Analysis
    Windows Backup Manager contains a vulnerability when loading DLLs, causing susceptibility to DLL preloading attacks. Files that are opened with Windows Backup Manager, such as .wbcat, from attacker controlled locations (e.g. a WebDAV server or other untrusted location) could allow the attacker to execute arbitrary code in the context of the local user. This vulnerability only affects Windows Vista (both 32-bit and 64-bit).
  • Recommendations
    dministrators are urged to install the patch; however, there is a workaround that may be used to help mitigate this threat:
    Disable loading of libraries from remote network locations (http://support.microsoft.com/kb/2264107).

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,