Critical Patch Tuesday Flaw Easy to Exploit

08.03.2011
Guess what today is? Yes, it is Fat Tuesday--the official kick off of Mardi Gras. But, it's also The good news is that there are --only one of which is rated Critical. The bad news is that the Critical flaw will be very easy for attackers to exploit.

The main concern this month is , which addresses two separate vulnerabilities. The security bulletin explains that the more severe vulnerability could be exploited to allow an attacker to execute malicious code remotely. The good news is that triggering the vulnerability requires some action on the part of the user. But, social engineering attacks related to video clips are common, and often relatively successful.

"The lone critical issue this month - the DVR-MS vulnerability - will be somewhat trivial for attackers to exploit," said Joshua Talbot, security intelligence manager, . "It also allows attackers to skip a few of the traditional steps needed to get malicious code to execute on a targeted computer. This is because when processing DVR-MS files, Windows Media Player and Media Center use data in these files themselves to determine what code in memory gets executed. This allows an attacker to jump directly to executing malicious code."

As for the other two March security bulletins, there isn't much to see. Tyler Reguly, technical manager of security research and development for , says, "DLL Preloading is such a snooze it's really not worth talking about anymore."

Notably absent from the Patch Tuesday lineup is a fix for the MHTML flaw discovered in late January. It was expected that it wouldn't make the cut for updates because of the short notice. But, with over a month to analyze the bug and develop a patch, it was expected that Microsoft would resolve the problem this time around.

Andrew Storms, director of security operations for nCircle, points out that April could bring another avalanche of patches and updates. "CanSec West's Pwn2own hacking contest is also scheduled for later this week and that traditionally unearths some interesting Internet Explorer and Windows 7 phone security bugs."