Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

02:56 PM

Microsoft's January Patch Missing Fixes For Five Flaws

The company's patch process seems slow to respond to known vulnerabilities.


Microsoft on Tuesday published two Security Bulletins addressing three vulnerabilities, only one of which the company deems critical.

Affected software includes Microsoft Windows and Windows Server. This is the kind of lightweight patching that IT administrators would have liked to see last month, when holiday vacations beckoned. Instead, the company's December patch day established a new record with 17 separate Security Bulletins.

The critical vulnerability, MS11-002, addresses two flaws in Microsoft Data Access Components, which, if exploited, could allow remote code execution.

Perhaps more noteworthy than what was fixed this month is what was not: five publicly known vulnerabilities that remain unpatched.

"Instead of talking about the number of bulletins being patched today, everyone’s mind is on the five vulnerabilities that are not being patched," said nCircle director of security operations Andrew Storms in an e-mailed statement.

Paul Henry, security and forensics analyst for Lumension, also warned in an e-mail that multiple Microsoft zero-day vulnerabilities remain unaddressed. He cited the Internet Explorer (versions 6 through 8) style sheet importing flaw (CVE-2010-3971) and the Windows graphics rendering engine flaw (CVE-2010-3970) as the two most worrisome. The other three do not have a CVE entry yet and are described by Microsoft on its Security Research and Defense blog.

Henry said that Microsoft is facing increasing pressure to respond more quickly to vulnerability disclosures following Google security researcher Michal Zalewski's recent release of an update to his browser fuzzing tool, cross_fuzz, which has helped identify holes in Internet Explorer.

Google has been pushing for more openness and faster responses to vulnerabilities. Microsoft has suggested that Google's approach amplifies risk and continues to back its interpretation of "responsible disclosure."
