Microsoft patches critical Windows drive-by bug

But leaves IE vulnerable at Pwn2Own, says unexpected update would be disruptive

Microsoft today shipped three security updates that patched four vulnerabilities in Windows and Office.

And, as expected, Microsoft did not release patches for Internet Explorer (IE) to bolster the browser's chances of surviving Pwn2Own, the hacking contest that begins tomorrow.

Even the company called today's Patch Tuesday an easy ride for customers. "It's a light month," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), the team responsible for investigating, patching and issuing fixes.

Microsoft has fallen into the practice of shipping fewer patches during odd-numbered months. In January, for example, it patched just three vulnerabilities, while last month it fixed 22 flaws.

Only one of the three updates -- Microsoft calls them "bulletins" -- was rated "critical," the company's top-level threat ranking. The other two were labeled "important," the second-most dire warning.

The MS11-015 bulletin was the single critical update.

"That's the one we would worry about most," said Wolfgang Kandek, CTO of Qualys.

The update patches a pair of vulnerabilities, including one in the Windows Media Center and Windows Media Player components found in almost all versions of Windows. The flaw resides in Digital Video Recording (DVR-MS) files, which are created by the Stream Buffer Engine (SBE) and stored with the ".dvr-ms" file extension.

"This is a browse and own vulnerability," said Bryant, talking about the kind of bug attackers could exploit simply by convincing users to visit a malicious site.

"It's a drive-by bug," echoed Andrew Storms, director of security operations at nCircle Security. "There are two exploit methods, the first in an IFRAME, which would be a typical drive-by. The other is as an e-mail attachment, which it appears that users would have to actually open, not just preview [in their e-mail client]."

All client editions of Windows, including Windows XP, Vista and Windows 7, are vulnerable until patched. The sole exception: Windows XP Home Edition, which does not support the flawed codec, said Angela Gunn, a senior communications response manager with MSRC.

The second vulnerability in MS11-015, and the two others patched in MS11-016 and MS11-017, are classified as "DLL load hijacking" flaws, sometimes called "binary planting" bugs.

Researchers first revealed significant DLL load hijacking issues in Windows, Microsoft's software and a wide range of third-party Windows applications last August. Microsoft started patching DLL load hijacking bugs in its own programs last November.

In December, Bryant said that Microsoft believed it had wrapped up its work on DLL load hijacking. But in January and February, the company issued additional fixes for the problem.

"This is kind of an ongoing investigation for us," Bryant said today. "[Although] we think we've found all the ones in IE, we're still going through the rest of our product base."

Kandek and Storms both said that it was likely Microsoft would continue to roll out DLL load hijacking fixes for some time. "This will continue for years to come, not only from Microsoft, but also from third-party vendors," said Kandek.

Even though the alarm was raised in August and Microsoft rushed out a tool to block potential attacks, hackers have not used the technique to compromise Windows computers, or if they have, the efforts have gone undetected.

Storms wasn't surprised.

"These are very difficult to exploit," he said. "Last year, it was 'Oh my gosh,' but it turned out to be not so easy to exploit these because it required users to browse to the malicious location and open the file, and the attacker to plant a [malicious] DLL and a bad file. That's quite a few steps."

HD Moore, the chief security officer at Rapid7 and the creator of the popular Metasploit open-source hacking toolkit, today reminded enterprises that they can make it more difficult for attackers to exploit any DLL load hijacking bug by disabling the WebDAV client service on all Windows PCs and blocking outbound TCP ports 139 and 445, the ports SMB file sharing uses. Both steps remove the remote locations (WebDAV and SMB shares) from which a planted DLL would otherwise be loaded.

Moore was one of the first to reveal the new class of DLL load hijacking vulnerabilities last year.
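The following script is an added example, not code from the article, Microsoft or Rapid7. It applies the two mitigations Moore describes (disabling the WebDAV client, blocking outbound SMB) together with the CWDIllegalInDllSearch registry control that Microsoft's August 2010 update (KB2264107, the tool mentioned earlier) introduced for the DLL load hijacking class, and reports the resulting state. It assumes an elevated PowerShell session on Windows Vista or Windows 7 (or later), where the WebDAV client is the WebClient service and the host firewall is managed with netsh advfirewall; the rule name, the `-Audit` switch and the choice of the Public firewall profile are conventions of this script, not anything on the page.

```powershell
# Added hardening example for the DLL load hijacking mitigations discussed above.
# Not from the article, Microsoft or Rapid7. Assumptions: run elevated on Windows
# Vista/7 or later; the CWDIllegalInDllSearch value is the one KB2264107 added
# and is ignored by a machine that does not have that update installed.

param(
    [switch]$Audit   # only report the current state, change nothing
)

$RuleName = 'Block outbound SMB 139/445 (DLL hijacking mitigation)'  # assumed name
$SmKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-HardeningState {
    # One object summarising the three controls, so the result can be collected
    # across a fleet (e.g. with Invoke-Command) and compared host by host.
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $rule = netsh advfirewall firewall show rule name="$RuleName"
    $cwd  = (Get-ItemProperty -Path $SmKey -Name CWDIllegalInDllSearch `
                -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    [pscustomobject]@{
        WebClientState        = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'absent' }
        OutboundSmbBlocked    = [bool]($rule -match 'Enabled:\s+Yes')
        CWDIllegalInDllSearch = $cwd   # $null when the value has never been set
    }
}

function Disable-WebDavClient {
    # Mitigation 1 (Moore): stop the WebDAV redirector, so a WebDAV path reached
    # through a link or IFRAME cannot become the current directory of a DLL search.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) { return }
    if ($svc.State -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

function Block-OutboundSmb {
    # Mitigation 2 (Moore): keep SMB from leaving the host, which removes the
    # other remote-share path for a planted DLL. Scoped to the Public profile
    # here so domain file shares keep working on the corporate network; an
    # enterprise would normally enforce the same block at its perimeter as well.
    $existing = netsh advfirewall firewall show rule name="$RuleName"
    if ($existing -match 'Enabled:') { return }   # rule already present
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
        protocol=TCP remoteport=139,445 profile=public | Out-Null
}

function Set-CwdDllSearchRestriction {
    # KB2264107 control. 2 = never load a DLL from the current directory when
    # that directory is a remote (WebDAV or UNC) folder. 0xFFFFFFFF would remove
    # the current directory from the search order entirely, which breaks some
    # applications, so 2 is the value set here.
    Set-ItemProperty -Path $SmKey -Name CWDIllegalInDllSearch -Value 2 -Type DWord
}

if ($Audit) {
    Get-HardeningState
} else {
    Disable-WebDavClient
    Block-OutboundSmb
    Set-CwdDllSearchRestriction
    Get-HardeningState
}
```

Run it with `-Audit` first to see what a host looks like before any change; the object it returns is what to compare against after the changes are applied. The registry value on its own is the only control that addresses planted DLLs on local removable media or a downloaded archive; the service and firewall changes only cut off the remote-share vectors Moore refers to.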

Microsoft did not patch IE before the Pwn2Own hacking challenge that kicks off Wednesday, however.

Pwn2Own, which pits security researchers against four browsers, including IE, Apple's Safari, Google's Chrome and Mozilla's Firefox, runs March 9-11 in Vancouver, British Columbia, at the CanSecWest security conference. The first researcher to take down IE, Safari or Firefox will receive a $15,000 prize, while $20,000 is at stake for Chrome.

Today, Bryant said it wasn't worth disrupting customers' patching schedules with an unexpected security update to boost IE's chance of surviving Pwn2Own.

"We don't see a reason to disrupt customers just for the contest," Bryant said. "Going out-of-band is a potential disruption, and we don't do that unless [a vulnerability] is actively being attacked."

Microsoft's declining to patch IE prior to Pwn2Own wasn't a surprise: The company now delivers IE updates in even-numbered months, and last patched the browser on Feb. 8.

In any case, Bryant added, there's no danger of any vulnerability exploited at Pwn2Own escaping into the wild. "Pwn2Own bugs are reported to vendors in a coordinated way," Bryant said.

HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program sponsors Pwn2Own and pays out the vast majority of the cash prizes, buys the rights to the bugs exploited at the contest, then hands them over to the vendors. ZDI gives developers six months to patch any bug it buys before it publicly releases information.

Both Google and Mozilla have recently patched their browsers -- Google did again earlier today -- and Apple is expected to update Safari before Pwn2Own begins.

Microsoft's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed.
