VERT Alert - January 11, 2011

- Jan 11, 2011 -

January 11, 2011 4:05 PST

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 2 new Microsoft Security Bulletins. VERT is actively working on coverage for this bulletin in order to meet our 24-hour SLA and expects to ship ASPL-384 on Wednesday, January 12th.

Backup Manager Insecure Library Loading Vulnerability CVE-2010-3145
DSN Overflow Vulnerability CVE-2011-0026
ADO Record Memory Vulnerability CVE-2011-0027


The single vulnerability described by this bulletin is another DLL Preloading issue, similar to the group that we saw patched in December. This one affects the Microsoft Windows Backup Manager found in Windows Vista. As with previous vulnerabilities, successful exploitation of this issue requires the attacker to entice the user to open a file from a WebDAV or SMB share.


There are two vulnerabilities patched by MS11-002. One of these vulnerabilities exists within the API and has no known attack surface via Microsoft applications. The other vulnerability could allow for code execution when the user visits a specially crafted web page.

Other Information

Microsoft has published a number of security advisories recently involving 0-day vulnerabilities. Microsoft Security Research & Defense has provided an excellent resource tracking these public issues1.

Microsoft Security Advisory 248013

This advisory describes a vulnerability affecting Internet Explorer and the CSS import function. Microsoft has stated that there are public reports of limited attacks and an exploit for this vulnerability (CVE-2010-3971) exists in popular exploit frameworks. A new Microsoft SRD Blog post details a workaround and provides a Microsoft FixIt that will apply this workaround2.

Microsoft Security Advisory 2490606

CVE-2010-3970 is a vulnerability affecting the Windows Graphics Rendering Engine. This vulnerability is also included in popular exploit frameworks and can be exploited by browsing to a share with malicious thumbnail or opening an Office document containing the file. Microsoft has provided a FixIt for this issue3 however it will cause media files handled by the Graphics Rendering Engine to not be displayed properly.

Additional Issues

Microsoft has additionally documented a public Denial of Service affecting IIS 7.0 and 7.5 FTP, as well as a vulnerability affecting the WMI Administrative Tools ActiveX control.

Microsoft FixIt

Microsoft releases their FixIt file in the msi format, which means that these files can be published to multiple systems without the need for application on a per -system basis.

In addition to coverage for the two Microsoft Bulletins, VERT will be shipping detection of the IE and WMI Administrative Tools ActiveX control 0-day vulnerabilities. Customers wishing to identify the Windows Graphics Rendering Engine and FTP vulnerabilities can use the Focus queries below.
As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Extremely Difficult
No Known Exploit
  Exposure Local Availability Local Access Remote Availability Remote Access Local Privileged Remote Privileged

All data and commentary is based on information available when the VERT Alert is published.

About Tripwire, Inc.
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their IT infrastructure. Thousands of customers rely on Tripwire's integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire VIA, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively achieve continuous compliance, mitigate risk, and ensure operational control through Visibility, Intelligence and Automation. Learn more at and @TripwireInc on Twitter.