14 DAY TRIAL // Microsoft has released its monthly batch of patches yesterday, but left open a vulnerability in the MHTML protocol handler that has been publicly known for two months.
The vulnerability, which affects all supported version of Windows, is identified as CVE-2011-0096 and was disclosed in a Chinese-language hacking webzine in January.
If exploited, the vulnerability can result in the disclosure of sensitive information both server-side and locally. Several proof of concept attacks have been published.
Microsoft didn't address the vulnerability during the February Patch Tuesday, but it has a released a Fix it tool to mitigate the risks.
Many thought that yesterday's patches will cover it, but apparently the company decided to postpone fixing it yet again.
"Microsoft is actively monitoring the threat landscape in conjunction with our Microsoft Active Protections Program (MAPP) partners," said Angela Gunn, security response communications manager.
"We are currently working to provide a solution through our monthly security update release process and will continue to monitor the issue as we prepare that," she added.
Meanwhile, Microsoft patched two vulnerabilities in DirectShow and Windows Media Player (MS11-015), that are rated as important and critical, respectively.
In both cases the flaws can be exploited by tricking users to open malformed media files and can lead to remote code execution.
Another security bulletin (MS11-016) is for Microsoft Office and covers a DLL preloading issue in Microsoft Groove 2007 SP2.
A similar binary planting vulnerability was patched in the Microsoft Windows Remote Client Desktop (MS11-017) and is rated as important.
DLL preloading vulnerabilities result from the use of insecure search paths when the absolute location of library files are not specified.
This attack vector has been known for a while, but it was actively publicized last year. Hundreds of popular applications were found to be vulnerable.
"We continue to address DLL-preloading issues as they are discovered; however, it's important to note that we have not seen exploitation of these issues in the wild," Angela Gunn stressed.