Microsoft took advantage today of its lightest batch of Patch Tuesday security updates this year to release an update to its certificate handling infrastructure. Meanwhile, administrators looking for a patch for a recently disclosed vulnerability by Google engineer Tavis Ormandy will have to wait at least another month for an update.
Building on features native to Windows 8 that automatically move untrusted or compromised certificates to the Windows Certificate Trust List, Microsoft announced enhancements that give enterprises additional options when managing PKI installations. Specifically, the update allows for computers on the same Active Directory domain to auto-update certificate lists without having to access Windows Update; they can also be configured to opt-in to auto-update for trusted and disallowed certificates. Finally, admins will be able to choose a subset of roots for distribution via Group Policy.
Auto-update was introduced a year ago, according to Dustin Childs, group manager, Trustworthy Computing; it is available starting with Windows Vista through Windows 8, Windows Server 2012 and Windows RT.
“Over the coming months, we’ll be rolling out additional updates to this advisory - all aimed at bolstering Windows’ cryptography and certificate-handling infrastructure,” Childs said. “Our efforts here aren’t in response to any specific incident; it’s the continuing evolution of how we handle digital certificates to ensure the safest possible computing environment for our customers.”
Microsoft issued five bulletins today, including another cumulative update for Internet Explorer that patches 19 vulnerabilities, all critical remote-code execution flaws. Another remote execution bug in Office was released, but it was not rated critical despite Microsoft being aware of limited targeted attacks exploiting the vulnerability.
Adobe also released an update to Adobe Flash Player patching a remote-code execution vulnerability.
The Ormandy issue, meanwhile, dates back to May 17 when he posted a note to the Full Disclosure mailing list that he had found an elevation of privilege vulnerability locally in the Windows kernel and was soliciting help in developing an exploit, which he said he had three days later. This isn’t the first time Ormandy has disclosed a Windows vulnerability without giving Microsoft much notice to address the issue. Ormandy wrote on his personal blog that Microsoft is hostile toward researchers and urged anyone submitting bugs to Microsoft do so under a pseudonym to protect themselves.
The IE update is the lone critical bulletin for June. MS13-047 affects IE 6-10 and in 18 of the 19 vulnerabilities, remote code execution is possible because of the way IE handles objects in memory. The remaining flaw, a Script Debug vulnerability, happens because IE improperly processes script while debugging a webpage leading to memory corruption that could allow an attacker to run code remotely once a user visits a site hosting an exploit.
“Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage.” said Wolfgang Kandek, CTO at Qualys. “Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.”
The Office vulnerability, MS13-051, also enables remote code execution but it was not rated critical because it affects only Office 2003 Service Pack 3 and Microsoft Office for Mac 2011. Users would have to open a malicious Office document or view a malicious email in Outlook in order for the flaw to be exploited, Microsoft said. Attackers taking advantage of the buffer overflow vulnerability would be able to install malware, change or delete data, and add accounts with full privileges.
“This issue is seeing limited, targeted exploitation in the wild and the only reason Microsoft hasn’t tagged it as a Critical issue is based on the limited number of affected platforms,” said Rapid7 senior manager of security engineering Ross Barrett. “Exploitation of this issue requires the user to interact with a malicious document.”
The remainder of the bulletins were rated important and include a pair kernel vulnerabilities.
- MS13-048 is an information-disclosure vulnerability in Windows kernel and requires local access to a computer and execution of a malicious application. An attacker would need valid credentials to exploit this flaw, Microsoft said.
- MS13-049 is a denial of service vulnerability in Windows Kernel-Mode Driver. An attacker would have to send specially crafted packets to a server to cause it to crash. Microsoft said standard default firewall configurations should help mitigate potential attacks.
- MS13-050 is a privilege escalation bug in Windows Print Spooler components. An attacker would need valid credentials and be logged on to exploit this bug.
Adobe Patches Flash Player Vulnerability
Adobe, which has been coordinating patch releases with Microsoft for several months, released a security update for Adobe Flash Player. Adobe said there are no public exploits available for the vulnerability, which could allow an attacker to crash Flash Player and remotely control the underlying system. Users are urged to upgrade to version 11.7.700.224 for Windows, which was given the highest criticality rating by Adobe. The vulnerability on Mac, Linux and Android versions was rated as a less severe threats.
Affected versions for Windows are 11.7.700.202 and earlier; 11.7.700.203 for Mac; 220.127.116.115 and earlier for Linux; and 18.104.22.168 and 22.214.171.124 and earlier for Android. Adobe AIR is also impacted by the vulnerability; versions 126.96.36.1990 are affected.