For the second month in a row, Microsoft has released a cumulative update for Internet Explorer, patching a number of critical remote code execution vulnerabilities in the browser, including one previously disclosed. It also patched a serious kernel mode driver vulnerability that could enable attackers to gain root access to a machine using a malicious USB drive, a la Stuxnet.
Microsoft’s Patch Tuesday security updates include four critical bulletins among the seven released today. Microsoft also released its policy on providing patches for Windows Store applications, saying that it will deliver patches for Windows Store apps as they become available.
“Providing security updates to Windows Store apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process,” Microsoft Security Response Center senior director Mike Reavey wrote in a blogpost today.
As for IE, the security of the browser has been headline news for much of the year, starting with watering hole attacks against a number of political and government sites right through last week’s Pwn2Own contest at the CanSecWest Conference in Vancouver. Researchers at security company VUPEN compromised IE 10 running on a Windows 8 machine to earn $100,000 in prize money. While similar vulnerabilities were exploited in Firefox and Chrome during Pwn2Own, Mozilla and Google were able to deliver patches within days of the contest, unlike Microsoft.
Today’s IE patches, MS13-021, address nine use-after-free vulnerabilities, one of which (CVE-2013-1288) had been publicly disclosed before the patch; to be attacked, users have to be lured via IE to a site controlled by the attacker that is hosting an exploit. The exploit was built from a Metasploit module written one month ago for MS13-009, which was patched in February, and still works against a fully patched version of IE 8.
“The attack vector is through a webpage that anybody with access to Metasploit can set up quite easily,” said Qualys CTO Wolfgang Kandek. “You are going to want to patch this as quickly as possible.”
Microsoft also addressed a trio of Kernel-Mode Driver vulnerabilities in MS13-027 that could be exploited by an attacker using a malicious USB drive to gain root access on a machine. Known as the evil maid attack, these types of attacks can be pulled off by anyone with physical access to a machine. Attacks such as Stuxnet were also initiated via infected USB sticks.
“While this isn’t the first issue to leverage physical access and USB devices, it is different in that it doesn’t require a machine to be logged on. It also provides kernel-level code execution where previous attacks only allowed code execution at the logged-on level,” wrote Dustin Childs, group manager, Microsoft Trustworthy Computing.
“Because of this, someone with casual physical access, such as a custodian sweeping your office at night or a security guard making his rounds, could simply plug in a USB device to perform any action as an administrator,” Childs said. “This is much different than unrestricted physical access, where that same person would have to steal your machine, boot it using removable media, and decrypt files on the hard drive.”
Three other critical bulletins were released today. MS13-022 patches a remote code execution vulnerability in Microsoft Silverlight; users would have to visit a website hosting a malicious Silverlight application in order to be exploited. The vulnerability, known as a double dereference vulnerability, could allow Silverlight applications to access memory in an unsafe manner, Microsoft said.
Microsoft also patched another remote code execution flaw in Microsoft Visio Viewer 2010. MS13-023 describes how malicious Visio files could exploit a Visio Viewer Tree Object Type Confusion vulnerability, which lies in the way the viewer handles memory when rendering Visio files.
The final critical bulletin, MS13-024, is for SharePoint. The patch addresses four vulnerabilities, including a cross-site scripting bug, that could lead to privilege escalation if a user follows a URL to a malicious SharePoint site. Qualys’ Kandek said an attacker could spike a search query with malicious code to initiate an exploit. “Later when an admin reviews the queries, the code is run in the admin’s context giving full control to the attacker,” Kandek said.
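The stored cross-site scripting path Kandek describes, where text submitted by an anonymous user is later rendered in an administrator’s browser, is the classic case for output encoding. The following is an added illustration, not code from SharePoint or from this article: a hypothetical query-log report that renders logged search strings, shown first in the vulnerable concatenation style and then with HTML encoding applied. The sample queries are constructed for the demonstration.

```python
import html

# Constructed sample of logged search queries, as a query-review page might
# display them to an administrator. The second entry carries the kind of
# markup the bulletin's scenario relies on; it is a harmless placeholder payload.
SAMPLE_QUERIES = [
    "quarterly report",
    "<script>alert('stored xss')</script>",
    'budget "2013"',
]


def render_query_row_unsafe(query: str) -> str:
    """Vulnerable pattern: untrusted query text is concatenated into markup
    verbatim, so any tags it contains become live in the reviewer's browser."""
    return f"<tr><td>{query}</td></tr>"


def render_query_row(query: str) -> str:
    """Hardened pattern: HTML-encode untrusted text before it reaches the page.
    quote=True also encodes quotes, which matters if the value ever lands
    inside an attribute rather than element text."""
    return f"<tr><td>{html.escape(query, quote=True)}</td></tr>"


def render_admin_report(queries) -> str:
    """Build the whole review table using the hardened row renderer."""
    rows = "".join(render_query_row(q) for q in queries)
    return f"<table>{rows}</table>"


def contains_active_markup(rendered: str) -> bool:
    """Check used below: does the rendered output still contain a raw tag
    that the browser would interpret? (Case-insensitive, like a browser.)"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_query_row_unsafe(SAMPLE_QUERIES[1]))
    print("encoded:", render_query_row(SAMPLE_QUERIES[1]))
    print("report is clean:", not contains_active_markup(render_admin_report(SAMPLE_QUERIES)))
```

The encoded output still shows the administrator exactly what was searched for, which is the point of a query review, but the browser treats it as text rather than as a script to run in the admin’s session. Encoding at the point of output, rather than trying to filter on input, is what closes this class of bug.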
The remaining two bulletins were rated important and both address information disclosure vulnerabilities, in Microsoft OneNote (MS13-025) and Office Outlook for Mac (MS13-026).
This article was updated to clarify that one of the IE vulnerabilities was previously disclosed, and is not being exploited in the wild.