A critical Windows kernel vulnerability, publicly disclosed in May by a Google security engineer, will be patched tomorrow when Microsoft releases its July Patch Tuesday security updates.
Tavis Ormandy, who has controversially disclosed Windows vulnerability details in the past, made a posting to the Full Disclosure mailing list on May 17 looking for help in developing an exploit for a privilege escalation bug he’d found in the kernel. Ormandy later reported he had a working exploit within a week. He also slammed Microsoft on his personal blog, calling the company hostile toward security researchers; Microsoft said at the time it could not turn around a patch quick enough for the June Patch Tuesday release. In the meantime, Metasploit module was released for the vulnerability, explained in CVE-2013-3660 as a memory issue in win32k.sys, or ring0, which could enable an attacker elevated privileges.
The Ormandy bug is among seven security bulletins being released tomorrow. Six are critical, remote-code execution vulnerabilities in dating back to Windows XP on numerous Microsoft products, including Internet Explorer, Office, Visual Studio, Lync, Silverlight and the .NET framework. One privilege escalation bug, rated important by Microsoft, is being resolved in Microsoft Windows Defender.
The IE bulletin patches vulnerabilities in versions 6-10 and continues a rash of patches this year for the browser. In June, a cumulative update for IE patched 19 vulnerabilities, all of them critical remote-code execution bugs. Aside from the kernel issue, IT managers should look at the IE patches closely since the browser has been a launch pad for numerous attacks resulting in data loss.
“This will probably the most important bulletin to implement, together with [another] which addresses vulnerabilities capable of giving [remote code execution] to an attacker in Windows, Office and Lync,” said Qualys CTO Wolfgang Kandek.
The rancor over the Ormandy bug comes at an interesting time for Microsoft, which announced its bug bounty program two weeks ago. Security researchers can be paid up to $100,000 for serious Microsoft vulnerabilities and $50,000 for defensive techniques to ward off exploits.
The program officially began June 26 and rewards researchers for exploits that feature new tactics to bypass current security mitigations in Windows such as DEP, ASLR, and others. This is different than last year’s Blue Hat competition which concluded at the 2012 Black Hat Briefings. Blue Hat awarded a one-time prize of $200,000 for a defensive technique against ROP attacks. The new bounty is an ongoing program open to any number of researchers.