The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday’s advance notification and added two more bulletins to the February 2014 Patch Tuesday security updates, including the first IE rollup of 2014.
IE had patched monthly for close to a year until the January security bulletins were released, and eyebrows were raised again last Thursday when there was no mention of an IE update.
Today, however, Microsoft reversed course with MS14-010, which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. No active exploits have been reported, Microsoft said.
All of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in MS14-011.
A IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.
“To go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,” said Tyler Reguly, manager of security research at Tripwire. “Either way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.”
Colleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.
“Without any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,” Young said.
As promised, Microsoft did patch a remote code execution vulnerability, MS14-008, in its Forefront Protection for Exchange 2010 security product. Microsoft said it removed the offending code from the software.
“I’m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. However when Microsoft, the people with the source code, tells us they can’t trigger the vulnerability in a meaningful way, I intend to believe them,” said Tripwire’s Reguly. “I suspect we’ll wake up tomorrow and beyond pressing apply, we’ll forget this was even released.”
Microsoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months
“This should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application,” said Russ Ernst of Lumension. “Administrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.”
The final critical bulletin, MS14-007, is another remote code execution bug in Direct2D, which can only be triggered viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. This vulnerability affects Windows 7 through Windows 8.1.
Microsoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.
- MS14-009 patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.
- MS14-005 handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.
- MS14-006 addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012, that has been publicly disclosed. An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.
Microsoft also sent out an update that officially deprecates the use of the MD5 hash algorithm. Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.
“Certificates with MD5 hashes should no longer be considered safe,” said Dustin Childs, group manager, Microsoft Trustworthy Computing. “We’ve given our customers six months to prepare their environments, and now this update is available through automatic updates.”