Appropriately enough for the start of the baseball season, Microsoft is going to go 4-for-4 and release another set of critical Internet Explorer patches on Tuesday, the fourth consecutive month in which serious vulnerabilities in the browser are being addressed in Microsoft’s Patch Tuesday monthly security updates.
The browser patches are expected to address vulnerabilities first brought to light and exploited last month during the Pwn2Own contest at the CanSecWest Conference. All three major browsers—IE, Mozilla Firefox and Google Chrome—were taken down with zero-day exploits during the contest. Mozilla and Google issued patches for their vulnerabilities within 24 hours. IE users have been exposed since the March 7 contest; however, details of the IE bugs have not been publicly disclosed.
“Even with their new, more aggressive IE patch cadence they’re still behind other browsers that don’t stick to a monthly patch schedule,” said Andrew Storms, director of security operations at security company nCircle. “This probably isn’t a huge problem for enterprise security teams because the bug hasn’t been publicly released.”
IE has been a vehicle for many noteworthy attacks this year, including a series of watering hole attacks against human rights and political organizations that exploited zero-day vulnerabilities in IE. Those vulnerabilities were patched in an out-of-band security update.
Next week’s patches address remote code execution vulnerabilities rated critical in IE 10 on Windows 8 systems, IE 8 and 9 on Windows 7, IE 7 and 8 for Vista and IE 6, 7 and 8 on Windows XP.
The out-of-band patch fixed memory corruption vulnerabilities in the browser that were exploited in watering hole attacks against the Council on Foreign Relations website, as well as a number of manufacturing and human rights sites. The emergency repair became necessary when attackers were able to bypass a Fix It mitigation provided by Microsoft.
Shortly thereafter, in February's security update release, additional IE vulnerabilities in versions 6 through 10 were patched, including one being exploited in the wild.
Last month, Microsoft released a cumulative update for the browser, which came a few days after IE 10 running on a Windows 8 machine was compromised at Pwn2Own. The IE patches repaired nine use-after-free vulnerabilities, one of which was being exploited in targeted attacks.
The IE update is one of two critical bulletins expected next week. The second addresses remote code execution vulnerabilities in Windows.
Seven other bulletins are expected next week, all of them rated important, including an information disclosure flaw in Microsoft Office and Microsoft SharePoint Server 2013, the company said.
The remaining important bulletins are privilege escalation vulnerabilities in Windows, Microsoft Office Web Apps 2010 Service Pack 1, Microsoft SharePoint Server 2010 Service Pack 1, Microsoft Groove Server 2010 Service Pack 1 and Windows Defender for Windows 8 and Windows RT.
“The number of bulletins isn’t the only factor IT security teams consider when they review a patch so, even though the overall patch count is a little higher than average this month and only two of the bulletins merit a critical rating, it’s too early to assume it’s going to be an easy month,” Storms said.