Microsoft today released its monthly Patch Tuesday Security Bulletins, and the top priority is another cumulative update for Internet Explorer; this one patches 26 vulnerabilities, including one that’s been publicly reported, Microsoft said, and is likely being exploited. All of them are rated critical by Microsoft and allow for remote code execution should a user land on a malicious webpage using IE.
“If you feel like you are constantly patching IE – you are,” said Russ Ernst of Lumension. “A cumulative update for the browser is now the rule more so than the exception.”
Ernst’s sentiments are no doubt being echoed in enterprise IT shops worldwide. Admins have to contend with a number of upcoming changes related to IE as well. Microsoft last week put the word out that users had 18 months to migrate to the latest version of Internet Explorer for their respective versions of Windows before support would end. That would mean no more security updates for IE 6-8, older versions of the browser that lack built-in memory protections, which makes them so attractive to hackers and exploits.
The company followed that up last week with news that it would begin blocking older ActiveX controls in IE, starting with outdated versions of Java. That begins today, Microsoft said.
The point is that Microsoft is tired of IE being a punching bag, and it’s going to force users’ hands to upgrade to more secure versions of the browser and lessen the impact of targeted attacks and potential problems with zero-days such as the one reported by HP’s Zero Day Initiative in May.
“Outdated browsers represent a major challenge in keeping the Web ecosystem safer and more secure, as modern Web browsers have better security protection. Internet Explorer 11 includes features like Enhanced Protected Mode to help keep customers safer,” said Roger Capriotti, director Internet Explorer, in a blog post last week.
Today’s IE update, MS14-051, includes a slew of memory corruption bugs, most of them use-after-free vulnerabilities, a class that is quickly catching up to buffer overflows as a favorite exploit for attackers.
“Recent advances in the state of the art for DOM fuzzing have made it easier to find [use-after-free] bugs in web browsers as researchers have found it harder and harder to find and exploit more traditional buffer overflows,” said Craig Young, security researcher at Tripwire.
Young said hackers can combine a use-after-free vulnerability with a number of other techniques to bypass memory protections built into the browser.
“JavaScript engines running in all browsers make it much easier for attackers to control memory allocators and therefore gain reliable code execution,” Young said. “Combining this vulnerability with JavaScript based ‘heap-spraying’ attacks and DEP-bypass techniques provides attackers with an easy way to execute arbitrary code.”
Microsoft also advises that users pay attention to out-of-band updates released today by Adobe that patch vulnerabilities in Flash Player, as well as a zero-day being exploited in targeted attacks against Adobe Reader and Acrobat.
The remaining critical bulletin released today by Microsoft addresses a remote code execution vulnerability in Windows Media Center. Exploiting MS14-043 would require a user to open a malicious Microsoft Office file that invokes a resource in the Media Center. This bulletin affects only Windows 7, 8 and 8.1 versions of Windows Media Center, as well as users of Windows Media Center TV Pack for Vista.
The final remote code execution vulnerability patched today, MS14-048, is in Microsoft OneNote 2007 digital note-taking software. It’s rated important because it requires user interaction to trigger an exploit.
The remaining bulletins are all rated important by Microsoft and include four privilege elevation vulnerabilities, and a pair of security feature bypass bugs.
- MS14-044 patches two vulnerabilities in Microsoft SQL Server Master Data Services and SQL Server relational database management system. Users would have to be lured to a website that injects client-side script into IE that would exploit the bug.
- MS14-045 fixes three vulnerabilities in Windows kernel-mode drivers where an attacker who is logged in to a computer and runs malicious code could elevate privileges.
- MS14-049 patches a vulnerability in Windows Installer Service that could be exploited if an attacker has valid credentials and runs a malicious application that tries to repair a previously installed app.
- MS14-050 is the final privilege escalation bug, and it’s found in SharePoint Server. An authenticated attacker would need a malicious app running JavaScript in the user’s context on a vulnerable SharePoint site to exploit the issue.
- MS14-046 and MS14-047 are security feature bypass vulnerabilities in .NET Framework and LRPC. Both bugs require certain circumstances be in place, but could lead to a bypass of Address Space Layout Randomization (ASLR) and remote code execution.