Microsoft Patches Department of Labor, Pwn2Own IE Vulnerabilities

Microsoft’s May 2013 Patch Tuesday security updates include patches for the IE 8 zero day at the heart of the Department of Labor watering hole attacks.

Microsoft wasted no time today delivering a patch for the Internet Explorer 8 vulnerability being exploited in watering hole attacks carried out against the U.S. Department of Labor website and nine others worldwide. Today’s Patch Tuesday security updates also include a fix for IE vulnerabilities exploited during the Pwn2Own Contest earlier this year.

Details on the DoL attack quickly emerged following the initial reports on May 1 that the agency’s Site Matrices Exposures site has been compromised and likely targeting DoE researchers working on nuclear weapons programs. This week it was revealed that a site in Cambodia was also serving malware exploiting IE 8 vulnerabilities targeting workers for the United States Agency for International Development (USAID).

Microsoft urges consumers and business users still on IE 8 to patch the browser immediately, or upgrade to newer versions. In the meantime, some experts are calling on Microsoft to consider revamping its browser update method to perhaps model that used by Mozilla and Google.

“On one level, this is Microsoft at their security best. They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches,” said Rapid7 senior manager of security engineering Ross Barrett. “On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft’s patching and support models.”

Microsoft has updated IE in every Patch Tuesday update this year, including an out-of-band patch in January that resolved a vulnerability used in another watering hole attack.

“Compare this to Google’s Chrome browser, which quietly patches itself as fixes become available and has no down-level supported ‘old version,’ which exposes millions of their users to risk. Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk adverse IT departments but now defaults it’s users to the same model as Chrome,” Barrett said. “Microsoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.”

Microsoft resolves the IE 8 bug in MS13-038, one of 10 bulletins released today. The critical update supplants a temporary Fix-It mitigation Microsoft released last week, a MSHTML Shim Workaround for CVE-2013-1347. The vulnerability is present in IE 8 only and is a use-after-free memory corruption flaw that enables remote code execution, and while IE 8 is an old version of the browser, it still has the highest market share with 23 percent, according to Net Market Share.

MS 13-037, meanwhile, also has expert concerned now that details are public. It is a cumulative update for IE that addresses the Pwn2Own vulnerabilities exploited by security company VUPEN.

VUPEN CEO Chaouki Bekrar told Threatpost his researchers used four zero-day exploits against Microsoft products during Pwn2Own, including an memory corruption, sandbox and ASLR-bypass bugs affecting IE 6-10.

“The exploit is rated a ‘1’ on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website,” said Wolfgang Kandek, Qualys CTO. “Patch this vulnerability as soon as possible.”

MS13-039, meanwhile, is rated important, but could lead to a denial-of-service condition on boxes running Windows’ IIS webserver software. The vulnerability could be disruptive to organizations running remote services or Active Directory integrations on http.sys.

“The good news is that only Windows 2012 web servers are affected. All IT security teams should be jump on this quickly as an exploit is likely to be developed very quickly.  A successful exploit could cause a DoS on affected servers creating temporary outages,” said Andrew Storms, director of security operations for nCircle, a Tripwire company. “The bad news is that a successful exploit of this bug could have serious implications for public web servers without some kind of inline IPS in front of them. Essentially, any user could launch a simple attack and the server will essentially be offline. It’s also worthwhile to note that many Microsoft servers have IIS turned on — including Exchange and SharePoint– so a successful exploit could potentially impact critical company infrastructure.”

The remainder of the bulletins were rated important by Microsoft and include a number of remote code execution, information leakage and privilege escalation bugs.

  • MS13-40: patches a spoofing vulnerability the .NET framework that could allow an attacker to modify the contents of an XML file
  • MS13-41: fixes a flaw on Microsoft Lync that could enable remote code execution if an attacker tricks a user into viewing malicious content.
  • MS13-42: takes care of vulnerabilities in Microsoft Publisher that could allow an attacker to remotely execute code if a user opens a malicious Publisher file
  • MS13-43: patches a Word flaw that could give an attacker the same privileges as the user on a compromised machine.
  • MS13-44: is a Visio vulnerability that could lead to information disclosure if a user opens an infected Visio file.
  • MS13-45: repairs a Windows Essentials vulnerability that could lead to information disclosure if a user opens Windows Writer using a malicious URL.
  • MS13-46: is a privilege escalation vulnerability in Kernel-Mode Drivers that happens if an attacker logs onto a system with valid credentials and runs a malicious application.

Suggested articles