Microsoft Releases Two Critical Patches; Promises Update for IE Watering Hole Zero Day

It’s Microsoft Patch Tuesday, and while there were two critical security updates released today, the concern among IT managers is likely over the patch that isn’t there. Microsoft’s monthly security bulletins do not address a zero-day vulnerability in Internet Explorer that has been actively exploited in a series of watering hole attacks reported around Christmas that have been ongoing for a month.

Microsoft patchIt’s Microsoft Patch Tuesday, and while there were two critical security updates released today, the concern among IT managers is likely over the patch that isn’t there. Microsoft’s monthly security bulletins do not address a zero-day vulnerability in Internet Explorer that has been actively exploited in a series of watering hole attacks reported around Christmas that have been ongoing for a month.

Microsoft downplayed the impact of the attacks because only IE 6, 7 and 8 are vulnerable and the current exploits target only IE 8. Yet according to several sources, IE 8 remains the most popular version of the browser among the installed base. Netmarketshare.com, for example, has IE 8 atop the browser market share standings at 23.29 percent, followed by IE 9 (21.35 percent), Chrome 23.0 (15.42 percent) and Firefox 17 (10.74 percent). IE 6 and 7 account for 6.5 percent and 2.11 percent respectively of the browser market share.

Microsoft did release a Fix It for the buffer overflow vulnerability, but researchers at Exodus Intelligence this week reported they’d developed a bypass for the Fix It, putting a dent in the lone, current mitigation for the vulnerability. An out-of-band patch is likely.

“We’ve reviewed the information and are working on an update, which we will make available to all customers on IE6-8 as soon as it is ready for distribution,” said Dustin Childs, group manager, Microsoft Trustworthy Computing. “In the meantime, the current Fix it, mitigations and workarounds available in Security Advisory 2794220 fully protect against all known active attacks. We also continue to encourage customers to upgrade their browsers to IE9-10, which are not affected by this issue.”

Qualys CTO Wolfgang Kandek said in a blogpost today: “IT admins should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. And admins should apply the Fix-It even though it can be bypassed because it addresses the currently known attacks.”

In the meantime, critical updates were released today that patch vulnerabilities in Microsoft XML Core Services and Windows Print Spooler Components.

MS13-002 addresses two XML Core Services flaws that an attacker could exploit to remotely execute code. A victim would have to be using IE and lured to a malicious website via a spam or phishing email or malicious IM message. The patch  addresses the vulnerabilities by modifying the way that Microsoft XML Core Services parses XML content, the advisory said.

“It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It is affecting every Windows version from XP to RT, plus all Office versions and a number of other packages, such a Sharepoint and Groove,” Kandek said. “The most likely attack vector is a malicious webpage. But an email with Office document attachment can also be a viable alternative for attackers. Patch this one as quickly as possible.”

The second critical bulletin, MS13-001, warns of a vulnerability in Windows Print Spooler Components where a malicious print job sent to the print server could allow a remote attacker to execute code in all versions of Windows 7 and Windows Server 2008 R2.

“Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter,” the advisory said. “Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.”

None of the five remaining bulletins released today enable remote code execution, therefore all are rated important by Microsoft.

Suggested articles