It’s Microsoft Patch Tuesday, and while there were two critical security updates released today, the concern among IT managers is likely over the patch that isn’t there. Microsoft’s monthly security bulletins do not address a zero-day vulnerability in Internet Explorer that has been actively exploited in a series of watering hole attacks reported around Christmas that have been ongoing for a month.
Microsoft downplayed the impact of the attacks because only IE 6, 7 and 8 are vulnerable and the current exploits target only IE 8. Yet according to several sources, IE 8 remains the most popular version of the browser among the installed base. Netmarketshare.com, for example, has IE 8 atop the browser market share standings at 23.29 percent, followed by IE 9 (21.35 percent), Chrome 23.0 (15.42 percent) and Firefox 17 (10.74 percent). IE 6 and 7 account for 6.5 percent and 2.11 percent respectively of the browser market share.
Microsoft did release a Fix It for the buffer overflow vulnerability, but researchers at Exodus Intelligence this week reported they’d developed a bypass for the Fix It, putting a dent in the lone, current mitigation for the vulnerability. An out-of-band patch is likely.
“We’ve reviewed the information and are working on an update, which we will make available to all customers on IE6-8 as soon as it is ready for distribution,” said Dustin Childs, group manager, Microsoft Trustworthy Computing. “In the meantime, the current Fix it, mitigations and workarounds available in Security Advisory 2794220 fully protect against all known active attacks. We also continue to encourage customers to upgrade their browsers to IE9-10, which are not affected by this issue.”
Qualys CTO Wolfgang Kandek said in a blogpost today: “IT admins should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. And admins should apply the Fix-It even though it can be bypassed because it addresses the currently known attacks.”
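Both the market-share figures above and Kandek's advice come down to one question for an administrator: which hosts in the estate still run IE 6, 7 or 8? The script below is an added example, not code from the article, from Microsoft or from Qualys. It reads the version values Internet Explorer writes under `HKLM:\SOFTWARE\Microsoft\Internet Explorer` and reports whether the installed major version falls in the affected range named in the article; the function names are my own.

```powershell
# Added example: inventory the installed Internet Explorer version on a Windows
# host and flag the versions the article names as affected by the unpatched
# zero-day (IE 6, 7 and 8). Registry path and value names are the standard ones
# Internet Explorer maintains; function names are hypothetical.

function Get-IEMajorVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # IE 10 and later record their real version in svcVersion; older builds
    # only populate Version, so fall back to that.
    $raw = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    return [int]($raw.Split('.')[0])
}

function Test-IEAffectedByAdvisory2794220 {
    param([Parameter(Mandatory)][int]$MajorVersion)
    # Per the article: IE 6-8 affected, IE 9 and 10 not affected.
    return ($MajorVersion -ge 6 -and $MajorVersion -le 8)
}

$major = Get-IEMajorVersion
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    IEMajorVersion      = $major
    AffectedByIEZeroDay = Test-IEAffectedByAdvisory2794220 -MajorVersion $major
}
```

Run locally it prints one row for the host; wrapped in `Invoke-Command -ComputerName` against a list of machines it produces a table you can sort by `AffectedByIEZeroDay` to prioritise where the Fix It (and later the out-of-band update) must land first.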
In the meantime, critical updates were released today that patch vulnerabilities in Microsoft XML Core Services and Windows Print Spooler Components.
MS13-002 addresses two XML Core Services flaws that an attacker could exploit to remotely execute code. A victim would have to be using IE and lured to a malicious website via a spam or phishing email or malicious IM message. The patch addresses the vulnerabilities by modifying the way that Microsoft XML Core Services parses XML content, the advisory said.
“It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It is affecting every Windows version from XP to RT, plus all Office versions and a number of other packages, such as SharePoint and Groove,” Kandek said. “The most likely attack vector is a malicious webpage. But an email with Office document attachment can also be a viable alternative for attackers. Patch this one as quickly as possible.”
The second critical bulletin, MS13-001, warns of a vulnerability in Windows Print Spooler Components where a malicious print job sent to the print server could allow a remote attacker to execute code in all versions of Windows 7 and Windows Server 2008 R2.
“Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter,” the advisory said. “Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.”
None of the five remaining bulletins released today enables remote code execution, so Microsoft rated all of them important rather than critical.
- MS13-003 patches two flaws in Microsoft System Center Operations Manager 2007 that could be exploited to elevate privileges, provided a victim follows a malicious URL to a hacker’s website. The update modifies the way the software accepts input, Microsoft said.
- MS13-004 addresses four vulnerabilities in the .NET framework. The most serious is a privilege escalation bug that could be exploited if a victim visits a malicious website using a browser capable of running XAML Browser Applications. Microsoft said the vulnerabilities can also be used by .NET apps to bypass Code Access Security restrictions. The updates patch how .NET initializes memory arrays, copies objects in memory, validates the size of an array prior to copying objects in memory, and validates the permissions of objects.
- MS13-005 tackles a vulnerability in the Windows kernel-mode driver that could allow for privilege escalation. An attacker would have to run a malicious application to exploit the flaw. The update, Microsoft said, addresses how the driver handles window broadcast messages.
- MS13-006 patches a vulnerability in SSL and TLS in Windows. A successful exploit could bypass security features in Windows if an attacker sits in the network path between client and server during the encrypted Web session handshake. Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012 and Windows RT are affected. The patch modifies the way Windows’ SSL provider component handles encrypted network packets.
- MS13-007 fixes a denial-of-service vulnerability in the Open Data (OData) protocol. An attacker could send a malicious HTTP request to an affected site. The patch turns off the WCF Replace function by default, Microsoft said.