One week after releasing an out-of-band patch for an Internet Explorer zero-day, Microsoft has given a heads-up that next week’s Patch Tuesday security updates will include another critical patch for the browser.
The IE roll-up is one of two critical bulletins expected next week; interestingly, it extends back to Windows Server 2003 Service Pack 2 and IE 6, which also ran on Windows XP. Last week’s out-of-band patch, MS14-021, was also made available for XP systems despite Microsoft ending support for the OS on April 8. Microsoft said next week’s patch will not be for XP machines.
“Our existing policy remains in place, and as such, Microsoft no longer supports Windows XP. We continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1,” a Microsoft spokesman said.
Qualys CTO Wolfgang Kandek said the IE fix should also patch vulnerabilities disclosed during this year’s Pwn2Own competition at CanSecWest. “This update should be high on your list,” he said.
Pwn2Own, held in March, produced three new IE vulnerabilities, two of them sandbox bypasses developed by vulnerability vendor VUPEN of France. Researchers Sebastian Apelt and Andreas Schmidt, meanwhile, chained two use-after-free vulnerabilities in the browser and a kernel bug to hack the underlying system.
Last week’s XP patch was a surprise, but was likely prompted by an uptick in attacks specifically targeting XP users. The zero-day exploit initially targeted users of IE 9 through IE 11 and was used alongside an Adobe Flash exploit to compromise computers. Researchers at FireEye then reported additional attacks against IE 8 running on XP systems.
Kaspersky Lab principal researcher Kurt Baumgartner said the exploits in the wild were dropping versions of the Pirpi remote access Trojan in order to steal data from hacked computers.
The second critical bulletin affects SharePoint Server 2007 SP 3, SharePoint Server 2010 and 2013 as well as Office Web Apps 2010 and 2013.
The remaining six bulletins are rated Important by Microsoft and affect a number of products from Office, to Windows, to .NET.
The most serious could be a remote code execution bug in Office 2007, 2010 and 2013. Microsoft is also patching a security feature bypass in Office.
“It is rated important and provides RCE to the attacker, indicating that the attacker vector is a malicious document that the target has to open in order to trigger the attack,” Kandek said. “Attackers would use a document like that in a social engineering attack, which aims at convincing the user to open the document, for example by making it appear as coming from the user’s HR department or promising information about a subject of interest to the user.”
The four bulletins addressing Windows and .NET patch elevation of privilege and denial of service vulnerabilities all the way back to Windows Server 2003.
Adobe to Patch Reader and Acrobat
Adobe, meanwhile, also plans to release a patch for a vulnerability in the Windows and Mac OS X versions of Adobe Reader and Acrobat. Adobe said it is not aware of active exploits against the vulnerability, which is in versions 10.1.9 and 11.0.06 and earlier of both products.
Adobe has given the vulnerability its highest criticality rating, indicating that it is remotely exploitable.