Microsoft’s first foray into patching Internet Explorer in 2015 is still short one zero day fix.
Today’s Patch Tuesday security bulletins included a monster IE rollup taking care of 41 vulnerabilities in the browser, and another bulletin patching a Windows zero day publicly disclosed by Google’s Project Zero research team. Missing, however, is a patch for another publicly disclosed cross-site scripting vulnerability in the browser disclosed Jan. 31 by researcher David Leo of Deusen, a U.K. consultancy.
The XSS bug, tested on IE 11 in Windows 7, was disclosed along with proof-of-concept code and reported to Microsoft in October, shortly after the third of three bugs reported by Google that were ultimately released by Project Zero. The XSS bug uses an iFrame to bypass the same origin policy as well as standard HTTP-to-HTTPS restrictions.
Internet Explorer was not patched in January’s security bulletins, but Microsoft sure made up for it this time around. Most of the vulnerabilities in the critically rated bulletin (one of three critical bulletins released today) are memory corruption issues leading to remote code execution and go back all the way to IE 6.
There are 35 memory corruption vulnerabilities addressed in the IE bulletin, MS15-009, along with three ASLR bypasses, two privilege-escalation vulnerabilities, and an information disclosure issue.
Microsoft also announced that it had released an update that prevents insecure fallback to SSL 3.0 in IE 11 for Protected Mode sites; the issue was at the heart of the POODLE attacks. Microsoft said it will disable SSL 3.0 by default in IE 11 in April.
Also a priority is MS15-010, which patches six vulnerabilities, including the one publicly disclosed by Google in the Windows Kernel-Mode Driver. Microsoft said attackers could use a specially crafted document or build a malicious website containing embedded TrueType fonts that would remotely exploit another bug in this bulletin.
The update is rated critical for Windows 7 and above, Microsoft said, and it corrects how the kernel-mode driver validates a number of processes that could allow for remote code execution, denial of service, privilege escalation and security feature bypasses.
The Google Project Zero vulnerability is addressed in this bulletin. The bug is in cng.sys, the Cryptography Next Generation kernel-mode driver. The driver fails to validate and enforce impersonation levels, allowing an attacker to elevate privileges.
The final critical bulletin, MS15-011, patches a Windows vulnerability in Group Policy that could allow for remote code execution.
“An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft said in its advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
All versions of Windows going back to Windows Server 2003 are impacted, but Microsoft said it is not issuing an update for Server 2003.
“The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component,” Microsoft said in its advisory. “The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.”
The remaining six bulletins are all rated important by Microsoft:
- MS15-012 patches three vulnerabilities in Microsoft Office that could allow for remote code execution if a user opens a malicious Office file.
- MS15-013 addresses one publicly disclosed vulnerability in Microsoft Office that allows for a security feature bypass, which could be used with another vulnerability to remotely run code on an affected computer.
- MS15-014 patches one Windows vulnerability in Group Policy that allows for a security bypass via a man-in-the-middle attack.
- MS15-015 patches one Windows privilege escalation vulnerability, addressing a lack of impersonation-level security checks.
- MS15-016 patches one vulnerability in Microsoft Graphics Component that could lead to information disclosure if a user browses to a website hosting a malicious TIFF image.
- MS15-017 addresses a privilege elevation vulnerability in Virtual Machine Manager; an attacker would need valid Active Directory credentials to exploit this vulnerability.
Microsoft also released a new security advisory, an update for Windows Command Line Auditing. Microsoft said the update expands the Audit Process Creation policy to include command information passed to every process.
“This is a new feature that provides valuable information to help administrators investigate, monitor, and troubleshoot security-related issues on their networks,” Microsoft said in its advisory.
Microsoft also re-released MS14-083, a bulletin from last December patching two remote code execution vulnerabilities in Microsoft Excel. The revision includes an additional update package for Microsoft Excel Viewer, and also addresses a vulnerability patched in MS15-012.