UPDATE – In an unexpected turn, Microsoft’s monthly Patch Tuesday security updates released today did not include patches for Internet Explorer vulnerabilities used during the Pwn2Own contest one month ago.
The popular hacking contest drew researchers who targeted all the major browsers as well as third-party software such as Flash and Java. Teams from VUPEN and MWR Labs beat locked-down versions of IE 10 running on Windows 8, Mozilla’s Firefox browser and Chrome running on Windows. Unlike Mozilla and Google, both of which patched the flaws exploited during the contest within 24 hours, Microsoft had yet to update its browser. The omission is all the more surprising given last Thursday’s advance notification, which indicated a cumulative IE update was coming today.
“This puts them quite a bit behind other browsers that already patched their Pwn2Own bugs,” said Andrew Storms, director of security operations at nCircle.
A Microsoft representative, along with Qualys CTO Wolfgang Kandek, said the delay is likely due to regression testing and QA work necessary for patches.
“Microsoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition’s findings,” said Dustin Childs, group manager, Microsoft Trustworthy Computing.
Today’s IE rollup addresses a pair of critical remote code execution flaws in versions 6 through 10 of the browser. Both are use-after-free vulnerabilities that exist in the way IE accesses objects in memory that have already been deleted. “These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of a user,” Microsoft said in its advisory MS13-028. Users would have to be lured to a website hosting an exploit via a phishing or spam email, Microsoft said.
“MS13-028 has a score of ‘2’ in the Exploitability Index, indicating that the construction of an exploit for the vulnerability is not entirely straightforward and not expected within the next 30 days,” Kandek said.
The IE update is one of nine bulletins released today addressing 14 vulnerabilities, a relatively light month compared to the 57 updates foisted upon users in February. One other bulletin was rated critical, another remote code execution vulnerability in Microsoft Remote Desktop Client. MS13-029 includes patches for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 Client on Windows XP, Vista and Windows 7, as well as Windows Server 2003, 2008 and 2008 R2.
“A remote-code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage,” Microsoft said in its alert. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”
Ross Barrett, senior manager of security engineering at Rapid7, said that while versions 6.1 and 7 are vulnerable, version 8 is unaffected and is not yet the default.
“This issue could be triggered through an RDP link in a browser or other content. A workaround would be to set the ‘kill-bit’ for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control,” Barrett said.
Storms said there are enough mitigating circumstances to make it less problematic for most businesses.
“The bug does not affect the latest RDP client, version 8, which dramatically reduces the affected number of machines,” Storms said. “Microsoft has released mitigation steps to disable the affected ActiveX control. Also, if your users browse with default IE settings, they will be presented with the ‘gold bar’ warning providing them with an opportunity to opt out of an attack.”
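The ‘kill-bit’ workaround Barrett and Storms describe is the ActiveX Compatibility registry flag that stops IE from instantiating a control. The script below is an added example, not code from the article, Microsoft or the quoted vendors: it audits and optionally sets that flag for a given CLSID. The CLSID it uses is a placeholder; the real CLSIDs for the mstscax.dll controls come from Microsoft’s bulletin.

```powershell
# Added example: audit/set the IE ActiveX kill-bit for a control CLSID.
# The kill-bit only stops IE loading the control; the MS13-029 update is the real fix.

$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

# On 64-bit Windows both keys matter: the native one and Wow6432Node (32-bit IE).
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatKeys) {
        $key   = Join-Path $root $Clsid
        $flags = 0
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $value) { $flags = [int]$value }
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatKeys) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = 0
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $value) { $current = [int]$value }
        # OR the flag in so any compatibility bits already present are preserved
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBitFlag)
    }
}

# PLACEHOLDER CLSID: replace with the control CLSIDs listed in MS13-029.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
Get-KillBitStatus -Clsid $Clsid | Format-Table -AutoSize
# Set-KillBit -Clsid $Clsid   # requires an elevated prompt; uncomment to apply
```

Running the audit function across a fleet shows which machines still rely on the ‘gold bar’ prompt rather than the kill-bit or the update itself.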
Of the remaining seven bulletins, rated critical by Microsoft, a denial-of-service bug in Active Directory has caught experts’ attention. MS13-032 could be triggered if an attacker sends a specially crafted query to the LDAP service; the query consumes CPU cycles and causes the service to crash. The vulnerability affects Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on Microsoft Windows servers.
“It should be high on the list for enterprise installations,” Kandek said. “An attacker can shut down the domain controllers for an organization using only a single workstation.”
Among the remaining bulletins are privilege escalation vulnerabilities and an information disclosure bug:
- MS13-030 addresses an information-disclosure vulnerability in SharePoint that could be exploited by an attacker who knew the location of a SharePoint list and had legitimate credentials to access it.
- MS13-031 is a privilege escalation flaw in the Windows Kernel. Exploits would require valid credentials in order to carry out an attack.
- MS13-033 affects the Windows Client/Server Runtime Subsystem in the way the system handles objects in memory. Attackers would need valid credentials and local access to pull off an exploit.
- MS13-034 is another privilege escalation bug, this time in Windows Defender, the Microsoft antimalware client. Successful exploits could enable an attacker to run code on an infected machine, view, change or delete data or create new accounts.
- MS13-035 repairs a vulnerability in Microsoft HTML Sanitization Component found in Microsoft Office. An attacker would have to send a malicious Office document to pull off an attack.
- MS13-036 patches three vulnerabilities in the Kernel Mode Driver that could elevate privileges for an attacker, who must have valid credentials and local access to exploit the flaws.
This article was updated to include a comment from Microsoft.