Microsoft Patch Tuesday Toughens IE Browser

Microsoft has issued its monthly Patch Tuesday update for August, that fixes a total of 23 vulnerabilities, spread across eight security bulletins, three of which were critical.

Among the critical fixes are a pair of vulnerabilities that were first privately disclosed to Microsoft at the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own browser hacking competition in March of this year.

Patch Tuesday

The critical MS13-059 bulletin is a cumulative update for Microsoft’s Internet Explorer browser and includes 11 privately reported vulnerabilities. Six of the eleven vulnerabilities were reported to Microsoft by way of the HP ZDI effort. ZDI pays researchers for their security vulnerability research and then responsibly discloses the information to affected vendors. ZDI also operates the annual Pwn2own hacking challenge, which is where VUPEN Security was able to successfully exploit IE.

“In today’s patch release, Microsoft continues to fix weaknesses demonstrated by researchers at HP’s Pwn2Own competition earlier this year,” Brian Gorenc, manager of ZDI at HP Security Research, said.

As part of the MS13-059 update, Microsoft is correcting the bypass vulnerability demonstrated by VUPEN Security at Pwn2Own. Gorenc explained that the vulnerability could be utilised by attackers to execute code outside the sandbox. The sandbox is the protected area of the browser in which code is supposed to remain.

IE is not the only Microsoft technology violated at Pwn2own that is now getting fixed. Gorenc added that the MS13-063 bulletin that Microsoft has rated as being important also benefits from Pwn2own research. MS13-063 patches four vulnerabilities in the Windows kernel that could potentially lead to an elevation of privilege attack. In that type of attack, the attacker gets access via a lower privileged account and is then able to gain elevated access to the system.

“A security feature vulnerability exists in Windows due to improper implementation of Address Space Layout Randomization (ASLR),” Microsoft warns in its bulletin. “The vulnerability could allow an attacker to bypass the ASLR security feature, most likely during or in the course of exploiting a remote code execution vulnerability.”

Slow Response?

The amount of time it has taken Microsoft to provide a full solution to the Pwn2own flaws is seen by some researchers as being a little slow.

“Given the criticality of the issues, I think the response time was a little a slow, but ASLR is very complex code so that’s not surprising,” Lamar Bailey, director of security research and development at security firm Tripwire, said. “Also when you take into account that IE has millions of users across the various OS and patch levels, the QA [quality assurance] time and test matrix for this has to be astounding.”

Bailey’s colleague, Tyler Reguly, technical manager of security research and development at Tripwire, added that he also wanted to see the patches sooner.

“Ultimately, they delivered an update in 6 months – I’d prefer 3 months, but at least it wasn’t 12 months,” Reguly said.

Exchange Server

The August Patch Tuesday update also includes a critical bulletin detailing three vulnerabilities in Microsoft’s Exchange Server. Microsoft warns in its MS13-061 bulletin that two of the vulnerabilities that affect Exchange Server 2007, 2010 and 2013 could potentially allow an unauthorised remote code execution, if a user views a specially crafted file through Outlook Web Access in a browser.