Microsoft Surprises With IE Patch Tuesday Update

Microsoft has issued its usual Patch Tuesday update for the month of February, which includes an Internet Explorer patch which will  surprise many system administrators. Meanwhile Adobe’s monthly updated fixes a flaw in Shockwave.

Every Patch Tuesday event, Microsoft issues an advance notification to give administrators and users a sneak peek at what is coming. For the February Patch Tuesday advance notification, Microsoft initially indicated that there would be five security bulletins, none of them for the Internet Explorer (IE) Web browser. However, as it turns out, Microsoft has released seven security bulletins, including a massive IE update that addresses no less than 24 vulnerabilities.

Browser patch

The IE security update impacts versions 6 through 11 and includes 23 privately reported vulnerabilities and one that was publicly disclosed.

Twenty-one of the IE vulnerabilities are grouped together by Microsoft in its security bulletin under the heading “Multiple Memory Corruption Vulnerabilities in Internet Explorer.”

“Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory,” Microsoft warns. “These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

Eight of the memory vulnerabilities were reported to Microsoft by Hewlett-Packard’s Zero Day Initiative (ZDI), which is an effort that purchases security research. In a recent report, HP noted that for 2013, it acquired more IE vulnerabilities than for any other software product. ZDI is now also preparing for its annual Pwn2Own event (12-13 March) at which researchers will be awarded $100,000 (£60,709) if they can successfully exploit IE 11 running on Windows 8.1 x64.

The other IE vulnerabilities fixed in the update include an elevation-of-privilege issue that occurred during local file installation. There is also a cross-domain information-disclosure vulnerability being patched in IE.

“An information-disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone,” Microsoft warned in its security bulletin. “An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow information disclosure if a user viewed the webpage.”

The final IE vulnerability is one that is also in the MS14-011 bulletin, titled “Vulnerability in VBscripting Engine Could Allow Remote Code Execution.”

Tyler Reguly, manager of security research at Tripwire, told eWEEK that the IE bulletin and the VBscript bulletin contain an overlapping Common Vulnerabilities and Exposure (CVE) – CVE-2014-0271 – which may have something to do with the initial failed exclusion from the advance notification.

“A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory,” Microsoft explains. “The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

Surprise inclusion

Overall, the addition of the IE bulletin to the Patch Tuesday update was a surprise to some in the security community.

“I was surprised that Internet Explorer was not in the advance notice,” Wolfgang Kandek, CTO of Qualys, told eWEEK. “Just from following the normal flow of bugs from ZDI and iDefense, we were pretty certain that there had to be security fixes pending.”

Kandek noted that one possible explanation is that Microsoft wanted to wait until March to make Pwn2Own harder for everybody. Kandek added that his team does not view that as a likely theory as it would be unprofessional to delay such a bug-fix release.

“The explanation that they had a technical problem makes much more sense, after all, we can see that there were many vulnerabilities addressed,” Kandek said.

Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK that he had been told that the IE update was originally delayed due to incomplete testing.

“They worked over the weekend to complete the testing and get it out,” Barrett said.

Beyond the surprise critical IE update, there is at least one other bulletin to take note of. MS14-009 details vulnerabilities in the .NET framework. Reguly noted that flaws fixed are related to Slowloris, a low-bandwidth denial of service (DoS) attack. The Slowloris attack was first publicly discussed in 2009.

“There weren’t a lot of defences in place previously,” Reguly said. “I’m not saying that I’m surprised they’d patch this, it’s actually great to see this issue resolved. It’s just surprising that it would take this long to get around to doing it.”

Adobe Shockwave fix

Meanwhile, Adobe’s monthly updated included a fix for a remote execution flaw in Shockwave, which would have allowed attacks on Shockwave users. The flaw is fixed in both Windows and OS X.  The patch follows a far more urgent update for Adobe Flash, which was issued “out of band” last week.

Are you a security expert? Try our quiz!

Originally published on eWeek.