Patch Tuesday Update Tackles Critical IE Flaw

Microsoft has issued its monthly Patch Tuesday update, that once again includes fixes for its Internet Explorer (IE) Web browser.

With the update, Redmond is fixing 23 different vulnerabilities in total, spread across five security advisories.

Patch Update

Of the 23 vulnerabilities, 18 of them are directly attributable to IE. One of the IE vulnerabilities fixed this month, was first publicly reported 13 February and is formally known as CVE-2014-0322. That flaw has been exploited in the wild, and until today, Microsoft had not provided its users with a formal patch. Microsoft did, however, advise users to use a “fix-it’ and consider upgrading to IE 11, which is not at risk from the flaw.

Security experts suggested a few possible reasons Microsoft did not provide an out-of-band patch for the CVE-2014-0322 flaw prior to today.

“Obviously, any zero-day exploit in the wild merits significant attention from Microsoft,” Ken Pickering, director of engineering at CORE Security, told eWEEK. “I’m not sure why they wouldn’t release an out-of-band patch for it, given that fact, though it’s possible one wasn’t ready and adequately tested for deployment until this patch update.”

Tommy Chin, technical support engineer at CORE Security, said an out-of -band patch likely wasn’t implemented because the CVE-2014-0322 flaw only affects users with IE10 that have Adobe Flash but not Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).  Even though the CVE-2014-0322 flaw utilises an Address Space Layout Randomization ASLR bypass, via an IE memory leak to disable data execution protection, it can only attack a very small attack surface, he added.

In addition to the CVE-2014-0322 flaw, 17 other flaws were fixed in IE, all of which were reported privately to Microsoft.

Six of those flaws were reported to Microsoft via Hewlett-Packard’s (HP) Zero Day Initiative (ZDI), which pays security researchers for their discoveries. HP is likely to send a few more flaws to Microsoft this week from the HP-sponsored Pwn2own browser hacking competition in which HP will pay researchers $100,000 (£60,157) in prize money for a successful exploit of Microsoft Internet Explorer 11 running on Windows 8.1 x64. A $150,000 (£90,236) prize is being offered for an exploit of Microsoft Windows Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running.

Silverlight Fix

Of particular note in the March Patch Tuesday update is a patch that affects both Microsoft as well as Apple OS X users. The MS14-014 patch fixes a security feature bypass in Microsoft’s Silverlight media technology.

Dustin Childs, group manager at Microsoft Trustworthy Computing, noted in a blog post that the Silverlight flaw is not under active attack.

“The update removes an avenue attackers could use to bypass ASLR protections,” Childs said. “Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable.”

Are you a security expert? Try our quiz!

Originally published on eWeek.