Surprise additions to Microsoft's Patch Tuesday

As if making up for lost time (there were no IE updates in January, and none initially expected for February), the IE bulletin actually covers 24 vulnerabilities and affects IE 6 through 11. Twenty-two of these are memory corruption vulnerabilities. "The security update," says Microsoft, "addresses the vulnerabilities by adding additional permission validations to Internet Explorer, and by modifying the way that Internet Explorer handles objects in memory."

"The most severe of these," explains Ziv Mador, director of security research at Trustwave, "could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user."

One of the vulnerabilities has already been publicly disclosed. Although Microsoft does not say it has knowledge of this vulnerability currently being exploited, it is only a matter of time now that it is public knowledge. Chester Wisniewski comments in the Sophos Naked Security blog, "Considering that 22 of these vulnerabilities can lead to remote code execution, this fix is priority one."

The second additional bulletin, critical on Windows clients but only moderate on Windows servers, resolves a privately reported vulnerability in the VBScript scripting engine in Windows. The vulnerability exists because the VBScript engine, as rendered in Internet Explorer, does not properly handle objects in memory.

An attacker could, warns Microsoft, "take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability." Alternatively, an attacker could embed an ActiveX control marked 'safe for initialization' in an application or Office document that hosts the IE rendering engine. This means that it could be used in either a watering hole attack or an email-driven attack. In the latter, the attacker has the choice of attaching a weaponized document, or socially engineering the user to visit a compromised website.

The late inclusion of the two additional bulletins by Microsoft is unprecedented. Ross Barrett, senior manager of security engineering at Rapid7, wrote in an email, "I talked this over with some folks in the know, and the message is that something (in the IE patch) came in just under the wire, in terms of testing completeness on Microsoft’s side. Due to the criticality of it, they bent their schedule in favor of customer security to get the patch out sooner."

Given the series of 'patch recalls' suffered by Microsoft last year, the hope is that these two additional bulletins haven't been rushed out too quickly. Either way, however, what appeared to be a light Patch Tuesday in its preview turns out to require more effort than expected.