Patch Tuesday Update Tackles Critical IE Flaw

Microsoft has issued its monthly Patch Tuesday update, that once again includes fixes for its Internet Explorer (IE) Web browser.

With the update, Redmond is fixing 23 different vulnerabilities in total, spread across five security advisories.

Patch Update

Of the 23 vulnerabilities, 18 of them are directly attributable to IE. One of the IE vulnerabilities fixed this month, was first publicly reported 13 February and is formally known as CVE-2014-0322. That flaw has been exploited in the wild, and until today, Microsoft had not provided its users with a formal patch. Microsoft did, however, advise users to use a “fix-it’ and consider upgrading to IE 11, which is not at risk from the flaw.

Security experts suggested a few possible reasons Microsoft did not provide an out-of-band patch for the CVE-2014-0322 flaw prior to today.

“Obviously, any zero-day exploit in the wild merits significant attention from Microsoft,” Ken Pickering, director of engineering at CORE Security, told eWEEK. “I’m not sure why they wouldn’t release an out-of-band patch for it, given that fact, though it’s possible one wasn’t ready and adequately tested for deployment until this patch update.”

Tommy Chin, technical support engineer at CORE Security, said an out-of -band patch likely wasn’t implemented because the CVE-2014-0322 flaw only affects users with IE10 that have Adobe Flash but not Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).  Even though the CVE-2014-0322 flaw utilises an Address Space Layout Randomization ASLR bypass, via an IE memory leak to disable data execution protection, it can only attack a very small attack surface, he added.

In addition to the CVE-2014-0322 flaw, 17 other flaws were fixed in IE, all of which were reported privately to Microsoft.

Six of those flaws were reported to Microsoft via Hewlett-Packard’s (HP) Zero Day Initiative (ZDI), which pays security researchers for their discoveries. HP is likely to send a few more flaws to Microsoft this week from the HP-sponsored Pwn2own browser hacking competition in which HP will pay researchers $100,000 (£60,157) in prize money for a successful exploit of Microsoft Internet Explorer 11 running on Windows 8.1 x64. A $150,000 (£90,236) prize is being offered for an exploit of Microsoft Windows Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running.

Silverlight Fix

Of particular note in the March Patch Tuesday update is a patch that affects both Microsoft as well as Apple OS X users. The MS14-014 patch fixes a security feature bypass in Microsoft’s Silverlight media technology.

Dustin Childs, group manager at Microsoft Trustworthy Computing, noted in a blog post that the Silverlight flaw is not under active attack.

“The update removes an avenue attackers could use to bypass ASLR protections,” Childs said. “Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable.”

Are you a security expert? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago