Microsoft Patches 23 Security Vulnerabilities in March Update
Microsoft came out today with its monthly Patch Tuesday update, and as was the case in February, the Internet Explorer (IE) Web browser figures prominently into the total tally. Microsoft is fixing 23 different vulnerabilities in the March Patch Tuesday update, spread across five security advisories.
Of the 23 vulnerabilities, 18 of them are directly attributable to IE. One of the IE vulnerabilities fixed this month, was first publicly reported Feb. 13 and is formally known as CVE-2014-0322. That flaw has been exploited in the wild, and until today, Microsoft had not provided its users with a formal patch. Microsoft did, however, advise users to use a "fix-it' and consider upgrading to IE 11, which is not at risk from the flaw.
Security experts suggested a few possible reasons Microsoft did not provide an out-of-band patch for the CVE-2014-0322 flaw prior to today.
"Obviously, any zero-day exploit in the wild merits significant attention from Microsoft," Ken Pickering, director of engineering at CORE Security, told eWEEK. "I'm not sure why they wouldn't release an out-of-band patch for it, given that fact, though it's possible one wasn't ready and adequately tested for deployment until this patch update."
Tommy Chin, technical support engineer at CORE Security, said an out-of -band patch likely wasn't implemented because the CVE-2014-0322 flaw only affects users with IE10 that have Adobe Flash but not Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Even though the CVE-2014-0322 flaw leverages an Address Space Layout Randomization ASLR bypass, via an IE memory leak to disable data execution protection, it can only attack a very small attack surface, he added.
In addition to the CVE-2014-0322 flaw, 17 other flaws were fixed in IE, all of which were reported privately to Microsoft.
Six of those flaws were reported to Microsoft via Hewlett-Packard's (HP) Zero Day Initiative (ZDI), which pays security researchers for their discoveries. HP is likely to send a few more flaws to Microsoft this week from the HP-sponsored Pwn2own browser hacking competition in which HP will pay researchers $100,000 in prize money for a successful exploit of Microsoft Internet Explorer 11 running on Windows 8.1 x64. A $150,000 prize is being offered for an exploit of Microsoft Windows Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running.
Of particular note in the March Patch Tuesday update is a patch that affects both Microsoft as well as Apple OS X users. The MS14-014 patch fixes a security feature bypass in Microsoft's Silverlight media technology.
Dustin Childs, group manager at Microsoft Trustworthy Computing, noted in a blog post that the Silverlight flaw is not under active attack.
"The update removes an avenue attackers could use to bypass ASLR protections," Childs said. "Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.