Microsoft Hardens IE in August Patch Tuesday Update
Six months after security firm VUPEN first bypassed Internet Explorer security at Pwn2Own, Microsoft is taking aim at mitigating the risk.
As expected, Microsoft is out today with its monthly Patch Tuesday release for August, delivering fixes for a total of 23 vulnerabilities, spread across eight security bulletins, three of which are rated as being critical. Among the critical fixes are a pair of vulnerabilities that were first privately disclosed to Microsoft at the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own browser hacking competition in March of this year.
The critical MS13-059 bulletin is a cumulative update for Microsoft's Internet Explorer browser and includes 11 privately reported vulnerabilities. Six of the eleven vulnerabilities were reported to Microsoft by way of the HP ZDI effort. ZDI pays researchers for their security vulnerability research and then responsibly discloses the information to affected vendors. ZDI also operates the annual Pwn2Own hacking challenge, which is where VUPEN Security was able to successfully exploit IE.
"In today's patch release, Microsoft continues to fix weaknesses demonstrated by researchers at HP's Pwn2Own competition earlier this year," Brian Gorenc, manager of ZDI at HP Security Research, said.
As part of the MS13-059 update, Microsoft is correcting the bypass vulnerability demonstrated by VUPEN Security at Pwn2Own. Gorenc explained that the vulnerability could be utilized by attackers to execute code outside the sandbox. The sandbox is the protected area of the browser in which code is supposed to remain.
IE is not the only Microsoft technology violated at Pwn2Own that is now getting fixed. Gorenc added that the MS13-063 bulletin, which Microsoft has rated as being important, also benefits from Pwn2Own research. MS13-063 patches four vulnerabilities in the Windows kernel that could potentially lead to an elevation of privilege attack. In that type of attack, the attacker gets access via a lower-privileged account and is then able to gain elevated access to the system.