Microsoft Patches 23 Security Vulnerabilities in March Update
A critical Internet Explorer zero-day flaw first disclosed nearly a month ago is among the patches.Microsoft came out today with its monthly Patch Tuesday update, and as was the case in February, the Internet Explorer (IE) Web browser figures prominently into the total tally. Microsoft is fixing 23 different vulnerabilities in the March Patch Tuesday update, spread across five security advisories. Of the 23 vulnerabilities, 18 of them are directly attributable to IE. One of the IE vulnerabilities fixed this month, was first publicly reported Feb. 13 and is formally known as CVE-2014-0322. That flaw has been exploited in the wild, and until today, Microsoft had not provided its users with a formal patch. Microsoft did, however, advise users to use a "fix-it' and consider upgrading to IE 11, which is not at risk from the flaw. Security experts suggested a few possible reasons Microsoft did not provide an out-of-band patch for the CVE-2014-0322 flaw prior to today. "Obviously, any zero-day exploit in the wild merits significant attention from Microsoft," Ken Pickering, director of engineering at CORE Security, told eWEEK. "I'm not sure why they wouldn't release an out-of-band patch for it, given that fact, though it's possible one wasn't ready and adequately tested for deployment until this patch update."
Tommy Chin, technical support engineer at CORE Security, said an out-of -band patch likely wasn't implemented because the CVE-2014-0322 flaw only affects users with IE10 that have Adobe Flash but not Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Even though the CVE-2014-0322 flaw leverages an Address Space Layout Randomization ASLR bypass, via an IE memory leak to disable data execution protection, it can only attack a very small attack surface, he added.
"The update removes an avenue attackers could use to bypass ASLR protections," Childs said. "Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.