It looks like at long last Microsoft will plug a zero-day flaw in its Internet Explorer (IE) Web browser March 11. That is, of course, the first Tuesday of the month and the time when Microsoft releases its monthly Patch Tuesday security update.
Ahead of every Patch Tuesday, Microsoft always releases an advance notification for what is to come. Last month at this time, when the advance notification for February was issued, Microsoft indicated that there would be no IE flaws fixed in February. It turns out that the advance notification wasn’t a complete indicator of February’s patches, as Microsoft did, in fact, patch 24 IE flaws Feb. 11.
As it turns out, though, even with the 24 patched flaws, Microsoft still missed at least one. On Feb. 13, the first public report about a new unpatched zero-day flaw in IE emerged. The flaw is formally known as CVE-2014-0322 and is a use-after-free memory flaw. In a use-after-free exploit, an attacker takes advantage of a program that continues to use an area of memory after it has been freed and should no longer be accessible.
The flaw could enable an attacker to execute arbitrary code. Security firm FireEye reported that the CVE-2014-0322 flaw is being exploited in the wild as part of an attack based on the U.S. Veterans of Foreign Wars’ website.
In the three weeks since the first disclosure of CVE-2014-0322, Microsoft has not issued an emergency patch for the IE flaw. The mitigations to date have included a “fix-it” tool to help users.
Microsoft has also noted that the flaw does not affect IE 11, and if users simply migrate from IE 10 or previous versions of IE, they can be protected. Going a step further, Microsoft’s Enhanced Mitigation Toolkit (EMET) also can protect IE 10 users from the CVE-2014-0322 flaw. EMET provides an additional layer of protection to Windows applications.
The problem with all of the mitigations that Microsoft has offered to date for the CVE-2014-0322 flaw is that none of them are automatically available to all regular Windows users and none of them were part of any default Windows Update.
The simple reality for most Windows users is that they update when Microsoft tells them to update. The mechanism for updates is Windows Update, and if an update is not there, it might as well not exist for a large number of Microsoft users because they will just never know about it.
However, the Patch Tuesday update is fully visible as a default update in Windows Update. When March 11 rolls around, most Microsoft users will finally be protected against CVE-2014-0322.
The timing of this month’s Patch Tuesday, however, doesn’t bode well for Microsoft IE users in general. The annual Pwn2Own browser-hacking competition gets under way March 12. In every single year that contest has run, new zero-day flaws have emerged in IE.
Hewlett-Packard, which runs the Pwn2Own event, doesn’t just let zero-day flaws leak out from its event. Flaws first reported at Pwn2Own are responsibly disclosed to the affected vendors first, giving them time to fix the issue. So while I have absolutely no doubt that a new zero-day flaw will emerge for IE on March 12, Microsoft will have some time to deal with it.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.