As expected, Microsoft is out today with its monthly Patch Tuesday release for August, delivering fixes for a total of 23 vulnerabilities, spread across eight security bulletins, three of which are rated as being critical. Among the critical fixes are a pair of vulnerabilities that were first privately disclosed to Microsoft at the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own browser hacking competition in March of this year.
The critical MS13-059 bulletin is a cumulative update for Microsoft’s Internet Explorer browser and includes 11 privately reported vulnerabilities. Six of the eleven vulnerabilities were reported to Microsoft by way of the HP ZDI effort. ZDI pays researchers for their security vulnerability research and then responsibly discloses the information to affected vendors. ZDI also operates the annual Pwn2own hacking challenge, which is where VUPEN Security was able to successfully exploit IE.
“In today’s patch release, Microsoft continues to fix weaknesses demonstrated by researchers at HP’s Pwn2Own competition earlier this year,” Brian Gorenc, manager of ZDI at HP Security Research, said.
As part of the MS13-059 update, Microsoft is correcting the bypass vulnerability demonstrated by VUPEN Security at Pwn2Own. Gorenc explained that the vulnerability could be utilized by attackers to execute code outside the sandbox. The sandbox is the protected area of the browser in which code is supposed to remain.
IE is not the only Microsoft technology violated at Pwn2own that is now getting fixed. Gorenc added that the MS13-063 bulletin that Microsoft has rated as being important also benefits from Pwn2own research. MS13-063 patches four vulnerabilities in the Windows kernel that could potentially lead to an elevation of privilege attack. In that type of attack, the attacker gets access via a lower privileged account and is then able to gain elevated access to the system.
“A security feature vulnerability exists in Windows due to improper implementation of Address Space Layout Randomization (ASLR),” Microsoft warns in its bulletin. “The vulnerability could allow an attacker to bypass the ASLR security feature, most likely during or in the course of exploiting a remote code execution vulnerability.”
The amount of time it has taken Microsoft to provide a full solution to the Pwn2own flaws is seen by some researchers as being a little slow.
“Given the criticality of the issues, I think the response time was a little a slow, but ASLR is very complex code so that’s not surprising,” Lamar Bailey, director of security research and development at security firm Tripwire, said. “Also when you take into account that IE has millions of users across the various OS and patch levels, the QA [quality assurance] time and test matrix for this has to be astounding.”
Bailey’s colleague, Tyler Reguly, technical manager of security research and development at Tripwire, added that he also wanted to see the patches sooner.
“Ultimately, they delivered an update in 6 months—I’d prefer 3 months, but at least it wasn’t 12 months,” Reguly said.
The August Patch Tuesday update also includes a critical bulletin detailing three vulnerabilities in Microsoft’s Exchange Server. Microsoft warns in its MS13-061 bulletin that two of the vulnerabilities that affect Exchange Server 2007, 2010 and 2013 could potentially allow an unauthorized remote code execution, if a user views a specially crafted file through Outlook Web Access in a browser.
Microsoft Hardens IE in August Patch Tuesday Update
“The third vulnerability, CVE-2013-3781, exists in Exchange Server 2013 through the Data Loss Protection (DLP) feature,” Microsoft’s bulletin states. “This vulnerability could cause the affected Exchange Server to become unresponsive if a user views a specially crafted file through Outlook Web Access in a browser.”
Although only rated by Microsoft as being “Important,” Ross Barrett security researcher at Rapid7, sees the MS13-062 bulletin as perhaps the most genuinely interesting vulnerability this month. That bulletin is an elevation of privilege issue in Microsoft Remote Procedure Call (RPC).
“Microsoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong,” Barrett said.
Wolfgang Kandek, CTO of security firm Qualys, commented that he sees the MS13-065 bulletin that details an IPv6 denial-of-service issue as being noteworthy. In Kandek’s view, the IPv6 flaw gives us a glimpse of this new attack surface. The vast majority of all Internet traffic today is carried over IPv4, which has a 32-bit addressing scheme that is running out of usable space. In contrast, the next-generation IPv6 addressing system has a 128-bit space.
“I don’t think researchers have focused on that [IPv6] area yet, so there will be more vulnerabilities to come,” Kandek said. “At the same time, IPv6 tends to be just on by default and I believe many organizations are not actively managing it.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.