Microsoft’s first Patch Tuesday of 2015 did not patch a single Internet Explorer flaw. Today’s February Patch Tuesday update is a very different story, with Microsoft patching a staggering 41 vulnerabilities in IE. In total, Microsoft patched 56 vulnerabilities spread across nine security bulletins.
The IE update patches one issue that was publicly disclosed and 40 that were privately reported to Microsoft. The IE vulnerabilities include one cross-domain information disclosure vulnerability, two privilege escalation issues, four ASLR (Address Space Layout Randomization) flaws and 34 different memory corruption issues.
“I cannot remember when a single Microsoft patch included 41 CVEs, let alone an IE update so large,” Andrew Storms, vice president of Security Services at New Context, told eWEEK. “If you consider that all of the Microsoft patches in 2014 added up to 343 CVEs, then we are well on our way already to surpass that number in 2015.”
Considering that Web browsers are the most targeted applications, it makes sense to see Microsoft patch IE to this degree, Storms said.
Karl Sigler, threat intelligence manager at Trustwave, also wasn’t all that surprised at the number of IE flaws that needed to be patched, especially considering Microsoft’s historical trends for IE patching. Microsoft didn’t patch any IE vulnerabilities in January 2014 either, but, Sigler noted, the company went on to patch 24 IE vulnerabilities in February 2014. He added that most of the IE patches issued this month are memory corruption vulnerabilities, just like most of the vulnerabilities discovered last year.
“I expect that researchers are running IE through a fuzzer that is automating these vulnerability findings,” Sigler told eWEEK. “Hopefully they will reach a point where they’ve finally exhausted these critical bugs.”
Jon Rudolph, principal software engineer at Core Security, noted that IE has a long history it has to deal with that may soon be coming to an end in the upcoming Windows 10 operating system, which will likely include the new Spartan Web browser.
“The generation of browsers that are arriving nowadays get the lessons that IE has learned over time for free, and no constraints of backward compatibility or user base,” Rudolph told eWEEK.
“As we see these lists of exploits get longer, it makes more and more sense that Microsoft would be pushing a new browser altogether with Spartan.”
In addition to the IE vulnerabilities, Microsoft patched six vulnerabilities in the MS15-010 bulletin, titled “Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution.” Among the issues is CVE-2015-0010, which is a security bypass feature flaw that was publicly reported by the Google Project Zero effort. Google’s Project Zero has a policy of disclosing flaws 90 days after they are first reported to a vendor, which has led to the release of several zero-day issues so far in 2015.
Microsoft also patched a single critical flaw detailed in the MS15-011 bulletin as a vulnerability in group policy that could allow for remote code execution.
“The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network,” Microsoft warns in its advisory. “An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
Sigler noted that MS15-011 is pretty interesting from a bug perspective, though in his view the immediate risk is low.
“The fact that it affects Windows Domains means it’s a good candidate for attacking systems in a corporate environment,” Sigler said. “Luckily there is no public PoC [proof of concept] for the vulnerability and very few technical details about the vulnerability, which means exploitation remains theoretical for now.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.