Microsoft issued one of its largest security updates ever for the Internet Explorer Web browser. As part of Microsoft’s June Patch Tuesday release, the MS14-035 cumulative update for IE fixes 59 security vulnerabilities.
The sheer number of IE fixes surprised some security researchers.
“Initially, I was surprised and assumed that it was somewhat of a clean-up, but there are many vulnerabilities that were found by the same few researchers,” Wolfgang Kandek, CTO at Qualys, told eWEEK. “I assume that they have developed a new tool that looks through the IE binary and finds repeated uses of the same vulnerable patterns.”
Kandek noted that it is always a good engineering practice to automate as much as possible.
The large number of patches makes sense when you consider that May’s Patch Tuesday update for IE was noncumulative, Tyler Reguly, manager of security research at security firm Tripwire, told eWEEK. “We normally only see those as an out-of-band [OOB], so we can assume that Microsoft had planned last month’s patch as an OOB and then replaced the bulletin update with it due to timing,” Reguly said. “If that’s the case, then this contains last month’s updates and this month’s updates all rolled into one.”
According to Tripwire’s data for Patch Tuesday, the June IE update has the highest number of identified Common Vulnerabilities and Exposures (CVEs) for IE in a monthly patch since 2009, when Tripwire first started recording patch trend data.
Among the 59 IE security fixes is a patch for a zero-day issue that Hewlett-Packard’s Zero Day Initiative (ZDI) publicly revealed in May, as well as fixes for vulnerabilities first privately disclosed at the Pwn2Own browser hacking event in March.
The CVE-2014-1770 vulnerability was first reported to Microsoft in November 2013 and was only publicly disclosed by HP in May. HP’s ZDI publicly discloses flaws that a vendor has not fixed within 120 days.
Microsoft credits CVE-2014-1764 and CVE-2014-2777, both elevation-of-privilege vulnerabilities, to security firm Vupen working with HP’s ZDI. Vupen is the research outfit that successfully exploited IE at the HP-sponsored Pwn2Own event in March.
“We’re glad to see the results of Pwn2Own coming to fruition as Microsoft releases new patches,” Brian Gorenc, manager of vulnerability research at HP ZDI, told eWEEK. “The amount of time it can take to patch a given vulnerability varies, based on the complexity of the bug.”
Though it took Microsoft eight months to patch CVE-2014-1770, Reguly considers the turnaround for the Pwn2Own flaws reasonable.
“I think March to June is a pretty reasonable turnaround, given some of the other timelines that we’ve seen from vendors,” Reguly said. “All in all, if a company can stick to approximately 90 days to turn around a patch for a major application, I think that’s a fairly successful track record.”
As part of the IE update, Microsoft is also fixing a TLS Server Certificate Renegotiation Vulnerability in the browser, identified as CVE-2014-1771. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) have been in the security headlines a great deal in 2014, thanks to the Heartbleed flaw in the open-source OpenSSL cryptographic library, reported in April. While CVE-2014-1771 is serious, Microsoft noted that it has no reports of the vulnerability being exploited in the wild.
“An information disclosure vulnerability exists in the way that Internet Explorer handles negotiation of certificates in a TLS session,” Microsoft warns in its advisory. “An attacker who successfully exploited this vulnerability could hijack a mutually authenticated TLS connection between Internet Explorer and an arbitrary target server.”
Microsoft identified 54 of the vulnerabilities fixed in the June IE update as memory-corruption vulnerabilities.
“Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory,” Microsoft warns in its advisory. “These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
While IE users should patch their systems immediately, there are also other mitigations that can be leveraged.
“I would recommend running EMET [Enhanced Mitigation Experience Toolkit] on top of the browsers to provide an additional hardening layer,” Kandek said. “Another option is to move to another browser, one that is less targeted than Internet Explorer.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.