Six months after security firm VUPEN first bypassed Internet Explorer security at Pwn2Own, Microsoft is taking aim at mitigating the risk.
As expected, Microsoft is out today with its monthly Patch Tuesday release for August, delivering fixes for a total of 23 vulnerabilities, spread across eight security bulletins, three of which are rated as being critical.
Among the critical fixes are a pair of vulnerabilities that were first privately disclosed to Microsoft at the Hewlett-Packard Zero Day Initiative (ZDI) Pwn2Own browser hacking competition in March of this year.
The critical MS13-059 bulletin is a cumulative update for Microsoft’s Internet Explorer browser and includes 11 privately reported vulnerabilities. Six of the eleven vulnerabilities were reported to Microsoft by way of the HP ZDI effort. ZDI pays researchers for their security vulnerability research and then responsibly discloses the information to affected vendors. ZDI also operates the annual Pwn2Own hacking challenge, which is where VUPEN Security was able to successfully exploit IE.
“In today’s patch release, Microsoft continues to fix weaknesses demonstrated by researchers at HP’s Pwn2Own competition earlier this year,” Brian Gorenc, manager of ZDI at HP Security Research, said.
As part of the MS13-059 update, Microsoft is correcting the bypass vulnerability demonstrated by VUPEN Security at Pwn2Own. Gorenc explained that the vulnerability could be utilized by attackers to execute code outside the sandbox.
The sandbox is the protected area of the browser in which code is supposed to remain.
IE is not the only Microsoft technology compromised at Pwn2Own that is now getting fixed. Gorenc added that the MS13-063 bulletin, which Microsoft has rated as important, also benefits from Pwn2Own research. MS13-063 patches four vulnerabilities in the Windows kernel that could potentially lead to an elevation of privilege attack. In that type of attack, the attacker gets access via a lower-privileged account and is then able to gain elevated access to the system.
“A security feature vulnerability exists in Windows due to improper implementation of Address Space Layout Randomization (ASLR),” Microsoft warns in its bulletin. “The vulnerability could allow an attacker to bypass the ASLR security feature, most likely during or in the course of exploiting a remote code execution vulnerability.”
Some researchers see the time it has taken Microsoft to provide a full solution to the Pwn2Own flaws as a little slow.
“Given the criticality of the issues, I think the response time was a little slow, but ASLR is very complex code so that’s not surprising,” Lamar Bailey, director of security research and development at security firm Tripwire, said. “Also when you take into account that IE has millions of users across the various OS and patch levels, the QA [quality assurance] time and test matrix for this has to be astounding.”
Bailey’s colleague, Tyler Reguly, technical manager of security research and development at Tripwire, added that he also wanted to see the patches sooner.
“Ultimately, they delivered an update in 6 months—I’d prefer 3 months, but at least it wasn’t 12 months,” Reguly said.
The August Patch Tuesday update also includes a critical bulletin detailing three vulnerabilities in Microsoft’s Exchange Server. Microsoft warns in its MS13-061 bulletin that two of the vulnerabilities, which affect Exchange Server 2007, 2010 and 2013, could potentially allow unauthorized remote code execution if a user views a specially crafted file through Outlook Web Access in a browser.