Microsoft Skips Pwn2Own IE Flaws in April Patch Tuesday
Microsoft fixes 14 CVEs in April Patch Tuesday, but outstanding issues remain, including a vulnerability demonstrated at last month's Pwn2Own event.
Microsoft is now out with its April Patch Tuesday update, delivering fixes for 14 CVEs spread across nine security bulletins.
Though Microsoft is patching a good number of flaws, it is not patching vulnerabilities that were publicly demonstrated at the Pwn2Own 2013 event in March. Security research group VUPEN was able to exploit Internet Explorer 10 with a pair of zero day flaws as part of the event. The full exploit details were then privately given to Microsoft by event organizer HP TippingPoint.
Microsoft did not patch the Pwn2Own flaws in its March Patch Tuesday update either.
Pass on Pwn2Own Bug
"I am surprised Microsoft still hasn’t patched the Pwn2Own vulnerabilities," said Andrew Storm, director of security operations at nCircle. "You’d think that patch responsiveness would be a key component in the browser market share war."
Both Google and Firefox have already patched their respective Pwn2Own related flaws. Storms added that one factor that may contribute to Microsoft’s relatively slow response is that Pwn2Own rules require the bugs remain private, so the potential for exploitation is relatively low.
Wolfgang Kandek, CTO of Qualys, told eSecurity Planet that he's not surprised that the Pwn2Own flaw is not in the April update.
"Microsoft is treating the ZDI submission from Pwn2Own the same way as it does any other ZDI advisory, even though Pwn2Own is a high-profile event," Kandek said. "Looking at other examples of ZDI submitting Internet Explorer vulnerabilities (ZDI-13-047) one can see that it takes roughly two months to address such a vulnerability. We expect the Pwn2Own patches to be in next month’s release."
Though Microsoft is not patching for the Pwn2Own flaws, it is providing a critical patch for a pair of other flaws in IE. The MS13-028 bulletin details two flaws that both employ use-after-free vulnerabilities. In a use-after-free vulnerability, allocated memory can potentially be used by an attacker to execute malicious code.
The Google Security Team reported both of the use-after-free flaws to Microsoft. Google is no stranger to use-after-free flaws and frequently patches them in its own Chrome browser.
Google also builds an open source tool called Address-Sanitize rthat is used to find use-after-free bugs. Microsoft did not disclose in its bulletin if Address-Sanitizer was used by Google to find the flaw. Qualys' Kandek suspects the vulnerability was found using manual means, though probably involved tool-assisted research as well.
"I think AddressSanitizer needs source code to work with, even though I can imagine that a less functional version could be done on the binary level," he said.
Remote Desktop Vulnerability
The only other bulletin rated as critical this month is MS13-029, which fixes a remote desktop client vulnerability.
"A remote code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted," Microsoft warned in its bulletin. "An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
Also of note, Microsoft is providing a fix for a vulnerability in Active Directory rated as being "important."
"A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding," Microsoft warned in a bulletin. "The vulnerability is caused when the LDAP service fails to handle a specially crafted query."