Microsoft Patch Tues Misses Pwn2own Flaws
Microsoft fixes "evil maid" flaw but lets others that have been publicly demonstrated remain for now.
Microsoft is out with its March Patch Tuesday update, issuing seven security bulletins dealing with flaws in Internet Explorer, Office, Silverlight and Windows.
This month's patch Tuesday, however, does not tackle any of the security vulnerabilities identified by security researchers during last week's Pwn2own event during which Chrome, Firefox and IE were all exploited running on Windows. The attackers were able to exploit alleged vulnerabilities in Windows in order to violate the browsers.
Both Google Chrome and Mozilla Firefox have already pushed out updates to fix issues found in their respective browsers. Microsoft has not.
"Microsoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition," Dustin Childs, group manager, Microsoft Trustworthy Computing, told eSecurity Planet. "We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition’s findings."
The speed at which Microsoft is able to publicly release fixes for the Pwn2own flaws is not seen as an issue by Qualys CTO Wolfgang Kandek.
"I am sure Microsoft has fixed the vulnerabilities turned over by Pwn2own already, but since they have an extensive testing scheme could not include the fixes in this month's Patch Tuesday," Kandek told eSecurity Planet. "I am certain we will see them by next month. When they look at how quickly to publish and whether to go out of band, they weigh the risk of a leak of the vulnerability (in the chain researcher - ZDI - Microsoft) and its use in the wild vs. breaking the predictable cycle of second Tuesday of each month."
Though Microsoft has not patched for the Pwn2own flaws yet, it is providing a cumulative security update for IE that fixes nine different issues affecting IE versions 6, 7, 8, 9 and 10. The vulnerabilities include multiple use-after-free issues.
"Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted," Microsoft warned in its advisory. "These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."
Microsoft's Silverlight media player is also being updated this month for a critical vulnerability. Microsoft has identified the flaw as a "double dereference" vulnerability and explained that the issues could enable a maliciously crafted Silverlight application to access memory unsafely.
"An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the current user," Microsoft warns in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
The MS13-027 bulletin describes one of the most interesting sets of flaws that Microsoft is fixing this month. The bulletin titled "Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege" encompasses three separate vulnerabilities (CVE-2013-1285, CVE-2013-1286 and CVE-2013-1287), all of which are labeled as "Windows USB Descriptor Vulnerability."
"An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory," Microsoft warns. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode."
Kandek noted that the attack vector used in the USB vulnerability was described as far back as 2009 as the "evil maid" attack.
"The attack vector is broad, encompassing anybody who has access to your unattended computer, be it the janitor at your workplace, the staff at the hotel where you are staying, or anywhere somebody with physical access can insert a USB drive into your computer," Kandek said.
February 12, 2013
Internet Explorer and Windows Kernel-Mode driver vulnerabilities top the list in Microsoft's Patch Tuesday for February 2013.