IE Is Focus of Microsoft's May Patch Tuesday


Some vulnerabilities get patched faster than others.

Microsoft is out today with its May Patch Tuesday update, which includes 10 bulletins fixing 33 vulnerabilities across Microsoft products. Included among those fixes are two critical patches for two-month-old vulnerabilities in IE disclosed at Pwn2own, as well as a patch for a zero-day vulnerability just disclosed last week.

The MS13-038 bulletin details a critical zero-day flaw that was used in an attack against the U.S. Department of Labor. Microsoft first admitted the flaw on May 3 and has been scrambling ever since to get the issue fixed.

"Our engineers worked around the clock to prepare and test MS13-038, which will help keep customers safe by permanently addressing the Internet Explorer 8 issue," Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said in a statement.

The flaw as detailed in Microsoft's bulletin is a use-after-free memory error.

"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft warns. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."

Multitude of IE Issues

In addition to the zero-day IE8 flaw, Microsoft patched 11 other issues with IE as part of the MS13-037 bulletin. Among those 11 issues are two items that were publicly demonstrated by VUPEN Security at the Pwn2own 2013 event in March. Microsoft credited VUPEN Security, working together with Pwn2own event organizer HP Zero Day Initiative, for helping to build defense-in-depth changes to fix the reported flaws.

The other nine vulnerabilities were all privately reported flaws and include additional use-after-free issues.

At least one security professional is putting a positive spin on Microsoft's quick zero-day turnaround, though others have a different view.

"The quick release of this patch, just 11 days from advisory to release, is an outstanding example of Microsoft’s responsiveness to the security community and their users," said Andrew Storms, director of security of operations at nCircle Tripwire.

Wolfgang Kandek, CTO of Qualys, noted that in his view the rapid zero-day fix is "great" though he wasn't really surprised by it. "They (Microsoft) have been working hard over the last year to get faster updating into Internet Explorer, given that it is the main attack vector," Kandek said. "They now release patches monthly."

Ross Barrett, senior manager of security engineering at Rapid7, agreed that the quick response is a good thing, noting that on one level this is Microsoft at their security best.

"They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches," Barrett said. "On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft’s patching and support models."

Barrett argued that Google's Chrome browser and its automatic silent updating is a superior model for browser updates. With the Chrome model older versions aren't supported as users are rapidly updated to the latest release version.

Sean Michael Kerner is a senior editor at eSecurity Planet and Follow him on Twitter @TechJournalist.