Microsoft is fixing at least 19 vulnerabilities in the cumulative MS13-047 update, though the update does not address at least one other publicly known IE vulnerability.
"Microsoft is not fixing a recent vulnerability that Tavis Ormandy had alluded to in March and has recently (June 3) published an exploit for on the full-disclosure mailing list," Wolfgang Kandek, CTO of Qualys, said. "The zero-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal."
Kandek expects that Ormandy's flaw will be addressed next Patch Tuesday unless wider exploitation in the wild is detected. Microsoft has been hit with multiple zero-day flaws targeting IE in 2013. Prior to Ormandy's disclosure, the most recent zero-day flaw was rapidly patched as part of the May Patch Tuesday update.
Ormandy works for Google, which recently announced that it was moving to a seven-day disclosure policy for vulnerabilities that are being exploited in the wild. While Microsoft is not patching Ormandy's IE flaw, it is fixing 19 other critical flaws across IE 6 to IE 10.
The majority of the 19 flaws are memory-related issues that were responsibly disclosed to Microsoft and are not being exploited in the wild today. The flaws were reported to Microsoft by multiple sources, including HP's Zero Day Initiative (ZDI) as well as Google Security Team member Ivan Fratric.
"The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory," Microsoft states in its advisory.
Microsoft Office Security Fix
IE isn't the only Microsoft application with critical flaws being fixed. The MS13-051 advisory is titled "Vulnerability in Microsoft Office Could Allow Remote Code Execution" and fixes a single flaw.
"The vulnerability could allow remote code execution if a user opens a specially crafted Office document using an affected version of Microsoft Office software, or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader," Microsoft warns in its advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user."
Ross Barrett, senior manager of security engineering at Rapid7, commented that the MS13-051 flaw affects Office 2003 for PCs and Office 2011 for Mac.
"This issue is seeing limited, targeted exploitation in the wild and the only reason Microsoft hasn't tagged it as a 'critical' issue is based on the limited number of affected platforms," Barrett said. "Exploitation of this issue requires the user to interact with a malicious document."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.