Microsoft has issued its monthly Patch Tuesday update for February, and unlike Microsoft’s January update, this one has at least one big surprise in it.
Before every Patch Tuesday event, Microsoft issues an advance notification to give administrators and users a sneak peek at what is coming. For the February Patch Tuesday advance notification, Microsoft initially indicated that there would be five security bulletins, none of them including the Internet Explorer (IE) Web browser. As it turns out, Microsoft today is releasing seven security bulletins, including a massive IE update that addresses no less than 24 vulnerabilities.
The IE security update impacts versions 6 through 11 and includes 23 privately reported vulnerabilities and one that was publicly disclosed.
Twenty-one of the IE vulnerabilities are grouped together by Microsoft in its security bulletin under the heading “Multiple Memory Corruption Vulnerabilities in Internet Explorer.”
“Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory,” Microsoft warns. “These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
Eight of the memory vulnerabilities were reported to Microsoft by Hewlett-Packard’s Zero Day Initiative (ZDI), which is an effort that purchases security research. In a recent report, HP noted that for 2013, it acquired more IE vulnerabilities than for any other software product. ZDI is now also preparing for its annual Pwn2Own event (March 12-13) at which researchers will be awarded $100,000 if they can successfully exploit IE 11 running on Windows 8.1 x64.
The other IE vulnerabilities fixed in the update include an elevation-of-privilege issue that occurred during local file installation. There is also a cross-domain information-disclosure vulnerability being patched in IE.
“An information-disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone,” Microsoft warned in its security bulletin. “An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow information disclosure if a user viewed the webpage.”
The final IE vulnerability is one that is also in the MS14-011 bulletin, titled “Vulnerability in VBscripting Engine Could Allow Remote Code Execution.”
Tyler Reguly, manager of security research at Tripwire, told eWEEK that the IE bulletin and the VBscript bulletin contain an overlapping Common Vulnerabilities and Exposure (CVE)—CVE-2014-0271—which may have something to do with the initial failed exclusion from the advance notification.
“A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory,” Microsoft explains. “The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
Overall, the addition of the IE bulletin to the Patch Tuesday update was a surprise to some in the security community.
“I was surprised that Internet Explorer was not in the advance notice,” Wolfgang Kandek, CTO of Qualys, told eWEEK. “Just from following the normal flow of bugs from ZDI and iDefense, we were pretty certain that there had to be security fixes pending.”
Kandek noted that one possible explanation is that Microsoft wanted to wait until March to make Pwn2Own harder for everybody. Kandek added that his team does not view that as a likely theory as it would be unprofessional to delay such a bug-fix release.
“The explanation that they had a technical problem makes much more sense, after all, we can see that there were many vulnerabilities addressed,” Kandek said.
Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK that he had been told that the IE update was originally delayed due to incomplete testing.
“They worked over the weekend to complete the testing and get it out,” Barrett said.
Beyond the surprise critical IE update, there is at least one other bulletin to take note of. MS14-009 details vulnerabilities in the .NET framework. Reguly noted that flaws fixed are related to Slowloris, a low-bandwidth denial of service (DoS) attack. The Slowloris attack was first publicly discussed in 2009.
“There weren’t a lot of defenses in place previously,” Reguly said. “I’m not saying that I’m surprised they’d patch this, it’s actually great to see this issue resolved. It’s just surprising that it would take this long to get around to doing it.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.