Microsoft is issuing one of its largest Patch Tuesday updates in years, with 12 separate bulletins, five rated as being critical. In total, Microsoft is patching 57 different vulnerabilities in the second scheduled patch update of 2013.
Once again, Microsoft is dealing with vulnerabilities in its Internet Explorer (IE) browser this month. Fourteen different vulnerabilities in IE, spread across two separate bulletins are being fixed.
“It’s just so messed up that it couldn’t be fixed in one bulletin,” said Marc Maiffret, CTO of BeyondTrust.
The MS13-009 bulletin is the first of the two critical IE bulletins addressing 13 vulnerabilities affecting IE 6,7,8,9 and 10. Twelve of those vulnerabilities are Use-After-Free memory issues.
“Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted,” Microsoft warned in its bulletin. “These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
The other IE vulnerability addressed in the MS13-009 bulletin is for a “Shift JIS Character Encoding Vulnerability.”
“An information disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone,” Microsoft warned. “An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow information disclosure if a user viewed the webpage.”
“The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory,” Microsoft’s bulletin notes.
As to why Microsoft is patching so many IE vulnerabilities now, it is likely related to the upcoming Pwn2own competition.
“On IE, I know that Microsoft has been working hard on getting things addressed as quickly as possible and they have sped testing in the last year and streamlined their deployments,” Wolfgang Kandek, CTO of Qualys, told eSecurity Planet. “It is also the last opportunity to IE patched before the CanSecWest competition start of March.”
CanSecWest is the home of the Pwn2own browser hacking event. The 2013 event will reward the first researcher to hack IE 10 running on Windows 8 with $100,000 in cash.
While the IE vulnerabilities are rated as critical , the largest bucket of vulnerabilities in the February update are rated as being”‘important” by Microsoft. MS13-016 fixes a staggering 30 vulnerabilities in the Windows Kernel-mode driver. The vulnerabilities were found and privately reported to Microsoft by Google security researcher Mateusz ‘j00ru’ Jurczyk.
“The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application,” Microsoft warns in its bulletin. “An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.”