Microsoft Patches IE8's Pwn2Own Bug in Massive Update
Microsoft has patched 34 vulnerabilities in Windows, Office and Internet Explorer (IE), including an IE8 bug used by a Dutch security researcher in March to win $10,000 at the Pwn2Own contest.
The update was the largest from Microsoft so far this year.
Today's patch for IE8 was the last of those used to hack three browsers -- Mozilla's Firefox and Apple's Safari as well as IE -- at the March challenge. Mozilla patched Firefox April 1, eight days after the contest, while Apple fixed its flaw on April 14, 21 days post-Pwn2Own. This year, both Mozilla and Apple beat the time it took them to patch the vulnerabilities used in 2009's edition of Pwn2Own.
Microsoft essentially matched its patch speed of last year, when it also fixed 2009's Pwn2Own flaw with a June update.
"Actually, that's a pretty quick turn-around," said Aaron Portnoy, security research team lead with HP TippingPoint's Zero Day Initiative (ZDI) bug-bounty program. TippingPoint and ZDI sponsored this year's Pwn2Own, as it did the three years prior.
Researchers put the IE update at the top, or near the top of their to-do lists.
"IE is certainly the most important of the 10 to patch," said Andrew Storms, the director of security operations for nCircle Security, citing the six flaws fixed in the MS10-035 update.
Microsoft rated the IE update as "critical," the highest threat ranking in its four-step scoring system, and said the six fixes within the update addressed two critical bugs, two marked "important" and two more tagged as "moderate."
In late March, Dutch researcher Peter Vreugdenhil, a Pwn2Own newcomer, exploited a vulnerability in IE8 running on Windows 7 with attack code called at the time "technically impressive" by Portnoy. To hack IE8, Vreugdenhil first had to bypass the operating system's primary defenses -- Data Execution Prevention, or DEP, as well as Address Space Layout Randomization (ASLR).
Vreugdenhil used a two-exploit combination to circumvent first ASLR and then DEP to successfully break into IE8 within two minutes.
Josh Abraham, a security researcher with Rapid7, slipped MS10-035 a bit farther down his list. "I think people should be patching the media decompression vulnerability first," he said, referring to MS10-033. "I'd put the IE update directly following that."
Storms also put the spotlight on MS10-033, another of the three critical updates Microsoft issued today. "It's another 'movies-to-malware' kind of vulnerability, with exploits of malicious media files in a classic drive-by attack scenario," said Storms.
MS10-033 contains fixes for two vulnerabilities, both critical, that affect every supported operating system in Microsoft's portfolio, including the newest, Windows 7. Microsoft said that DirectX, the Windows media runtime, the encoder and a COM component all contain bugs.
"This is more of the usual," said Abraham, talking about MS10-033, "where attackers can leverage client software using drive-by downloads."
Altogether, Microsoft patched 34 vulnerabilities -- tying a record first set in October 2009 -- including six marked critical. Fixes were published for SharePoint, the Internet Information Services (IIS) server, the OpenType compact font format, the Windows kernel, .Net and several Microsoft-made and third-party ActiveX controls used in IE.
The biggest update, MS10-038, fixed a whopping 14 flaws in various versions of Microsoft's Excel spreadsheet, including one bug in the Mac editions. Jason Miller, data and security team manager for Shavlik Technologies, tagged the Excel update as one he'd put at the top of any to-do list because of the widespread use of the spreadsheet in businesses and the fact that Excel file are rarely blocked, giving hackers an easy entry.
But like Abraham, Miller pushed MS10-035 as extremely urgent. "We've seen this several times in the last six months or so, when Microsoft has patched its media software and media formats," he said. "Media, video, online stream...they're more and more prevalent not only for business, but for people in business. I can guarantee that someone is watching video right now in every organization. [Media] is just like a browser [as far as patching] at this point."
This month's security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.