Microsoft Fixes 57 Internet Explorer Flaws, Addresses Hacker Contest Bugs
Microsoft issued a big security update for Internet Explorer users Tuesday, pushing out a critical security bulletin that fixes 57 vulnerabilities, including five flaws that were identified during the Pwn2Own hacking competition in March.

The Redmond, Wash.-based software vendor issued seven security bulletins, two rated critical and five important, addressing 66 vulnerabilities across its product line in its June 2014 Patch Tuesday. In addition to its browser, the company addressed errors impacting Windows, Office and Lync.

The Internet Explorer bulletin impacts every currently supported version of Internet Explorer, according to Microsoft. The updates address other memory corruption vulnerabilities in the browser that criminals can exploit remotely through drive-by attacks, malware embedded in website advertisements, or links and attachments in email messages. The bulletin also addresses several flaws that can enable an attacker to elevate privileges in the browser, as well as an information disclosure vulnerability.


The software maker fixed five coding errors used by researchers at the Pwn2Own competition held in March at the CanSecWest Conference in Vancouver. The contest, sponsored by Hewlett-Packard, awarded $100,000 to security researchers Sebastian Apelt and Andreas Schmidt for exploiting two memory vulnerabilities to bypass security restrictions in Internet Explorer. Researchers from Google and VUPEN were also rewarded for exploiting vulnerabilities in Internet Explorer 11.

The update also addressed 17 other vulnerabilities reported through the Zero-Day Initiative vulnerability reward program. A zero-day flaw in Internet Explorer 8 that was reported to the vendor in October through the Zero-Day Initiative wasn't addressed for more than 180 days, prompting an advisory last month from research firm Corelan and the researcher who discovered the coding error, Peter Van Eeckhoutte. Microsoft said in a statement that it was systematically releasing updates based on priority and reiterated that none of the vulnerabilities it fixed this month were being attacked in the wild.

IT teams need to deploy the patches as soon as possible to protect corporate endpoints, said Chris Goettl, a product manager at Shavlik, the Minneapolis-based patch management division of LANDesk Software.

"While Microsoft does not indicate that there have been any attacks in the wild, this is always a possibility with publicly disclosed vulnerabilities, so it will be important to patch this one quickly," Goettl said.

Solution providers say they are constantly educating customers about the need to patch endpoint systems and be vigilant about new updates issued by software vendors. The easiest way into most businesses is through Web-based attacks, said Wayne Berezan, director of business development at OPUS Consulting Group, which partners with Sophos for security. In a recent interview with CRN, Berezan said the scale of the threats impacting the network is constantly increasing.

"Our clients are constantly looking for ways to simplify threat detection and take risk reduction measures before there's a serious problem," Berezan said. "A lot of these issues go unaddressed and have been profitable for cybercriminals for a long time."

Microsoft's other critical bulletin addresses two vulnerabilities impacting Windows, Microsoft Office and Lync. The update is critical for Windows, Microsoft Live Meeting 2007, Microsoft Lync 2010 and Microsoft Lync 2013, the company said. The patches repair an image handling vulnerability and a script processing vulnerability, both of which can be exploited remotely.

Shavlik's Goettl said the coding errors impact the widely used common core graphics component and could be used in phishing attacks.

Microsoft bulletins also addressed coding errors in Lync Server, Word and XML Core Services that were rated important. Also fixed was a Windows error that could be exploited to crash the operating system and a flaw in Microsoft's Remote Desktop software that weakens the encryption protection and could be used to tamper with a session.

PUBLISHED JUNE 10, 2014