Microsoft Patch Tuesday Repairs Two IE Zero-Day Flaws

Microsoft issued eight security bulletins on Tuesday, repairing 26 flaws throughout its product portfolio including two Internet Explorer zero-day vulnerabilities actively targeted by attackers in the wild.

The software maker also announced it awarded a $100,000 prize to a researcher for demonstrating a unique way to bypass the company's built-in security controls.

Four of the eight security bulletins Microsoft issued as part of its October 2013 Patch Tuesday were rated critical, including a widely expected bulletin repairing 10 flaws in the Web browser. Other critical issues Microsoft repaired included repairs to the Windows Kernel-Mode Drivers, fixes to remote code execution vulnerabilities in the .Net Framework and an update to the Windows Common Control Library.

[Related: Top 10 Malware Threats To Microsoft PCs ]

The browser update impacts all supported versions of Internet Explorer. It repairs a known zero-day flaw that was used in carrying out the Bit9 data breach. The update also repairs a second actively targeted zero-day flaw impacting IE8 running on Windows XP and Windows 7. The attack appears to be used in financially motivated attacks targeting banking users in Korea and Japan, according to analysis conducted by security firm Trustwave, which is credited with detecting the flaw.

"The attacks so far seem to be limited to one part of the world," Trustwave said. "However, as with most zero-days, their exploitation tends to increase rapidly following disclosure so we expect to see more activity related to this zero-day in the future."

Security updates impacting Internet Explorer could be getting some enterprises to consider switching to Mozilla Firefox or Google's Chrome browser, said Tyler Reguly, technical manager of security research and development at vulnerability management vendor Tripwire. Automated updates that trigger in the background for both alternative browsers make them more secure for some enterprises, Reguly said.

"Unfortunately users are always going to be at risk of component flaws such as Java, Flash and PDF vulnerabilities," Reguly told CRN. "Some enterprises making the move to other browsers might worry about incompatibilities, but those are now far and few between."

Reguly and other vulnerability management experts said the other critical bulletins to Windows and the .NET framework are also frequent occurrences throughout the year. The update fixing seven flaws in the Windows Kernel-mode drivers impacts the way Windows addresses shared content using OpenType or TrueType font files. The update is critical because an exploit targeting the errors could easily be created and used in drive-by attacks. Most of the errors enable elevation of privileges and could be used in a two-pronged attack, according to Reguly.

NEXT: Microsoft's Bug Bounty Program Pays Out

Microsoft has made great strides in improving its Internet Explorer code base, but malware writers continue to find flaws in its aging code base, said Ross Barrett, senior manager of security engineering at Rapid7. Newer versions of Internet Explorer contain security components that help reduce some risks, Barrett said.

"Internet Explorer is an old code base, and you're seeing code that has been sitting there with vulnerabilities in it, in some cases as far back as 2001 or 2002," Barrett told CRN. "You have these pieces of the product that somewhat predate modern secure coding practices."

The .NET security update also addresses the use of OpenType font files and should be a patching priority. A critical Microsoft fix to the Windows Common Control Library impacts users of ASP.NET Web applications that could be used by a remote attacker also deserves a look, said Rapid7's Barrett. It doesn't require user interaction and is a legitimate issue that impacts website administrators and application developers, Barrett said.

In addition Microsoft issued updates, repairing flaws in Silverlight, Excel, Word and its SharePoint Server software, which the company rated as important.

Microsoft said it awarded $100,000 to James Forshaw, a security researcher at Context Information Security for a vulnerability he demonstrated that bypasses the company's built-in security restrictions. The mitigation bypass bounty was submitted as part of Microsoft's new bug bounty program. Forshaw also received $9,400 for flaws he detected in the Internet Explorer 11 Preview bounty program. Microsoft also released the names of the other security researchers who were rewarded under the program.

"James' submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," Microsoft said. The total amount rewarded under the program since its inception has been $128,000.

Microsoft unveiled its bug bounty program in June, reversing course on its earlier stance against such programs. The firm joins Google, Mozilla, Facebook and PayPal, which all run reward programs offering prizes to researchers who responsibly disclose flaws to the company.

PUBLISHED OCT. 8, 2013