Microsoft releases nine bulletins, but no Pwn2Own fixes

News by Dan Raywood

Microsoft issued nine bulletins to fix 14 vulnerabilities this week; however, it left several known flaws unpatched.

The software giant released nine bulletins, two of which were rated as critical and the remaining seven as important, to fix vulnerabilities in Tools, Windows, Internet Explorer, Microsoft Anti-Malware Client, Office and Server Software. It recommended focusing on the critical patches MS13-028 and MS13-029 first.

Wolfgang Kandek, CTO of Qualys, said: “This month, the most important bulletin to apply to your infrastructure is MS13-028, which contains a new release of Internet Explorer (IE) covering all versions of the browser starting with IE6 going to IE10, and also including Windows RT, the operating system for mobile devices and tablets.

“The second vulnerability to apply is MS13-029, which fixes a vulnerability in the Remote Desktop Client ActiveX control included in all Windows versions prior to Windows 8. While ActiveX controls can be included in most Windows programs, the most likely attack vector is through a web browser. According to Microsoft, EMET provides protection against both MS13-028 and MS13-029.”

Speaking on MS13-029, Ziv Mador, director of security research at Trustwave, said: “It has been a few months since we have had a remote desktop protocol vulnerability, but I was pretty sure we hadn't seen the last of them. In this case getting a user to visit a specially crafted web page could result in remote code execution. The actual flaw is located in the ActiveX control mstscax.dll, which attempts to access an object in memory that has been deleted.”

However, bugs revealed and exploited at the Pwn2Own event in March have not been fixed, with Vupen Security saying that its "Pwn2Own zero-days [were] still alive".

Marc Maiffret, CTO of BeyondTrust, said: “While Internet Explorer did get patched this month, it did not receive a fix for the recently disclosed zero-day. Instead, the patch addresses two use after free vulnerabilities that both affect every supported version of Internet Explorer (versions 6 through 10). Attackers will be looking into how to exploit these two vulnerabilities, since attackers can target multiple versions of Internet Explorer through the use of only a couple of vulnerabilities, so it is important to deploy this patch as soon as possible.”

Kandek suspected that a fix was not issued due to the time constraints imposed by the quality assurance (QA) work necessary for an IE release. However, Adobe did release a security update for Flash based on the Pwn2Own research.
