Researcher confirms kernel bugs will dominate Patch Tuesday
And the Internet Explorer update will close at least one hole hackers are already using
Computerworld - Microsoft will patch a large number of Windows kernel-mode device driver vulnerabilities later today, the researcher who reported them said.
Today's security updates will also close a bug in Internet Explorer (IE) that hackers have started exploiting, Microsoft confirmed Monday.
At around 1 p.m. ET, Microsoft will issue 17 security bulletins that fix a record 64 vulnerabilities in Windows, IE, Office, and Visual Studio.
"Yes, there will be a lot of kernel bugs addressed in the security bulletins next week," said Tarjei Mandt, a researcher who works for Norman ASA, a Norwegian antivirus firm. Mandt reported the vulnerabilities to Microsoft over the last six months.
One security expert who requested anonymity said that as many as half of the 64 vulnerabilities Microsoft plans to patch are kernel related.
But contrary to speculation last week by Computerworld that Mandt discovered the flaws while researching "kernel pool" exploits, the bugs Microsoft will patch today are more mundane.
At the Black Hat security conference last January, Mandt led a presentation and published a paper (download PDF) on kernel pool exploitation techniques in Windows 7. Kernel pools are memory blocks devoted to the operating system's kernel.
"They are not related to the research I did on the Windows kernel pool," said Mandt in an email reply to questions. "It's rather a class of bugs that is being fixed, present in the kernel component of the Windows user interface (win32k.sys), which dates back as far as Windows NT 4.0."
Microsoft has patched "win32k.sys," Windows' kernel-mode device driver, several times in the last year. Last February, Mandt was credited with reporting five flaws in win32k.sys that Microsoft patched in the MS11-012 update. Microsoft also addressed vulnerabilities in the kernel-mode driver in June, August, October and December 2010, fixing a total of 16 bugs. Five of those were reported by Mandt.
All the win32k.sys vulnerabilities were rated as "important," the second-highest threat ranking in Microsoft's four-step scoring system, and were classified as "elevation of privilege," or EoP bugs.
EoP vulnerabilities let attackers obtain higher administrative rights, and thus access to more resources than the compromised computer's user would normally have.
On Monday, the Microsoft Security Response Center (MSRC) also acknowledged that it was investigating reports of what it called "limited, targeted attacks" on a bug in IE that it will patch later today.
Mandt cautioned that the kernel-mode driver bugs he reported might be exploitable using the methods he outlined at Black Hat.
"I believe some of the vulnerabilities could be exploited using the techniques presented in the paper as they operate on data stored in the kernel pool," Mandt said.
Today's updates for Windows, IE, Office and other Microsoft software should appear on the company's download site shortly after 1 p.m. ET. They will also be made available through the Windows Update and Microsoft Update services, and the Windows Server Update Services tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts