Researcher confirms kernel bugs will dominate Patch Tuesday

Computerworld - Microsoft will patch a large number of Windows kernel-mode device driver vulnerabilities later today, the researcher who reported them said.

Today's security updates will also close a bug in Internet Explorer (IE) that hackers have started exploiting, Microsoft confirmed Monday.

At around 1 p.m. ET, Microsoft will issue 17 security bulletins that fix a record 64 vulnerabilities in Windows, IE, Office, and Visual Studio.

As experts hinted last week when Microsoft published its usual pre-Patch Tuesday alert, a large number of the 64 vulnerabilities will be in the Windows kernel, the heart of the operating system.

"Yes, there will be a lot of kernel bugs addressed in the security bulletins next week," said Tarjei Mandt, a researcher who works for Norman ASA, a Norwegian antivirus firm. Mandt reported the vulnerabilities to Microsoft over the last six months.

One security expert who requested anonymity said that as many as half of the 64 vulnerabilities Microsoft plans to patch are kernel related.

But contrary to speculation last week by Computerworld that Mandt discovered the flaws while researching "kernel pool" exploits, the bugs Microsoft will patch today are more mundane.

At the Black Hat security conference last January, Mandt led a presentation and published a paper (download PDF) on kernel pool exploitation techniques in Windows 7. Kernel pools are memory blocks devoted to the operating system's kernel.

"They are not related to the research I did on the Windows kernel pool," said Mandt in an email reply to questions. "It's rather a class of bugs that is being fixed, present in the kernel component of the Windows user interface (win32k.sys), which dates back as far as Windows NT 4.0."

Microsoft has patched "win32k.sys," Windows' kernel-mode device driver, several times in the last year. Last February, Mandt was credited with reporting five flaws in win32k.sys that Microsoft patched in the MS11-012 update. Microsoft also addressed vulnerabilities in the kernel-mode driver in June, August, October and December 2010, fixing a total of 16 bugs. Five of those were reported by Mandt.

All the win32k.sys vulnerabilities were rated as "important," the second-highest threat ranking in Microsoft's four-step scoring system, and were classified as "elevation of privilege," or EoP bugs.

EoP vulnerabilities let attackers obtain higher administrative rights, and thus access to more resources than the compromised computer's user would normally have.

On Monday, the Microsoft Security Response Center (MSRC) also acknowledged that it was investigating reports of what it called "limited, targeted attacks" on a bug in IE that it will patch later today.

Mandt cautioned that the kernel-mode driver bugs he reported might be exploitable using the methods he outlined at Black Hat.

"I believe some of the vulnerabilities could be exploited using the techniques presented in the paper as they operate on data stored in the kernel pool," Mandt said.

Today's updates for Windows, IE, Office and other Microsoft software should appear on the company's download site shortly after 1 p.m. ET. They will also be made available through the Windows Update and Microsoft Update services, and the Windows Server Update Services tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.