Researcher confirms kernel bugs will dominate Patch Tuesday
And the Internet Explorer update will close at least one hole hackers are already using
Computerworld - Microsoft will patch a large number of Windows kernel-mode device driver vulnerabilities later today, the researcher who reported them said.
Today's security updates will also close a bug in Internet Explorer (IE) that hackers have started exploiting, Microsoft confirmed Monday.
At around 1 p.m. ET, Microsoft will issue 17 security bulletins that fix a record 64 vulnerabilities in Windows, IE, Office, and Visual Studio.
"Yes, there will be a lot of kernel bugs addressed in the security bulletins next week," said Tarjei Mandt, a researcher who works for Norman ASA, a Norwegian antivirus firm. Mandt reported the vulnerabilities to Microsoft over the last six months.
One security expert who requested anonymity said that as many as half of the 64 vulnerabilities Microsoft plans to patch are kernel related.
But contrary to speculation last week by Computerworld that Mandt discovered the flaws while researching "kernel pool" exploits, the bugs Microsoft will patch today are more mundane.
At the Black Hat security conference last January, Mandt led a presentation and published a paper (download PDF) on kernel pool exploitation techniques in Windows 7. Kernel pools are memory blocks devoted to the operating system's kernel.
"They are not related to the research I did on the Windows kernel pool," said Mandt in an email reply to questions. "It's rather a class of bugs that is being fixed, present in the kernel component of the Windows user interface (win32k.sys), which dates back as far as Windows NT 4.0."
Microsoft has patched "win32k.sys," Windows' kernel-mode device driver, several times in the last year. Last February, Mandt was credited with reporting five flaws in win32k.sys that Microsoft patched in the MS11-012 update. Microsoft also addressed vulnerabilities in the kernel-mode driver in June, August, October and December 2010, fixing a total of 16 bugs. Five of those were reported by Mandt.
All the win32k.sys vulnerabilities were rated as "important," the second-highest threat ranking in Microsoft's four-step scoring system, and were classified as "elevation of privilege," or EoP bugs.
EoP vulnerabilities let attackers obtain higher administrative rights, and thus access to more resources than the compromised computer's user would normally have.
On Monday, the Microsoft Security Response Center (MSRC) also acknowledged that it was investigating reports of what it called "limited, targeted attacks" on a bug in IE that it will patch later today.
Mandt cautioned that the kernel-mode driver bugs he reported might be exploitable using the methods he outlined at Black Hat.
"I believe some of the vulnerabilities could be exploited using the techniques presented in the paper as they operate on data stored in the kernel pool," Mandt said.
Today's updates for Windows, IE, Office and other Microsoft software should appear on the company's download site shortly after 1 p.m. ET. They will also be made available through the Windows Update and Microsoft Update services, and the Windows Server Update Services tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!