The vulnerability was discovered by VUPEN in February 2011

Aug 1, 2014 12:00 GMT

Microsoft is making really big efforts to make its software more secure (or at least, that’s what the company is saying), so every month’s Patch Tuesday rollout addresses vulnerabilities in a wide array of products, including Windows, Internet Explorer, and Office.

Redmond has recently fixed a three-year-old vulnerability in Internet Explorer, which the security researchers at VUPEN found on February 12, 2011.

Officially patched on June 17 as part of bulletin MS14-035, the glitch was disclosed by VUPEN at the Pwn2Own hacking event in March this year.

“The vulnerability is caused due to an invalid handling of a sequence of actions aimed to save a file when calling ‘ShowSaveFileDialog()’, which could be exploited by a sandboxed process to write files to arbitrary locations on the system and bypass IE Protected Mode sandbox,” the security researchers explained.

The Microsoft Security Bulletin MS14-035 was released to address two publicly disclosed vulnerabilities and 58 privately reported glitches in Internet Explorer, including the one discovered by VUPEN.

“The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” Microsoft explained.

“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates permissions, and handles negotiation of certificates during a TLS session.”

The security flaw found by VUPEN affected pretty much all Internet Explorer versions on the market, including the old IE6 and the newly launched IE11, which is part of Windows 8.1.

Microsoft hasn’t shared any details regarding the number of exploits that could have involved the flaw found by VUPEN, but since it was reported via private channels, users have most likely been on the safe side until the company rolled out a patch.

In case you’re wondering, VUPEN has a pretty good history of finding vulnerabilities at hacking competitions, as the company has until now raised no less than $300,000 (€225,000) for flaws found in Adobe Reader, Internet Explorer, Mozilla Firefox, and Adobe Flash, according to The Register.

At this point, all Internet Explorer installations should be on the safe side if all security patches delivered via Windows Update are installed.