MS13-037 addresses a number of vulnerabilities in Internet Explorer, several of which were reported to us by the TippingPoint Zero Day Initiative (ZDI) program. We’ve gotten questions from customers about the specific vulnerabilities purchased by ZDI from the CanSecWest pwn2own contest. We’d like to use this blog post to provide more background on the set of vulnerabilities required for an attacker to exploit modern-day browsers and the state of fixes for those specific vulnerabilities.
Exploiting recent versions of Internet Explorer
Several years ago, a single memory corruption style vulnerability in the browser could be directly leveraged to compromise a system, could be used to run code in the context of the browsing user. Microsoft has invested heavily in platform-level mitigations for client-side applications such as browsers to the extent that today multiple different vulnerabilities must now be discovered and chained together in an exploit to compromise a system. A single memory corruption style vulnerability is just the start of an attacker’s discovery process. Typically, the attacker would need to also need to bypass ASLR and discover a way out of the IE Protected Mode limited code execution environment.
Pwn2own 2013
ZDI reported five separate vulnerabilities to Microsoft as a result of the contest:
- VUPEN’s IE10 exploit
-
- IE10 memory corruption style remote code execution vulnerability (CVE-2013-2551)
- IE post-exploitation Low Integrity -> Medium Integrity escalation (CVE-2013-2552)
-
- MWR Labs (Jon Butler and Nils) Chrome exploit
-
- Windows kernel elevation of privilege to escape sandbox (CVE-2013-2553)
-
- VUPEN’s FireFox exploit
-
- Windows LDRHotpatch ASLR/DEP bypass (CVE-2013-2554)
-
- VUPEN’s Adobe Flash exploit
-
- IE9 broker issue used in the exploit for Adobe Flash (CVE-2013-2556)
-
Status of security updates
MS13-037 addresses the two Internet Explorer vulnerabilities used in the VUPEN exploit. The Windows vulnerabilities and the IE9 broker issue will be addressed in a future security update cycle. Here’s a chart that describes the state of fixes and level of exposure for these vulnerabilities provided to us by the ZDI.
| CVE-2013-2551 | CVE-2013-2553 | CVE-2013-2552 | CVE-2013-2554 | CVE-2013-2556 | |
|---|---|---|---|---|---|
| IE10 | Fixed(MS13-037) | Not Affected | Fixed(MS13-037) | Not Affected | Not Affected |
| IE9 | Fixed(MS13-037) | Not Affected | Fixed(MS13-037) | Not Affected | Update Pending |
| Windows 8 | Not affected | Update Pending | Not Affected | Not Affected | Not Affected |
| Windows 7 | Not affected | Update Pending | Not Affected | Update Pending | Not Affected |
As you can see, MS13-037 addresses the primary or initial code execution vulnerabilities but we still are working on the updates to address other vulnerabilities used as part of the exploit chains to win pwn2own. Thankfully, ZDI reported those vulnerabilities directly to us and we don’t have any reason to believe that ZDI or the researchers who discovered these vulnerabilities have disclosed the vulnerability details to any third party. So we typically treat the pwn2own vulnerabilities as any other vulnerability report received as part of the coordinated vulnerability discovery process. It’s super interesting for us as security researchers ourselves to see the ingenuity displayed during the contest to exploit the hardest targets out there (!!) but its the severity of the vulnerabilities (not necessarily their debut as part of the contest) that guides our prioritization of fixes.
Each bulletin lists our “official” acknowledgement and thanks to the researchers and third parties involved in discovering and reporting these vulnerabilities to Microsoft. But today from everyone on the SRD team, we want to also pass along our thanks and a hat tip to the pwners out there – really impressive job on these vulns, guys. Thanks for helping us make the platform stronger.
- Jonathan Ness, MSRC Engineering and William Peteroy, MSRC