Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-575 on Wednesday, August 13th.

MS14-043

CSyncBasePlayer Use After Free Vulnerability CVE-2014-4060

MS14-044

SQL Master Data Services XSS Vulnerability CVE-2014-1820
Microsoft SQL Server Stack Overrun Vulnerability CVE-2014-4061

MS14-045

Win32k Elevation of Privilege Vulnerability CVE-2014-0318
Font Double-Fetch Vulnerability CVE-2014-1819
Windows Kernel Pool Allocation Vulnerability CVE-2014-4064

MS14-046

.NET ASLR Vulnerability CVE-2014-4062

MS14-047

LRPC ASLR Bypass Vulnerability CVE-2014-0316

MS14-048

OneNote Remote Code Execution Vulnerability CVE-2014-2815

MS14-049

Windows Installer Repair Vulnerability CVE-2014-1814

MS14-050

SharePoint Page Content Vulnerability CVE-2014-2816

MS14-051

Multiple Internet Explorer Elevation of Privilege Vulnerabilities MULTIPLE
Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

 

MS14-043

Microsoft has decided to change things up this month. Normally, we’d be discussing Internet Explorer here but this month, instead of IE being at the top of the list, it’s at the bottom. We considered writing this update in reverse for consistency but ultimately decided against it. So, this month the first update is the other critical bulletin, which affects Windows Media Center.

The most important thing to note here is the applicability of the patch. Windows Media Center is an add-on for Vista and newer and Microsoft has never been entirely certain of how to deploy it. For Vista, Media Center is only available with special OEM purchases; unless you bought a Windows Vista Media Center, you can likely ignore this.

For Windows 7, Media Center is a free feature that you can enable. For Windows 8 and 8.1, Media Center is a paid add-on that can only be used on the non-Volume License Pro Version. Once you figure out if your system can be affected by this vulnerability, applying the patch should be relatively simple by comparison.

MS14-044

This month, we have an update for Microsoft SQL Server – a product that doesn’t get patched too often. In fact, the patch that is replaced for SQL Server 2008 was released back in 2012. The important point to make with this update is that it’s the first time we’re seeing a patch issued for SQL Server 2014.

This important patch gives SQL Server admins some time to figure out any “gotchas” to applying patches. If a critical remote code execution patch had been released this month, it could have been a much more dangerous learning experience.

MS14-045

The third update this month addresses three issues affecting Windows Kernel Mode Drivers. This is a standard patch that has become nearly as common as IE and may have actually surpassed Microsoft Office vulnerabilities in recent years. These vulnerabilities are extremely powerful when paired with remote code execution vulnerabilities to create a decent chained attack into the environment.

MS14-046

This is the first of two security feature bypass bulletins – a class of bulletin that demonstrates Microsoft’s commitment to security. Unlike a traditional vulnerability with a known outcome (code execution, privilege escalation, etc.), these bulletins resolve “utilities,” for lack of a better term, that make exploit development easier. Fixing solutions like this one, which affects .NET, may be the reason why the next IE Vulnerability doesn’t end up as the next IE Exploit.

MS14-047

MS14-047 is the second security feature bypass bulletin this month and resolves an issue where an attacker could fill available memory space to make address prediction easier.

MS14-048

One of the features of OneNote 2007 allows users to create files on the file system when a document is opened. This bulletin resolves a vulnerability where that feature is re-purposed to write a malicious file to a start-up directory. Newer versions of OneNote are not affected.

MS14-049

The Microsoft Installer is responsible for installing files on your Windows PC; it is the familiar dialog that asks if you want to install, repair or remove the software. There is a way that attackers can modify an installer, replacing files with their own malicious copies. When the repair option is used, the malicious files are dropped on the file system.

MS14-050

Once again, SharePoint pays us a visit, this time with a vulnerability that allows third-party apps added to the SharePoint install to execute JavaScript in the context of the logged-in users. This bulletin doubles as a solid reminder to be wary of software coming from untrusted third parties.

MS14-051

The final bulletin this month belongs to Internet Explorer. The patching trend where you deploy the IE patch first each month should continue with this bulletin. A large number of vulnerabilities, including one that is public, are resolved this month. This bulletin also introduces the Microsoft Exploitability Index value of 0, indicating that exploit code is already available for a vulnerability. Patch this issue ASAP.

 

Additional Information

Adobe has released an update for Flash (APSB14-18[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2]. Adobe has also released an update for Acrobat and Reader (APSB14-19[3]).

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
MS14-051
No Known Exploit
MS14-046 MS14-047 MS14-043
MS14-044
MS14-048
MS14-050
MS14-045
MS14-049
Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

 


[3] http://helpx.adobe.com/security/products/reader/apsb14-19.html

 



Tyler Reguly
