VERT Alert - April 8, 2014

Today’s VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-556 on Wednesday, April 9th.

MS14-017

Microsoft Office File Format Converter Vulnerability

CVE-2014-1757

Microsoft Word Stack Overflow Vulnerability

CVE-2014-1758

Word RTF Memory Corruption Vulnerability

CVE-2014-1761

MS14-018

Internet Explorer Memory Corruption Vulnerability

MULTIPLE

MS14-019

Windows File Handling Vulnerability

CVE-2014-0315

MS14-020

Arbitrary Pointer Dereference Vulnerability

CVE-2014-1759

 

MS14-017

The first bulletin released today fixes three vulnerabilities affecting Microsoft Word and the Word Family of products (including SharePoint with Word-related services enabled). Included in this list is the public CVE-2014-1761 for which Microsoft had previously released an advisory[1]. Given that the vulnerability is being used in limited attacks, this is likely the first update users will want to apply.

MS14-018

The second update today fixes six Internet Explorer issues. As always, with Internet Explorer it’s better to patch now rather than later. These vulnerabilities will likely find their way into Exploit Kits and Exploit Frameworks rather quickly.

MS14-019

The third bulletin this month is a little more interesting to look at and understand, however, it is not critical. A bug in the CreateProcess call could potentially allow a .cmd or .bat file to execute if an attacker can drop a malicious file in the current working directory. Microsoft has released a written explanation on this issue[2].

MS14-020

The final bulletin this month patches a vulnerability in Microsoft Publisher. If you’re not running Publisher, and most people aren’t, this is a bit of a freebie this month. If you are running Publisher, you may find solace in the fact that not many people target Microsoft Publisher vulnerabilities.

Additional Information

Adobe has released an update for Flash (APSB14-09[3]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[4].

Additionally, VERT would like to communicate information on the OpenSSL Heartbleed[5] vulnerability that is making headlines around the world today. The vulnerability allows information to be leaked via TLS requests, which could lead to the disclosure of SSL Private Keys. While immediate thoughts go to web servers, you should also consider your mail servers, VPN servers, and anything else that uses TLS with OpenSSL. This, thankfully, means that OpenSSH is not affected. In addition to deploying the latest updates or disabling services, when possible, until they can be updated, you may wish to consider revoking current SSL certificates, generating new public/private keys, and obtain new signed certificates. While this is not a requirement, keys that have already leaked could be used to decrypt future traffic making them as dangerous as the vulnerability itself.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit
    MS14-017        
Easy
             
Moderate
             
Difficult
             
Extremely Difficult
    MS14-019        
No Known Exploit
    MS14-018
MS14-020
   
 
 
 
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged