VERT Alert - August 13, 2014

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-575 on Wednesday, August 13th.

 

Bulletin | Vulnerability | CVE

MS14-043 | CSyncBasePlayer Use After Free Vulnerability | CVE-2014-4060
MS14-044 | SQL Master Data Services XSS Vulnerability | CVE-2014-1820
MS14-044 | Microsoft SQL Server Stack Overrun Vulnerability | CVE-2014-4061
MS14-045 | Win32k Elevation of Privilege Vulnerability | CVE-2014-0318
MS14-045 | Font Double-Fetch Vulnerability | CVE-2014-1819
MS14-045 | Windows Kernel Pool Allocation Vulnerability | CVE-2014-4064
MS14-046 | .NET ASLR Vulnerability | CVE-2014-4062
MS14-047 | LRPC ASLR Bypass Vulnerability | CVE-2014-0316
MS14-048 | OneNote Remote Code Execution Vulnerability | CVE-2014-2815
MS14-049 | Windows Installer Repair Vulnerability | CVE-2014-1814
MS14-050 | SharePoint Page Content Vulnerability | CVE-2014-2816
MS14-051 | Multiple Internet Explorer Elevation of Privilege Vulnerabilities | MULTIPLE
MS14-051 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE

MS14-043

Microsoft has decided to change things up this month. Normally, we’d be discussing Internet Explorer here, but this month, instead of IE being at the top of the list, it’s at the bottom. We considered writing this update in reverse for consistency but ultimately decided against it. So this month, the first update is the other critical bulletin, which affects Windows Media Center. The most important thing to note here is the applicability of the patch. Windows Media Center is an add-on for Vista and newer, and Microsoft has never been entirely certain of how to deploy it. For Vista, Media Center is only available with special OEM purchases; unless you bought a Windows Vista Media Center, you can likely ignore this. For Windows 7, Media Center is a free feature that you can enable. For Windows 8 and 8.1, Media Center is a paid add-on that can only be used on the non-Volume License Pro Version. Once you figure out whether your system can be affected by this vulnerability, applying the patch should be relatively simple by comparison.

MS14-044

This month we have an update to Microsoft SQL Server, a product that doesn’t get patched too often; the patch that is replaced for SQL Server 2008 was released in 2012. The important point to make with this update is that it’s the first time we’re seeing a patch issued for SQL Server 2014. This important patch gives SQL Server admins some time to figure out any “gotchas” in applying patches; if a critical remote code execution patch had been released this month, it could have been a much more dangerous learning experience.

MS14-045

The third update this month addresses three issues affecting Windows Kernel Mode Drivers. This is a standard patch that has become nearly as common as IE and may have actually surpassed Microsoft Office vulnerabilities in recent years. These vulnerabilities are extremely powerful when paired with remote code execution vulnerabilities to create a decent chained attack into the environment.

MS14-046

This is the first of two security feature bypass bulletins, a class of bulletin that demonstrates Microsoft’s commitment to security. Unlike a traditional vulnerability with a known outcome (code execution, privilege escalation, etc.), these bulletins resolve “utilities”, for lack of a better term, that make exploit development easier. Fixing issues like this one, which affects .NET, may be the reason why the next IE vulnerability doesn’t end up as the next IE exploit.

MS14-047

MS14-047 is the second security feature bypass bulletin this month and resolves an issue where an attacker could fill available memory space to make address prediction easier.

MS14-048

One of the features of OneNote 2007 allows users to create files on the file system when a document is opened. This bulletin resolves a vulnerability where that feature is repurposed to write a malicious file to a start-up directory. Newer versions of OneNote are not affected.

MS14-049

The Microsoft Installer is responsible for installing files on your Windows PC; it is behind that familiar dialog that asks if you want to install, repair, or remove the software. There is a way that attackers can modify an installer, replacing files with their own malicious copies. When the repair option is used, the malicious files are dropped on the file system.

MS14-050

Once again, SharePoint pays us a visit, this time with a vulnerability that allows third-party apps added to the SharePoint install to execute JavaScript in the context of the logged-in user. This bulletin doubles as a solid reminder to be wary of software coming from untrusted third parties.

MS14-051

The final bulletin this month, as stated previously, belongs to Internet Explorer. The patching trend where you deploy the IE patch first each month should continue with this bulletin. A large number of vulnerabilities, including one that is public, are resolved this month. This bulletin also introduces the Microsoft Exploitability Index value of 0, indicating that exploit code is already available for a vulnerability. Patch this issue ASAP.

Additional Information

Adobe has released an update for Flash (APSB14-18[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2]. Adobe has also released an update for Acrobat and Reader (APSB14-19[3]).

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of Use (rows):
Automated Exploit: (none)
Easy: (none)
Moderate: (none)
Difficult: (none)
Extremely Difficult: MS14-051
No Known Exploit: MS14-046, MS14-047, MS14-043, MS14-044, MS14-048, MS14-050, MS14-045, MS14-049

Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

 

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-18.html