VERT Alert - January 14, 2014

Today’s VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-544 on Wednesday, January 15th.

MS14-001

Multiple Memory Corruption Vulnerabilities in Microsoft Word

MULTIPLE

MS14-002 Kernel NDProxy Vulnerability CVE-2013-5065
MS14-003 Win32k Window Handle Vulnerability CVE-2014-0262
MS14-004 Query Filter DoS Vuln CVE-2014-0261

 

MS14-001

As far as Microsoft patches go, 2014 is starting off without a bang. The very first bulletin of the year describes multiple memory corruption vulnerabilities in Word that also affect Word Viewer, Office Web Apps, and SharePoint Word Automation Services. The most important thing to remember with this bulletin is that Office WebApps and SharePoint patches can be tricky installs, so you’ll want be extra vigilant in ensuring your systems are properly patched. 

MS14-002

The second bulletin this month is definitely the most interesting. It resolves a single vulnerability that has been public for at least a few months. The vulnerability, a privilege escalation in NDProxy, was used in conjunction with an Adobe exploit a few months ago, additional details on this can be found on the Microsoft Security Research & Defense blog. This should be at the top of everyone’s “to patch” list this month. The upside to this vulnerability is that only Windows XP and Server 2003 are affected.

MS14-003

Another privilege escalation, this one exists within Win32k.sys. There’s not much to add here, Win32k is commonly patched these days… it was also patched in December. It’s important to note that this vulnerability only affects Windows 7 and Server 2008 R2. 

MS14-004

The final bulletin this month resolves an issue with Microsoft Dynamics AX. This software is not as widely deployed as other Microsoft products, so fewer people are likely to be patching this and it will not prevent as juicy a target to attackers as other bulletins this month. Additionally, the vulnerability requires that the attacker have valid login credentials and only results in a denial of service. 

Additional Information

Additional security patches were released today from both Adobe and Oracle. Adobe has released updates for Adobe & Reader (APSB14-01) and Flash (APSB14-02). Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801.

Oracle is releasing 144 vulnerability fixes across a number of products including: Oracle Database, Oracle Solaris, and Oracle Java.

 

Ease of Use (published exploits) to Risk Table

Automated Exploit
          MS14-002  
Easy
             
Moderate
             
Difficult
             
Extremely Difficult
             
No Known Exploit
  MS14-004 MS14-001     MS14-003
 
 
 
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged