VERT Alert - June 10, 2014

Today’s VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-566 on Wednesday, June 11th.

MS14-030: RDP MAC Vulnerability (CVE-2014-0296)
MS14-031: TCP Denial of Service Vulnerability (CVE-2014-1811)
MS14-032: Lync Server Content Sanitization Vulnerability (CVE-2014-1823)
MS14-033: MSXML Entity URI Vulnerability (CVE-2014-1816)
MS14-034: Embedded Font Vulnerability (CVE-2014-2778)
MS14-035: TLS Server Certificate Renegotiation Vulnerability (CVE-2014-1771)
MS14-035: Internet Explorer Information Disclosure Vulnerability (CVE-2014-1777)
MS14-035: Multiple Elevation of Privilege Vulnerabilities in Internet Explorer (MULTIPLE)
MS14-035: Multiple Memory Corruption Vulnerabilities in Internet Explorer (MULTIPLE)
MS14-036: Unicode Scripts Processor Vulnerability (CVE-2014-1817)
MS14-036: GDI+ Image Parsing Vulnerability (CVE-2014-1818)

MS14-030

The first vulnerability patched this month was discovered and reported to Microsoft by Tripwire. The vulnerability was discovered while enhancing our Microsoft Remote Desktop detection capabilities and was most evident on Windows 8.1. The issue exists in the signature verification of the generated MAC. According to Microsoft, users who can’t immediately install the update can enable Network Level Authentication (NLA) to mitigate the vulnerability.

MS14-031

The second bulletin this month resolves an issue in the Microsoft Windows TCP/IP stack. A specially crafted TCP packet with malformed TCP Options can cause a denial of service on Windows Vista and newer operating systems.

MS14-032

Up next we have an XSS in Microsoft Lync Server 2010 and 2013. An attacker with a valid Lync meeting ID who convinces a user in a web session to click a link could perform a cross-site scripting attack. It’s important to note that the update for this bulletin is a cumulative update for Lync Server.

MS14-033

Microsoft XML Core Services (MSXML) versions 3.0 and 6.0 contain an information disclosure vulnerability. An attacker who persuades a user to browse to a malicious website could cause MSXML to load a file. A specially crafted file could reveal information about the file path to the attacker. The risk with this information disclosure is that the path could contain the user’s username.

MS14-034

This month’s Office vulnerability is a welcome change: the latest versions of Office – 2010 and 2013 – are not affected, and only Word 2007 and the Compatibility Pack are affected. The issue is an embedded font parsing vulnerability that could lead to code execution. Note that while it’s often only the older binary file format (.doc) that is vulnerable, in this case the newer XML format (.docx) is also affected.

MS14-035

The big update this month is MS14-035. After missing out on a cumulative update last month, it feels like Microsoft is making up for lost time with this month’s IE update, which patches 59 vulnerabilities. It’s hard to say which vulnerabilities were destined for this month and which were destined for last month. Either way, it’s an impressive list of issues with a few notable characters that we should call out. CVE-2014-1762 is a leftover from Pwn2Own at CanSecWest. CVE-2014-1770 is the vulnerability that was disclosed recently by ZDI after Microsoft violated ZDI’s 180-day patch release policy. Finally, CVE-2014-1771 had been publicly disclosed.

MS14-036

The final bulletin this month is really two bulletins wedged into one. Half of the bulletin affects GDI+ while the other half affects Uniscribe/DirectWrite (Unicode Font Rendering). This is something that Microsoft has done in the past, and it can create confusion. Bringing together multiple bulletins simply to reduce bulletin count can be messy, and this is a great example: we are left with multiple bulletin replacements and multiple patches per operating system. Use care when patching your systems.

Additional Information

Adobe has released an update for Flash (APSB14-16[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of Use:
Automated Exploit: none
Easy: none
Moderate: none
Difficult: MS14-035
Extremely Difficult: MS14-031
No Known Exploit: MS14-033, MS14-034, MS14-036, MS14-030, MS14-032

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged