VERT Alert - May 14, 2014

Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-562 on Wednesday, May 14th.

| Bulletin | Vulnerability | CVE |
| --- | --- | --- |
| MS14-022 | SharePoint Page Content Vulnerabilities | CVE-2014-0251 |
| MS14-022 | SharePoint XSS Vulnerability | CVE-2014-1754 |
| MS14-022 | Web Applications Page Content Vulnerability | CVE-2014-1813 |
| MS14-023 | Microsoft Office Chinese Grammar Checking Vulnerability | CVE-2014-1756 |
| MS14-023 | Token Reuse Vulnerability | CVE-2014-1808 |
| MS14-024 | MSCOMCTL ASLR Vulnerability | CVE-2014-1809 |
| MS14-025 | Group Policy Preferences Password Elevation of Privilege Vulnerability | CVE-2014-1812 |
| MS14-026 | TypeFilterLevel Vulnerability | CVE-2014-1806 |
| MS14-027 | Windows Shell File Association Vulnerability | CVE-2014-1807 |
| MS14-028 | iSCSI Target Remote Denial of Service Vulnerability | CVE-2014-0255 |
| MS14-028 | iSCSI Target Remote Denial of Service Vulnerability | CVE-2014-0256 |
| MS14-029 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |

MS14-022

The first bulletin this month resolves multiple issues in SharePoint. It’s important to note that beyond the usual suspects, SharePoint Server and Office WebApps, a couple of non-standard applications are also affected, including SharePoint Designer and the SharePoint SDK. One of the three vulnerabilities is a cross-site scripting issue, while the other two concern the way in which user input is sanitized. Improper sanitization can lead to code execution in the context of the W3WP service account.

MS14-023

This month’s Office bulletin resolves two issues with Microsoft Office. One of these issues only affects users of the Chinese (Simplified) Grammar Checker. The second issue allows an attacker to steal access tokens for certain Microsoft Online services. Attackers that successfully steal tokens could use them to gain access to information stored in the user’s online account.

MS14-024

The third bulletin this month is listed as a fix for ‘Microsoft Common Controls’, but when you look at the details you realize that it’s a second patch for Microsoft Office, which isn’t immediately clear from the bulletin name. This update doesn’t resolve a vulnerability in the traditional sense; instead it enables ASLR for the MSCOMCTL library. Microsoft indicated on the Security Research & Defense blog[1] that at least 4 in-the-wild exploits have used these ASLR bypasses in the past, which is a pretty good reason to apply this update as quickly as possible.

MS14-025

One of the more interesting bulletins this month, MS14-025 closes a hole used by many popular exploit toolkits to obtain credentials via Group Policy Preferences files. When you set a password in a GPP file, this password is encrypted using AES and stored in an XML file on SYSVOL. The key to use for decryption is published on MSDN, which makes it very easy to abuse this “feature”. Microsoft has released a blog post[2] with additional details. This should be considered a high priority fix this month. It’s worth noting that this update only stops you from configuring additional GPP configurations; you will need to track down and remove existing configurations, and Microsoft is releasing a script to assist with this.
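The cleanup step described above can be sketched as follows. This is an added example, not part of the original alert and not the script Microsoft is releasing: it walks a directory tree and reports every XML element that still carries a non-empty `cpassword` attribute (the attribute name GPP uses for the stored password), without decrypting anything. The function names, the sample XML and the directory layout are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP Groups.xml; the cpassword value is a
# placeholder, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-REAL"/>
  </User>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk" cpassword=""/>
  </User>
</Groups>
"""

def find_cpassword_entries(root_dir):
    """Return (file path, owning element tag, owning element name) for every
    XML element under root_dir whose child carries a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                continue  # skip unreadable or malformed files
            for parent in root.iter():
                for child in parent:
                    if child.get("cpassword"):  # empty string: no stored password
                        findings.append((path, parent.tag, parent.get("name")))
    return findings

def demo():
    """Build a throwaway directory shaped like a SYSVOL policy folder and scan it."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpp_dir = os.path.join(sysvol, "Policies", "{EXAMPLE-GUID}", "Machine",
                               "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return [(os.path.basename(p), tag, name)
                for p, tag, name in find_cpassword_entries(sysvol)]

if __name__ == "__main__":
    print(demo())
```

Any account reported this way should have its password changed after the preference item is removed, since the stored value must be treated as exposed.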

MS14-026

This update is probably the lowest priority update for the majority of users. It affects servers with .NET Remoting enabled that use TypeFilterLevel checks. It is rare to find a system in this situation, since .NET Remoting is not a popular feature.

MS14-027

This is an interesting bug in the way that ShellExecute calls are handled. A large number of malware families make use of this technique, so it’s an important update to apply. However, it’s not going to lead to access to your system; this is simply an elevation of privilege attack.

MS14-028

There’s not a lot to say here, other than that the affected platform list is somewhat unique. Server 2008 R2, Server 2012 and Server 2012 R2 are all affected, but Server 2008 is only affected if you install Windows Storage Server 2008. It’s interesting to note that, due to its architecture, Windows Storage Server 2008 is not being patched. That means that users of Storage Server 2008 should be hyper-vigilant in defending against this vulnerability via the mitigations and workarounds provided by Microsoft. Ultimately though, the outcome is only a denial of service, which limits the impact should a system be targeted.

MS14-029

The final bulletin of the month applies to Internet Explorer and, while it replaces the previous OOB update, it is not a cumulative update. This means that new systems will also require last month’s update for IE to be fully patched. This is also the first IE update to not include Windows XP.

Additional Information

Adobe has released an update for Flash (APSB14-14[3]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[4]. Additionally, Adobe has released new updates for Adobe Reader[5].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
| --- | --- |
| Automated Exploit | MS14-023, MS14-025, MS14-027 |
| Easy | |
| Moderate | |
| Difficult | |
| Extremely Difficult | MS14-029 |
| No Known Exploit | MS14-024, MS14-022, MS14-028, MS14-026 |

Exposure columns: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged