VERT Alert - September 9, 2014

Today’s VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-579 on Wednesday, September 10th.

 

MS14-052

Internet Explorer Resource Information Disclosure Vulnerability

CVE-2013-7331

Multiple Memory Corruption Vulnerabilities in Internet Explorer

MULTIPLE

MS14-053

.NET Framework Denial of Service Vulnerability

CVE-2014-4072

MS14-054

Task Scheduler Vulnerability

CVE-2014-4074

MS14-055

Lync Denial of Service Vulnerability

CVE-2014-4068

Lync XSS Information Disclosure Vulnerability

CVE-2014-4070

Lync Denial of Service Vulnerability

CVE-2014-4071

MS14-052

This month’s Internet Explorer update resolves 37 vulnerabilities. While 36 of these are the typical memory corruption vulnerabilities that we’ve come to expect from Microsoft each month, one stands out as worthy of discussion. CVE-2013-7331 is a vulnerability that was exploited publicly back in February.  This vulnerability uses the XMLDOM ActiveX control to determine the existence of files or intranet hosts via error codes.

MS14-053

The second bulletin this month patches a single vulnerability in the .NET Framework. While .NET is the affected product, the only known attack vector is ASP.NET, so upgrading IIS server hosting ASP.NET websites should be the top priority when triaging systems to update. The specific denial of service, which could lead to resource exhaustion, is caused by a hash collision. Microsoft has released an application configuration that can be applied to reduce the likelihood of a hash collision, however it is limited in the situations where it applies.

MS14-054

Up next we have a privilege escalation vulnerability in Task Scheduler on Windows 8 and 8.1 as well as Server 2012 and Server 2012 R2. The vulnerability involves bypassing the integrity checks used by Task Scheduler to validate scheduled tasks.

MS14-055

The final bulletin this month contains three vulnerabilities affecting Lync Server. Two of these are denial of service issues while the other is an XSS. A remote unauthenticated attacker that gained access to a Lync meeting invite could send malicious packets that could crash the server.

 

Additional Information

Adobe has released an update for Flash (APSB14-21[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

Automated Exploit
    MS14-052        
Easy
             
Moderate
             
Difficult
             
Extremely Difficult
             
No Known Exploit
      MS14-053 MS14-055 MS14-054

 
 
 
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged