June brings a huge Patch Tuesday for Internet Explorer updates, with a total of 59 CVEs being resolved, and patches for Lync, Lync Server and Remote Desktop in the mix, a TCP vulnerability, and a fix for an IE 8 bug that was reported through HP’s Zero Day Initiative back in October 2013.
“Although no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,” said Craig Young, security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT).
It’s been two months since the last cumulative IE update, and Tyler Reguly, manager of security research for VERT, says we’re likely seeing last month’s IE update and this month’s IE update released together, as last month there was only a non-cumulative update that seemed almost as if it was intended to be out of band.
In another blast from the past, Microsoft has updated the TCP stack to account for a resource exhaustion attack somewhat reminiscent of Sockstress.
“This vulnerability allows attackers to establish TCP connections with maliciously crafted window sizes leading to service unavailability,” said Young. “This is a particularly serious vulnerability because it can be exploited by a remote attacker with the goal of taking down a specific service or potentially taking a server completely offline.”
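As an added detection sketch (not from the article or from VERT), the following script shows the server-side symptom a defender can look for: many established connections from one peer whose advertised receive window is stuck near zero while the server still has data queued to send. The connection snapshot, field layout and thresholds are all constructed assumptions for illustration.

```python
"""Flag peers holding many window-starved TCP connections (added example).

A window-size resource exhaustion attack leaves the server with connections
that are ESTABLISHED, have data waiting in the send buffer, and a peer window
too small to ever drain it. Grouping such connections by remote address makes
the pattern visible in an ordinary connection snapshot.
"""
from collections import Counter
from typing import NamedTuple


class Conn(NamedTuple):
    remote: str       # peer IP address
    state: str        # TCP state as reported by the host
    peer_window: int  # receive window most recently advertised by the peer (bytes)
    backlog: int      # bytes queued in our send buffer for this connection


# Constructed snapshot, loosely modelled on netstat/ss output (not real data).
SNAPSHOT = [
    Conn("203.0.113.7", "ESTABLISHED", 0, 8192),
    Conn("203.0.113.7", "ESTABLISHED", 0, 8192),
    Conn("203.0.113.7", "ESTABLISHED", 4, 8192),
    Conn("203.0.113.7", "ESTABLISHED", 0, 8192),
    Conn("198.51.100.2", "ESTABLISHED", 65535, 0),
    Conn("198.51.100.2", "ESTABLISHED", 0, 0),  # idle zero window, nothing queued: benign
    Conn("192.0.2.9", "TIME_WAIT", 0, 0),       # not established, ignored
]


def starved_connections(conns, max_window=8):
    """Yield established connections whose peer window is <= max_window while
    we still have data queued to send (the attack's tell-tale state)."""
    for c in conns:
        if c.state == "ESTABLISHED" and c.peer_window <= max_window and c.backlog > 0:
            yield c


def suspicious_peers(conns, max_window=8, min_conns=3):
    """Return {remote_ip: count} for peers holding at least min_conns starved
    connections. Both thresholds are assumed values to tune per server."""
    counts = Counter(c.remote for c in starved_connections(conns, max_window))
    return {ip: n for ip, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    for ip, n in suspicious_peers(SNAPSHOT).items():
        print(f"{ip}: {n} starved connections - possible window-size exhaustion")
```

On a live host the same logic can be fed from a periodic `ss`/`netstat` dump; a single peer accumulating starved connections over several samples is a stronger signal than one snapshot.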
This month we’re also seeing a patch for Remote Desktop to mitigate a vulnerability that could allow attackers in a position to perform a man-in-the-middle attack to modify RDP content.
“This is the first server-side Remote Desktop vulnerability released since 2012 and the first one ever released for Windows 8, and it was discovered and reported by Tripwire,” Reguly noted. “While it’s not the most critical vulnerability fixed this month, it’s nice to see your research lead to patches that are delivered to customers.”
An embedded font issue affecting certain Office products is also interesting because it is one of the few issues of these types which affect the newer, open XML format rather than being limited to the legacy binary format.
“In the past Microsoft has advised users to disable the binary format as a mitigation for attacks against this format. Unfortunately in this case disabling the binary format does not prevent exploitation,” Young said.
Then there is MS14-034, which affects only Office 2007, and is a good reminder that Microsoft’s Security Development Lifecycle really does work.
“It would be nice to see them shorten their support windows, forcing consumers and enterprises to upgrade more frequently. This would remove older, more vulnerable software from the picture,” said Reguly.