Skip to content ↓ | Skip to navigation ↓

It’s Patch Tuesday once again, and Microsoft is fixing nearly three-dozen CVEs, with the most critical being some last minute additions to mitigation cycle, according to experts from Tripwire’s Vulnerability and Exposure Research Team (VERT).

Internet Explorer

IE takes the lead in fixes this round with over 20 CVEs, and is definitely includes the most critical of the updates.

“Given the late additions to this patch cycle companies will want to make sure to take a careful look and test carefully before rolling it out to everyone” said Lamar Bailey, director of security research for Tripwire. “The VBScipt update is the next critical but this specific patch is for everyone without IE9; if you are using IE9 you will get the patch in your IE update.”

Tripwire security researcher Craig Young noted that with more than 20 CVEs in this month’s IE update, there are plenty of opportunities for drive-by downloads via watering hole attacks.

“The range of problems fixed this month can be combined to gain complete administrative access by tricking a user into visiting a malicious site,” Young said. “Without any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today.”

Forefront Protection for Exchange

Bailey also pointed out that MS14-008 is a particularly interesting update because while the issue is critical, it may not be possible to actually get to the vulnerable code.

“This vulnerability only affects Forefront Protection for Exchange and not to be confused with other Forefront products,” Bailey said. “Microsoft has taken a scalpel and cut out the vulnerable code so this will not be an issue going forward.”

Tyler Reguly, Tripwire’s manager of security research, added that while a lot of people will be taking notice of the Forefront Protection for Exchange patch this month, the attention will be fleeting.

“When Microsoft, who are the people with the source code, tell us they can’t trigger the vulnerability in any meaningful way, I am inclined to believe them,” Reguly said. “I suspect we’ll wake up tomorrow and – beyond pressing ‘apply’ – we’ll forget this patch was even released.”

ASLR Bypass

Then there is MS14-009, which fixes an ASLR bypass in .NET along with a few other things, and continues the trend we have seen recently in ASLR bypasses.

“Bypassing ASLR is high on attackers lists and I am glad to see Microsoft taking this attack vector seriously,” said Bailey. “We can look forward to seeing more of these fixes in the future.”

Deprecation of MD5

Young went on to highlight that some users may be in for a surprise this month if they didn’t prepare for the impending deprecation of MD5 as a suitable hashing algorithm for their certificates.

“Microsoft announced this back in August so users running into problems now have no one but themselves to blame per advisory 2862973,” said Young.

Bulletins Change

Reguly notes that the biggest discussion point with Microsoft’s patch drop this month is probably the change in bulletins.

“To go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,” Reguly said. “Either way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.”

Patch for Slowloris

The most interesting thing released this month is a patch for Slowloris in .NET, according to Reguly.

“This attack drew attention when RSnake Hanson wrote about it 5 years ago, but updates to his research showed reports of the concept going all the way back to 2005,” Reguly said. “While no one discussed ASP.NET in that work, it’s interesting to see a nine year old concept patched because it leads you to ask… Why now?”


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


picDefinitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.


Title image courtesy of ShutterStock