VERT Alert: April 2014 Microsoft Patch Tuesday Analysis

Today’s Vulnerability and Exposure Research Team (VERT) Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-556 on Wednesday, April 9th.

MS14-017

The first bulletin released today fixes three vulnerabilities affecting Microsoft Word and the Word Family of products (including SharePoint with Word-related services enabled). Included in this list is the public CVE-2014-1761 for which Microsoft had previously released an advisory[1]. Given that the vulnerability is being used in limited attacks, this is likely the first update users will want to apply.

MS14-018

The second update today fixes six Internet Explorer issues. As always, with Internet Explorer it’s better to patch now rather than later. These vulnerabilities will likely find their way into Exploit Kits and Exploit Frameworks rather quickly.

MS14-019

The third bulletin this month is a little more interesting to look at and understand, however, it is not critical. A bug in the CreateProcess call could potentially allow a .cmd or .bat file to execute if an attacker can drop a malicious file in the current working directory. Microsoft has released a written explanation on this issue[2].

MS14-020

The final bulletin this month patches a vulnerability in Microsoft Publisher. If you’re not running Publisher, and most people aren’t, this is a bit of a freebie this month. If you are running Publisher, you may find solace in the fact that not many people target Microsoft Publisher vulnerabilities.

Additional Information

Adobe has released an update for Flash (APSB14-09[3]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[4].

Additionally, VERT would like to communicate information on the OpenSSL Heartbleed[5] vulnerability that is making headlines around the world today. The vulnerability allows information to be leaked via TLS requests, which could lead to the disclosure of SSL Private Keys. While immediate thoughts go to web servers, you should also consider your mail servers, VPN servers, and anything else that uses TLS with OpenSSL.

This, thankfully, means that OpenSSH is not affected. In addition to deploying the latest updates or disabling services, when possible, until they can be updated, you may wish to consider revoking current SSL certificates, generating new public/private keys, and obtain new signed certificates. While this is not a requirement, keys that have already leaked could be used to decrypt future traffic making them as dangerous as the vulnerability itself.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table