VERT Alert: April 2014 Microsoft Patch Tuesday Analysis

Today’s Vulnerability and Exposure Research Team (VERT) Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-556 on Wednesday, April 9th.
| Vulnerability | CVE | Bulletin |
|---|---|---|
| Microsoft Office File Format Converter Vulnerability | CVE-2014-1757 | MS14-017 |
| Microsoft Word Stack Overflow Vulnerability | CVE-2014-1758 | MS14-017 |
| Word RTF Memory Corruption Vulnerability | CVE-2014-1761 | MS14-017 |
| Internet Explorer Memory Corruption Vulnerability | MULTIPLE | MS14-018 |
| Windows File Handling Vulnerability | CVE-2014-0315 | MS14-019 |
| Arbitrary Pointer Dereference Vulnerability | CVE-2014-1759 | MS14-020 |
MS14-017
The first bulletin released today fixes three vulnerabilities affecting Microsoft Word and the Word Family of products (including SharePoint with Word-related services enabled). Included in this list is the public CVE-2014-1761 for which Microsoft had previously released an advisory[1]. Given that the vulnerability is being used in limited attacks, this is likely the first update users will want to apply.
MS14-018
The second update today fixes six Internet Explorer issues. As always, with Internet Explorer it’s better to patch now rather than later. These vulnerabilities will likely find their way into Exploit Kits and Exploit Frameworks rather quickly.
MS14-019
The third bulletin this month is a little more interesting to look at and understand; however, it is not critical. A bug in the CreateProcess call could allow a .cmd or .bat file to execute if an attacker can drop a malicious file in the current working directory. Microsoft has released a written explanation of this issue[2].
MS14-020
The final bulletin this month patches a vulnerability in Microsoft Publisher. If you’re not running Publisher, and most people aren’t, this is a bit of a freebie this month. If you are running Publisher, you may find solace in the fact that not many people target Microsoft Publisher vulnerabilities.
Additional Information
Adobe has released an update for Flash (APSB14-09[3]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[4].
Additionally, VERT would like to communicate information on the OpenSSL Heartbleed[5] vulnerability that is making headlines around the world today. The vulnerability allows information to be leaked via TLS requests, which could lead to the disclosure of SSL Private Keys. While immediate thoughts go to web servers, you should also consider your mail servers, VPN servers, and anything else that uses TLS with OpenSSL.
Because the flaw is in OpenSSL's TLS code, OpenSSH (which does not use TLS) is thankfully not affected. In addition to deploying the latest updates, or disabling affected services until they can be updated, you may wish to consider revoking current SSL certificates, generating new public/private keys, and obtaining newly signed certificates. While this is not a requirement, keys that have already leaked could be used to decrypt future traffic, making them as dangerous as the vulnerability itself.
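As an added example (not part of the VERT alert), this is the triage the re-keying advice implies: pull notBefore out of a DER-encoded certificate and flag anything whose validity began before the fix shipped, so it can be queued for revocation and reissue. The certificate used here is a constructed skeleton, not a real one, and the threshold date (2014-04-07, when fixed OpenSSL was released) is an assumption; substitute the date your own hosts were actually patched.

```python
"""Flag X.509 certificates whose validity began before the Heartbleed fix."""
from datetime import datetime, timezone

# Assumption: fixed OpenSSL deployed on 2014-04-07; set to your real patch date.
HEARTBLEED_FIX = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _tlv(der, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_not_before(der):
    """Return the notBefore field of a DER X.509 certificate as an aware datetime."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE
    tag, start, end = _tlv(der, pos)        # notBefore: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def needs_reissue(der, fixed_at=HEARTBLEED_FIX):
    """True when the certificate's key may have been exposed to a vulnerable OpenSSL."""
    return cert_not_before(der) < fixed_at


def _der(tag, payload):
    """Minimal DER TLV encoder, only used to build the constructed sample below."""
    return bytes([tag, len(payload)]) + payload   # payloads here are < 128 bytes


def sample_cert(not_before_utc):
    """Constructed, unsigned Certificate skeleton; only the fields up to validity are meaningful."""
    validity = _der(0x30, _der(0x17, not_before_utc.encode()) + _der(0x17, b"150101000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                      # version v3
           + _der(0x02, b"\x01")                                 # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"") + validity + _der(0x30, b""))      # empty issuer, validity, empty subject
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

notBefore is only a proxy for key age: a key pair reused across renewals is older than its newest certificate, so inventory by key fingerprint where you can.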
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table

| Ease of Use (published exploits) | Bulletins |
|---|---|
| Automated Exploit | MS14-017 |
| Easy | |
| Moderate | |
| Difficult | |
| Extremely Difficult | MS14-019 |
| No Known Exploit | MS14-018, MS14-020 |

Exposure axis: Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
[2] http://blogs.technet.com/b/srd/archive/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file.aspx