Skip to content ↓ | Skip to navigation ↓

Today’s Vulnerability and Exposure Research Team (VERT) Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-556 on Wednesday, April 9th.

MS14-017

Microsoft Office File Format Converter Vulnerability CVE-2014-1757
Microsoft Word Stack Overflow Vulnerability CVE-2014-1758
Word RTF Memory Corruption Vulnerability CVE-2014-1761

MS14-018

Internet Explorer Memory Corruption Vulnerability MULTIPLE

MS14-019

Windows File Handling Vulnerability CVE-2014-0315

MS14-020

Arbitrary Pointer Dereference Vulnerability CVE-2014-1759

 

MS14-017

The first bulletin released today fixes three vulnerabilities affecting Microsoft Word and the Word Family of products (including SharePoint with Word-related services enabled). Included in this list is the public CVE-2014-1761 for which Microsoft had previously released an advisory[1]. Given that the vulnerability is being used in limited attacks, this is likely the first update users will want to apply.

MS14-018

The second update today fixes six Internet Explorer issues. As always, with Internet Explorer it’s better to patch now rather than later. These vulnerabilities will likely find their way into Exploit Kits and Exploit Frameworks rather quickly.

MS14-019

The third bulletin this month is a little more interesting to look at and understand, however, it is not critical. A bug in the CreateProcess call could potentially allow a .cmd or .bat file to execute if an attacker can drop a malicious file in the current working directory. Microsoft has released a written explanation on this issue[2].

MS14-020

The final bulletin this month patches a vulnerability in Microsoft Publisher. If you’re not running Publisher, and most people aren’t, this is a bit of a freebie this month. If you are running Publisher, you may find solace in the fact that not many people target Microsoft Publisher vulnerabilities.

Additional Information

Adobe has released an update for Flash (APSB14-09[3]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[4].

Additionally, VERT would like to communicate information on the OpenSSL Heartbleed[5] vulnerability that is making headlines around the world today. The vulnerability allows information to be leaked via TLS requests, which could lead to the disclosure of SSL Private Keys. While immediate thoughts go to web servers, you should also consider your mail servers, VPN servers, and anything else that uses TLS with OpenSSL.

This, thankfully, means that OpenSSH is not affected. In addition to deploying the latest updates or disabling services, when possible, until they can be updated, you may wish to consider revoking current SSL certificates, generating new public/private keys, and obtain new signed certificates. While this is not a requirement, keys that have already leaked could be used to decrypt future traffic making them as dangerous as the vulnerability itself.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit
MS14-017
Easy
Moderate
Difficult
Extremely Difficult
MS14-019
No Known Exploit
MS14-018
MS14-020
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

[5] http://heartbleed.com/

 

Related Articles:

 

Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

 

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Title image courtesy of ShutterStock