Skip to content ↓ | Skip to navigation ↓

Today’s Tripwire Vulnerability and Exposure Research Team (VERT) Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-548 on Wednesday, February 12th.

MS14-005

MSXML Information Disclosure Vulnerability CVE-2014-0266
MS14-006 TCP/IP Version 6 (IPv6) Denial of Service Vulnerability CVE-2014-0254
MS14-007 Microsoft Graphics Component Memory Corruption Vulnerability CVE-2014-0263
MS14-008 RCE Vulnerability CVE-2014-0294
MS14-009 POST Request DoS Vulnerability CVE-2014-0253
Type Traversal Vulnerability CVE-2014-0257
VSAVB7RT ASLR Vulnerability CVE-2014-0295
MS14-010 Internet Explorer Elevation of Privilege Vulnerability CVE-2014-0268
VBScript Memory Corruption Vulnerability CVE-2014-0271
Internet Explorer Cross-domain Information Disclosure Vulnerability CVE-2014-0293
Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE
MS14-011 VBScript Memory Corruption Vulnerability CVE-2014-0271
MS14-005

This month starts off with an information disclosure vulnerability that could allow an attacker to use MSXML content embedded in a website to read local files or the contents of authenticated websites. Microsoft has noted that some webpages may not render correctly after applying MS14-005 and suggests a workaround if you encounter this issue on a trusted website. Microsoft[1] and FireEye[2] first discussed this issue back in November of last year.

MS14-006

The single vulnerability fixed in MS14-006 is an IPv6 denial of service that causes a BSOD on Windows 8 and Server 2012 systems. The issue occurs when a large number of router advertisements are sent to a link-local multicast address.

MS14-007

The third update this month resolves an issue with Direct2D. This issue could lead to code execution via a drive-by vector in Internet Explorer.

MS14-008

The next bulletin this month fixes a single internally discovered issue with Forefront Protection for Exchange. It is rare to see Microsoft address internally discovered flaws and they state in their SR&D Blog Post[3] that this issue is unlikely to be exploited in the real world, so kudos to them for releasing an update and informing the world, it’s nice to see that sort of caution exercised by a large company.

MS14-009

The first patch to fix multiple vulnerabilities this month applies to Microsoft .NET. One of the vulnerabilities addressed is an ASLR bypass that was first described in 2012 on the Grey Hat Hacker blog[4]. Another is the Slowloris DoS attack detailed by RSnake[5] in 2009.

MS14-010

The second to the last bulletin of the month may cause confusion for some. It resolves a single vulnerability in VBScript on nearly all platforms. The exception is systems running Internet Explorer 9. Those systems will need to install the IE patch instead, this one doesn’t apply to them. This vulnerability could be exploited simply by visiting a website, so it should be patched as soon as possible.

MS14-011

The final bulletin of the month is Internet Explorer and, while we weren’t expecting to see it after last week’s advanced notice, given the number of vulnerabilities it patches, it’s definitely a welcome sight. This patch resolves 24 CVEs, including the IE 9 portion of MS14-010. Given the drive-by nature of these attacks, this is another bulletin where fast application is recommended.

Additional Information

Adobe released APSB14-06[6] with information on a new update for Adobe Shockwave. It is recommended that you update Shockwave as soon as possible.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
MS14-009
Moderate
Difficult
MS14-005
Extremely Difficult
No Known Exploit
MS14-007
MS14-010
MS14-011
MS14-006 MS14-008
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

[6] http://helpx.adobe.com/security/products/shockwave/apsb14-06.html

 

Related Articles:

 

Resources:

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

picDefinitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.

 

Title image courtesy of ShutterStock