
Today’s VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-570 on Wednesday, July 9th.

MS14-037

Extended Validation (EV) Certificate Feature Bypass Vulnerability CVE-2014-2783
Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS14-038

Windows Journal Remote Code Execution Vulnerability CVE-2014-1824

MS14-039

On-Screen Keyboard Elevation of Privilege Vulnerability CVE-2014-2781

MS14-040

Ancillary Function Driver Elevation of Privilege Vulnerability CVE-2014-1767

MS14-041

DirectShow Elevation of Privilege Vulnerability CVE-2014-2780

MS14-042

Service Bus Denial of Service Vulnerability CVE-2014-2814

MS14-037

The first bulletin this month, as is usually the case, belongs to Internet Explorer. This month, we have 24 vulnerabilities resolved by this update. This should be at the top of everyone’s patch priority this month. If you can’t apply MS14-037, you should look into using another browser until this update can be applied.

MS14-038

The second bulletin this month fixes an issue with the seldom-mentioned Windows Journal application. A malicious .jnt file could lead to code execution, so applying this patch is a must. Users should evaluate whether Windows Journal is used in their environment. If it isn’t, then all protocol handlers and file-type associations should be deleted to mitigate future Windows Journal vulnerabilities.

MS14-039

The third bulletin this month is the first of three privilege escalations fixed in today’s patch drop. This one affects the on-screen keyboard and allowed an attacker with low privileges to run code in the context of the logged-in user, which is a common theme today. This is a sandbox escape technique.

MS14-040

The second of three privilege escalations is fixed by MS14-040. This is the most important bulletin of the three to apply because rather than low privilege to user, this exploit allows the attacker to go from low privilege to SYSTEM.

MS14-041

The final privilege escalation this month allows users to go from low privilege to the logged-in user. This is another sandbox escape, this time using DirectShow.

MS14-042

The final bulletin this month is the only remote issue: a denial of service in the Microsoft Service Bus when parsing malicious AMQP messages. Given that this is a denial of service in a seldom-used application, it seems unlikely to be targeted, but it is still a remote issue, so applying this update to affected systems is highly advised.

Additional Information

Adobe has released an update for Flash (APSB14-17[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of use levels: Automated Exploit, Easy, Moderate, Difficult, Extremely Difficult, No Known Exploit

Bulletins listed: MS14-037, MS14-038, MS14-039, MS14-041, MS14-042, MS14-040

Exposure categories: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged


[2] http://technet.microsoft.com/en-ca/security/advisory/2755801
