
Today’s Vulnerability and Exposures Research Team (VERT) Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-566 on Wednesday, June 11th.

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS14-030 | RDP MAC Vulnerability | CVE-2014-0296 |
| MS14-031 | TCP Denial of Service Vulnerability | CVE-2014-1811 |
| MS14-032 | Lync Server Content Sanitization Vulnerability | CVE-2014-1823 |
| MS14-033 | MSXML Entity URI Vulnerability | CVE-2014-1816 |
| MS14-034 | Embedded Font Vulnerability | CVE-2014-2778 |
| MS14-035 | TLS Server Certificate Renegotiation Vulnerability | CVE-2014-1771 |
| MS14-035 | Internet Explorer Information Disclosure Vulnerability | CVE-2014-1777 |
| MS14-035 | Multiple Elevation of Privilege Vulnerabilities in Internet Explorer | MULTIPLE |
| MS14-035 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| MS14-036 | Unicode Scripts Processor Vulnerability | CVE-2014-1817 |
| MS14-036 | GDI+ Image Parsing Vulnerability | CVE-2014-1818 |

MS14-030

The first vulnerability patched this month was discovered and reported to Microsoft by Tripwire. The vulnerability was discovered while enhancing our Microsoft Remote Desktop detection capabilities and was most evident on Windows 8.1. The issue exists in the signature verification of the generated MAC. According to Microsoft, users who can’t immediately install the update can enable Network Level Authentication (NLA) to mitigate the vulnerability.
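
As an added example (not part of the original alert or of Microsoft's bulletin), the PowerShell below reports whether NLA is required on the local RDP listener and can turn it on. The function name `Get-RdpNlaStatus` and its `-Enforce` switch are hypothetical; the script assumes the standard Terminal Services registry locations and that a Group Policy value, when present, overrides the listener setting.

```powershell
# Added example: audit (and optionally enforce) NLA for the local RDP listener.
# Get-RdpNlaStatus and -Enforce are hypothetical names used for this sketch.
function Get-RdpNlaStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enforce)

    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listener  = "$tsKey\WinStations\RDP-Tcp"
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Read one registry value; returns $null when the key or value is absent.
    function Read-Value($Path, $Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $deny   = Read-Value $tsKey 'fDenyTSConnections'      # 0 = RDP connections allowed
    $local  = Read-Value $listener 'UserAuthentication'   # 1 = NLA required
    $policy = Read-Value $policyKey 'UserAuthentication'  # set by Group Policy, if any

    # Assumption: a Group Policy value, when present, wins over the listener value.
    $effective = if ($null -ne $policy) { $policy } else { $local }
    $source    = if ($null -ne $policy) { 'GroupPolicy' } else { 'Listener' }

    if ($Enforce -and $effective -ne 1) {
        if ($null -ne $policy) {
            # Writing the listener value would not help while policy disables NLA.
            Write-Warning 'NLA is disabled by Group Policy; change the GPO, not the local value.'
        } elseif ($PSCmdlet.ShouldProcess($listener, 'Set UserAuthentication = 1')) {
            Set-ItemProperty -Path $listener -Name 'UserAuthentication' -Value 1 -Type DWord
            $effective = 1
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($effective -eq 1)
        SettingSource = $source
    }
}

# Report only; add -Enforce (optionally with -WhatIf) from an elevated session to change it.
Get-RdpNlaStatus
```

Hosts that report `RdpEnabled = True` and `NlaRequired = False` are the ones to prioritize for the MS14-030 update or the NLA mitigation.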

MS14-031

The second bulletin this month resolves an issue in the Microsoft Windows TCP/IP stack. A specially crafted TCP packet with malformed TCP Options can cause a denial of service on Windows Vista and newer operating systems.

MS14-032

Up next we have an XSS in Microsoft Lync Server 2010 and 2013. An attacker with a valid Lync meeting ID who convinces a user in a web session to click a link could perform a cross-site scripting attack. It’s important to note that the update for this bulletin is a cumulative update for Lync Server.

MS14-033

Microsoft XML Core Services (MSXML) versions 3.0 and 6.0 contain an information disclosure vulnerability. An attacker who persuades a user to browse to a malicious website could cause MSXML to load a file. A specially crafted file could reveal information about the file path to the attacker. The risk with this information disclosure is that the path could contain the user’s username.

MS14-034

This month’s Office vulnerability is a welcome change: the latest versions of Office – 2010 and 2013 – are not affected, and only Word 2007 and the Compatibility Pack are affected. The issue is an embedded font parsing vulnerability that could lead to code execution. Note that while it’s often only the older binary file format (.doc) that is vulnerable, in this case the newer XML format (.docx) is also affected.

MS14-035

The big update this month is MS14-035. After missing out on a cumulative update last month, it feels like Microsoft is making up for lost time with this month’s IE update – patching 59 vulnerabilities. It’s hard to say which vulnerabilities were destined for this month and which were destined for last month; either way, it’s an impressive list of issues with a few notable characters that we should call out. CVE-2014-1762 is a leftover from Pwn2Own at CanSecWest. CVE-2014-1770 is the vulnerability that was disclosed recently by ZDI after Microsoft violated ZDI’s 180-day patch release policy. Finally, CVE-2014-1771 had been publicly disclosed.

MS14-036

The final bulletin this month is really two bulletins wedged into one. Half of the bulletin affects GDI+ while the other half affects Uniscribe/DirectWrite (Unicode Font Rendering). This is something that Microsoft has done in the past, and it can create confusion. Bringing together multiple bulletins simply to reduce the bulletin count can be messy, and this is a great example: we are left with multiple bulletin replacements and multiple patches per operating system. Use care when patching your systems.

Additional Information

Adobe has released an update for Flash (APSB14-16[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2]. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table:

Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Ease of use (rows):

Automated Exploit: none
Easy: none
Moderate: none
Difficult: MS14-035
Extremely Difficult: MS14-031
No Known Exploit: MS14-033, MS14-034, MS14-036, MS14-030, MS14-032

[2] http://technet.microsoft.com/en-ca/security/advisory/2755801
