Skip to content ↓ | Skip to navigation ↓

Today’s Vulnerability and Exposures Research Team (VERT) Alert addresses 5 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-552 on Wednesday, March 12th. (See also: Microsoft Patch Priority Index for March 2014).

MS14-012

Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS14-013

DirectShow Memory Corruption Vulnerability CVE-2014-0301

MS14-014

Silverlight DEP/ASLR Bypass Vulnerability CVE-2014-0319

MS14-015

Win32k Elevation of Privilege Vulnerability CVE-2014-0300
Win32k Information Disclosure Vulnerability CVE-2014-0323

MS14-016

SAMR Security Feature Bypass Vulnerability CVE-2014-0317

MS14-012

This month’s patches start with a massive Internet Explorer patch that resolves 18 vulnerabilities including two vulnerabilities that were seen used in targeted attacks, one affecting IE 10 and one affecting IE 8. As with most months, it’s critical that this bulletin be applied as soon as possible and treated as the most critical patch released today.

MS14-013

The second bulletin this month fixes a single issue in DirectShow, specifically in qedit.dll. This vulnerability could lead to a drive-by attack, however Microsoft has said on the SR&D Blog[1] that we’re unlikely to see reliable exploits in the next 30 days.

MS14-014

MS14-014 resolves a single vulnerability in Silverlight 5 that could allow for DEP and ASLR bypass. Updates are available for both Silverlight on Windows and Silverlight on OS X

MS14-015

This bulletin resolves two issues, a privilege escalation that was privately reported and an information disclosure that was publicly reported. It’s interesting that the information disclosure is actually a denial of service on newer platforms, e.g. Windows Server 2012, Windows Server 2012 R2, Windows 8 and Windows 8.1.

MS14-016

The final bulletin this month is also the most interesting, a security account manager remote (SAMR) protocol bypass. This vulnerability was reported by the Samba team and allows a user to make API calls that bypass the account lockout validation process effectively allowing a user to brute-force passwords without the domain policy interfering.

Additional Information

Adobe has released an update for Flash (APSB14-08[2]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[3].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (Published Exploits) to Risk Table

Automated Exploit
 MS14-012
Easy
Moderate
Difficult
Extremely Difficult
 MS14-015
No Known Exploit
 MS14-014 MS14-016 MS14-013
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

[3] http://technet.microsoft.com/en-ca/security/advisory/2755801

 

Related Articles:

 

Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service  for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management – a widely recognized security best practice among large corporations – easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology.

 

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Title image courtesy of ShutterStock