
Today’s Vulnerability and Exposure Research Team (VERT) Alert addresses 8 new Microsoft Security Bulletins. VERT actively worked on coverage for these bulletins in order to meet our 24-hour SLA and shipped ASPL-562 on Wednesday, May 14th.

MS14-022

SharePoint Page Content Vulnerabilities CVE-2014-0251
SharePoint XSS Vulnerability CVE-2014-1754
Web Applications Page Content Vulnerability CVE-2014-1813

MS14-023

Microsoft Office Chinese Grammar Checking Vulnerability CVE-2014-1756
Token Reuse Vulnerability CVE-2014-1808

MS14-024

MSCOMCTL ASLR Vulnerability CVE-2014-1809

MS14-025

Group Policy Preferences Password Elevation of Privilege Vulnerability CVE-2014-1812

MS14-026

TypeFilterLevel Vulnerability CVE-2014-1806

MS14-027

Windows Shell File Association Vulnerability CVE-2014-1807

MS14-028

iSCSI Target Remote Denial of Service Vulnerability CVE-2014-0255
iSCSI Target Remote Denial of Service Vulnerability CVE-2014-0256

MS14-029

Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS14-022

The first bulletin this month resolves multiple issues in SharePoint. It’s important to note that beyond the usual suspects, SharePoint Server and Office WebApps, a couple of non-standard applications are affected by this issue, including SharePoint Designer and the SharePoint SDK. One of the three vulnerabilities is a cross-site scripting issue, while the other two have to do with the way in which user input is sanitized. Improper sanitization can lead to code execution in the context of the W3WP service account.

MS14-023

This month’s Office bulletin resolves two issues with Microsoft Office. One of these issues only affects users of the Chinese (Simplified) Grammar Checker. The second issue allows an attacker to steal access tokens for certain Microsoft Online services. Attackers who successfully steal tokens could use them to gain access to information stored in the user’s online account.

MS14-024

The third bulletin this month is listed as a fix for “Microsoft Common Controls”, but when you look at the details you realize that it’s a second patch for Microsoft Office, which isn’t immediately clear from the bulletin name. This update doesn’t resolve a vulnerability in the traditional sense; instead, it enables ASLR for the MSCOMCTL library. Microsoft indicated on the Security Research & Defense blog[1] that at least 4 in-the-wild exploits have used these ASLR bypasses in the past, which is a pretty good reason to apply this update as quickly as possible.

MS14-025

One of the more interesting bulletins this month, MS14-025 closes a hole used by many popular exploit toolkits to obtain credentials via Group Policy Preferences files. When you set a password in a GPP file, the password is encrypted using AES and stored in an XML file on SYSVOL. The key to use for decryption is published on MSDN, which makes this “feature” very easy to abuse. Microsoft has released a blog post[2] with additional details. This should be considered a high-priority fix this month. It’s worth noting that this update only stops you from configuring additional GPP configurations; you will still need to track down and remove existing configurations, and Microsoft is releasing a script to assist with this.
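Tracking down existing configurations starts with an inventory. The following is an added example, not Microsoft's script and not code from this post: it walks a mounted or copied SYSVOL tree and reports every XML element that still carries a non-empty `cpassword` attribute, without ever returning the stored value. The sample tree, the account names and the `ACCOUNT_ATTRS` list are constructed assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that may name the account (assumed list for this example).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
# Constructed sample tree, not taken from a real domain.
SAMPLE_FILES = {
    "Policies/{GUID-A}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="svc-backup"><Properties action="U" '
        'userName="svc-backup" cpassword="PLACEHOLDER-VALUE"/></User></Groups>',
    "Policies/{GUID-B}/Machine/Preferences/Services/Services.xml":
        '<NTServices><NTService name="Spooler"><Properties '
        'accountName="" cpassword=""/></NTService></NTServices>',
    "Policies/{GUID-C}/broken.xml": "<Groups><User>",  # deliberately malformed
}

def find_cpassword_entries(root_dir):
    """Return (findings, unparsed): elements with a non-empty cpassword
    attribute, and XML files that could not be read and need manual review.
    The stored value itself is never returned."""
    findings, unparsed = [], []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(f for f in files if f.lower().endswith(".xml")):
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                unparsed.append(path)
                continue
            for elem in root.iter():
                if elem.get("cpassword"):  # an empty attribute is not a finding
                    account = next(
                        (elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                    findings.append((path, elem.tag, account))
    return findings, unparsed

def demo():
    """Write the constructed sample tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as base:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        findings, unparsed = find_cpassword_entries(base)
        return ([(os.path.basename(p), t, a) for p, t, a in findings],
                [os.path.basename(p) for p in unparsed])
```

Against a real domain, pass the SYSVOL path to `find_cpassword_entries` and treat every finding as a credential to rotate as well as a setting to remove.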

MS14-026

This update is probably the lowest priority update for the majority of users. It affects servers with .NET Remoting enabled that use TypeFilterLevel checks. It is rare to find a system in this situation, since .NET Remoting is not a popular feature.

MS14-027

This is an interesting bug in the way that ShellExecute calls are handled. A large number of malware families make use of this technique, so it’s an important update to apply. However, it’s not going to lead to access to your system; this is simply an elevation of privilege attack.

MS14-028

There’s not a lot to say here, other than that the affected platform list is somewhat unique. Server 2008 R2, Server 2012 and Server 2012 R2 are all affected, but Server 2008 is only affected if you install Windows Storage Server 2008. It’s interesting to note that, due to its architecture, Windows Storage Server 2008 is not being patched. That means that users of Storage Server 2008 should be hyper-vigilant in defending against this vulnerability via the mitigations and workarounds provided by Microsoft. Ultimately, though, the outcome is only a denial of service, which limits the impact should a system be targeted.

MS14-029

The final bulletin of the month applies to Internet Explorer and, while it replaces the previous OOB update, it is not a cumulative update. This means that new systems will also require last month’s update for IE to be fully patched. This is also the first IE update to not include Windows XP.

Additional Information

Adobe has released an update for Flash (APSB14-14[3]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[4]. Additionally, Adobe has released new updates for Adobe Reader[5].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of use (rows) and the bulletins listed in each:

Automated Exploit: MS14-023, MS14-025, MS14-027
Easy: none
Moderate: none
Difficult: none
Extremely Difficult: MS14-029
No Known Exploit: MS14-024, MS14-022, MS14-028, MS14-026

Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

[5] http://helpx.adobe.com/security/products/acrobat/apsb14-15.html

 
