
Today’s VERT Alert addresses 4 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-579 on Wednesday, September 10th.

MS14-052

Internet Explorer Resource Information Disclosure Vulnerability CVE-2013-7331
Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS14-053

.NET Framework Denial of Service Vulnerability CVE-2014-4072

MS14-054

Task Scheduler Vulnerability CVE-2014-4074

MS14-055

Lync Denial of Service Vulnerability CVE-2014-4068
Lync XSS Information Disclosure Vulnerability CVE-2014-4070
Lync Denial of Service Vulnerability CVE-2014-4071


MS14-052

This month’s Internet Explorer update resolves 37 vulnerabilities. While 36 of these are the memory corruption vulnerabilities we’ve come to expect from Microsoft each month, one stands out as worthy of discussion. CVE-2013-7331 was exploited publicly back in February. It abuses the XMLDOM ActiveX control: the error codes returned when the control is asked to load a resource differ depending on whether the target exists, so a malicious page can learn which local files and intranet hosts are present on the victim’s machine and network without ever executing code.

MS14-053

The second bulletin this month patches a single vulnerability in the .NET Framework. While .NET is the affected product, the only known attack vector is ASP.NET, so IIS servers hosting ASP.NET websites should be the top priority when triaging systems to update. The vulnerability is a denial of service caused by hash collisions: an attacker who submits many inputs that hash to the same value drives the framework into resource exhaustion. Microsoft has released an application configuration that can be applied to reduce the likelihood of a hash collision; however, it applies only in limited situations, so it is a stopgap rather than a substitute for the patch.
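The hash-collision resource exhaustion behind MS14-053 can be illustrated in a few lines. The following is an added example, not code from the bulletin or from Tripwire: the weak 31-multiplier hash, the chained table, the generated keys and the two hardening choices shown (a per-process seeded hash and a cap on keys per request) are constructed for the illustration and are not the .NET Framework’s implementation or Microsoft’s configuration workaround.

```python
"""Added illustration of the hash-collision resource-exhaustion bug class
behind MS14-053 (CVE-2014-4072). Everything here is constructed for the
demo: the weak hash, the chained table and the sample keys are NOT the .NET
Framework's code, and the mitigations shown are generic ones (seeded
hashing, a key cap), not Microsoft's specific application configuration."""
import hashlib
import itertools
import secrets
from typing import Optional

TABLE_SIZE = 1024


def weak_hash(key: str) -> int:
    """Unkeyed multiplicative string hash (the classic h = h*31 + c).

    Because it is identical on every server, an attacker can compute keys
    that collide offline and replay them against any instance."""
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(key: str, seed: bytes) -> int:
    """Per-process randomized hash: keyed BLAKE2b truncated to 32 bits.

    Without the seed the attacker cannot predict which keys share a bucket."""
    digest = hashlib.blake2b(key.encode(), key=seed, digest_size=4).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(pairs: int) -> list:
    """Build 2**pairs distinct keys with identical weak_hash values.

    'Aa' and 'BB' hash alike under h*31 + c (65*31+97 == 66*31+66), so every
    concatenation of `pairs` blocks drawn from {'Aa', 'BB'} collides."""
    return ["".join(blocks) for blocks in itertools.product(("Aa", "BB"), repeat=pairs)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    the work an attacker multiplies by forcing every key into one chain."""

    def __init__(self, hash_fn, size: int = TABLE_SIZE, max_keys: Optional[int] = None):
        self.buckets = [[] for _ in range(size)]
        self.hash_fn = hash_fn
        self.max_keys = max_keys  # generic hardening: bound keys per request
        self.count = 0
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        if self.max_keys is not None and self.count >= self.max_keys:
            raise ValueError("too many keys in one request")
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))
        self.count += 1


def measure(hash_fn, keys: list, max_keys: Optional[int] = None) -> int:
    """Insert every key and return the number of comparisons performed."""
    table = ChainedTable(hash_fn, max_keys=max_keys)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def demo(pairs: int = 9, seed: Optional[bytes] = None) -> dict:
    """Compare attacker-chosen keys against the weak and the seeded hash."""
    keys = colliding_keys(pairs)                # 512 keys for pairs=9
    seed = seed or secrets.token_bytes(16)      # fresh per process
    weak = measure(weak_hash, keys)             # n*(n-1)/2: one chain, quadratic
    seeded = measure(lambda k: keyed_hash(k, seed), keys)  # spread over buckets
    capped = None
    try:
        measure(weak_hash, keys, max_keys=100)  # request rejected early
    except ValueError as exc:
        capped = str(exc)
    return {"keys": len(keys), "weak_comparisons": weak,
            "seeded_comparisons": seeded, "capped": capped}


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name}: {val}")
```

With 512 colliding keys the unkeyed table performs 130,816 comparisons (every key lands in the same chain, so the cost grows quadratically), while the seeded hash spreads the same keys across buckets and does on the order of a hundred. The key cap bounds the worst case for a single request without removing the predictability of the hash, which is why a configuration-only mitigation is partial and the patch remains the real fix.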

MS14-054

Up next, we have a privilege escalation vulnerability in Task Scheduler on Windows 8 and 8.1, as well as Server 2012 and Server 2012 R2. The vulnerability involves bypassing the integrity checks used by Task Scheduler to validate scheduled tasks.

MS14-055

The final bulletin this month contains three vulnerabilities affecting Lync Server. Two of these are denial of service issues and the other is a cross-site scripting (XSS) flaw. A remote, unauthenticated attacker who has obtained a Lync meeting invite could send specially crafted packets that crash the server.


Additional Information

Adobe has released an update for Flash (APSB14-21[1]) today. Since we have a Flash update, we also have an update for Microsoft Security Advisory 2755801[2].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (Published Exploits) to Risk Table:

Exploit ease (rows): Automated Exploit, Easy, Moderate, Difficult, Extremely Difficult, No Known Exploit
Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Automated Exploit: MS14-052
Easy: none
Moderate: none
Difficult: none
Extremely Difficult: none
No Known Exploit: MS14-053, MS14-054, MS14-055

Resources:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.


The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Title image courtesy of ShutterStock