Time flies when you’re having fun, and we must be having a wonderful time because Patch Tuesday is here again already. The good news is that, as noted in our advance notification blog post, it’s another light one, with only four patches: two critical and two important. Every one of them either requires a system restart or may require one. The affected software is various versions of Windows, Internet Explorer and Microsoft Office.
The bad news is that all four address vulnerabilities that can allow remote code execution, which is particularly serious because an attacker who can run arbitrary code on a system can do a great many things, up to and including taking complete control of it. If the currently logged-on user is an administrator, the attacker effectively owns the system outright. If not, attackers commonly try to escalate privileges once they are in. With elevated privileges (an administrative account, a system account or other avenues), an attacker can often disguise the intrusion so the real admins don’t know what’s happening.
The most dangerous subcategories of remote code execution exploit are drive-by downloads, which can infect a computer simply because a user visits a web site, and those distributed via file types that are routinely sent and opened, such as Office documents. That is the case with the two critical vulnerabilities this month, whereas the two rated important require the user to open file types that the average user handles far less often.
These four security updates address a total of eleven vulnerabilities, with six of those vulnerabilities being addressed by one update – the critical patch for Internet Explorer. For the “full scoop,” check out the bulletin summary on the TechNet web site or attend the webcast on Wednesday, where you can ask questions of Microsoft security experts.
Meantime, here are the updates:
MS14-017 (KB2949660) These vulnerabilities affect all supported versions of Microsoft Office, including Office 2003 SP3, Office 2007 SP3, Office 2010 SP1 and SP2, Office 2013 and Office 2013 RT with or without SP1, and Office for Mac 2011. Both 32-bit and 64-bit versions are affected. Other affected software includes Word Viewer, the Office Compatibility Pack SP3, Word Automation Services (WAS) in SharePoint Server 2010 and 2013, and Office Web Apps 2010 and 2013. In other words, if it includes Microsoft Word in any form or fashion, it may need to be patched.
Note, however, that for SharePoint the update applies only to the Word Automation Services component, which runs on standalone SharePoint installations; if you are running SharePoint in a server farm, Word Automation Services is not enabled by default. In addition, some configurations of Word 2010 are not included and won’t be offered the update.
The update addresses three vulnerabilities, one publicly reported and two privately reported, that could be exploited to execute code remotely with the rights of the logged-on user, so a user who works without administrative rights limits what such an exploit can do. The critical rating applies to all of the affected software. The root cause is the way Office parses specially crafted Word files; the update corrects that parsing.
MS14-018 (KB2950467) These memory corruption vulnerabilities affect Internet Explorer 6, 7, 8, 9 and 11 on Windows XP, Vista, 7, 8.1 and RT 8.1, as well as Windows Server 2003, 2008, 2008 R2 and 2012 R2. Interestingly, IE 10, whether on Windows 7, Windows 8, Windows RT, Server 2008 R2 x64 SP1 or Server 2012, is not affected. Server Core installations of Windows Server are likewise not affected, because Internet Explorer is not installed on them.
The update addresses six vulnerabilities, all of which were reported privately. An attacker could use them to execute code remotely when a user views a web page containing the malicious content. The critical rating applies to all affected software. Note that for IE 11 you should install the latest cumulative update (described in MS14-012) before installing this one, to avoid compatibility issues.
The vulnerabilities exist because of the way IE handles objects in memory; the update fixes them by modifying how those objects are handled.
MS14-019 (KB2922229) This file handling vulnerability affects all supported versions of Windows, including Windows XP, Vista, 7, 8, 8.1, RT and RT 8.1, along with Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 (and this does include Server Core installations and Itanium-based systems). The rating is important for all affected software.
The update addresses a single, publicly disclosed vulnerability that an attacker could exploit to run arbitrary code if he or she can convince a user to run a maliciously crafted .bat or .cmd file from a trusted or semi-trusted network location. The typical corporate user today doesn’t routinely run .bat and .cmd files, hence the lower severity rating. However, an attacker might persuade users to click a link to the malicious files. At the time of writing there was no indication that this vulnerability had been exploited in the wild.
The vulnerability exists because of the way Windows processes .bat and .cmd files that are run from an external network location (an improper restriction of the path). The update fixes the problem by changing that processing.
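One check a practitioner may want alongside this patch is to hunt for batch and command scripts being launched from network locations, which is exactly the trigger MS14-019 needs. The following is an added example, not code from the original post or from Microsoft: it parses a constructed, simplified key=value export of Windows Security process-creation events (event 4688 with command-line auditing turned on) and flags any .bat or .cmd file run from a UNC path, including the \\?\UNC\ form, or from a drive letter assumed to be mapped to a share (Z: here is an assumption). The sample events are made up for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Security event 4688 with
# command-line auditing enabled), flattened into a one-line key=value export.
# These are made-up records for the example, not real logs. "CommandLine"
# is always the last field so that its value may contain spaces and quotes.
SAMPLE_EVENTS = [
    r'EventID=4688 Computer=WS01 SubjectUserName=alice NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c \\fileserver\public\setup.bat',
    # Double-clicking a batch file in Explorer produces this shape of command line.
    r'EventID=4688 Computer=WS01 SubjectUserName=alice NewProcessName=C:\Windows\System32\cmd.exe CommandLine=C:\Windows\system32\cmd.exe /c ""\\?\UNC\fileserver\share\install tools.cmd" "',
    r'EventID=4688 Computer=WS02 SubjectUserName=bob NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c Z:\deploy\run.cmd',
    r'EventID=4688 Computer=WS02 SubjectUserName=bob NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c C:\Scripts\backup.bat',
    r'EventID=4688 Computer=WS03 SubjectUserName=carol NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c \\?\C:\local\tool.cmd',
    r'EventID=4688 Computer=WS03 SubjectUserName=carol NewProcessName=C:\Apps\app.exe CommandLine=C:\Apps\app.exe --config \\fileserver\share\app.cfg',
    r'EventID=4624 Computer=WS03 SubjectUserName=carol LogonType=3',
]

# Assumption: drive Z: is mapped to a network share in this environment.
# Real mappings are site-specific (e.g. from "net use" or logon scripts).
MAPPED_DRIVES = frozenset({'Z'})

# A .bat/.cmd path, either "quoted" (may contain spaces) or a bare token.
SCRIPT_RE = re.compile(
    r'"([^"]+?\.(?:bat|cmd))"|([^"\s]+?\.(?:bat|cmd))(?=\s|$)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    script: str


def parse_event(line):
    """Turn one key=value export line into a dict; CommandLine keeps its spaces."""
    head, sep, cmdline = line.partition(' CommandLine=')
    fields = dict(tok.split('=', 1) for tok in head.split() if '=' in tok)
    if sep:
        fields['CommandLine'] = cmdline
    return fields


def is_network_path(path, mapped_drives=MAPPED_DRIVES):
    r"""True for UNC paths (including the \\?\UNC\ form) and mapped-drive paths."""
    p = path.strip()
    if p.upper().startswith('\\\\?\\UNC\\'):
        return True
    if p.startswith('\\\\?\\'):          # device-path prefix on a local path
        p = p[4:]
    if p.startswith('\\\\'):             # plain \\server\share\...
        return True
    return len(p) >= 2 and p[1] == ':' and p[0].upper() in mapped_drives


def find_network_script_launches(lines, mapped_drives=MAPPED_DRIVES):
    """Return a Finding for every 4688 event whose command line runs a
    .bat or .cmd file from a network location."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '4688':
            continue
        for m in SCRIPT_RE.finditer(ev.get('CommandLine', '')):
            script = m.group(1) or m.group(2)
            if is_network_path(script, mapped_drives):
                findings.append(Finding(ev.get('Computer', '?'),
                                        ev.get('SubjectUserName', '?'),
                                        script))
    return findings


if __name__ == '__main__':
    for f in find_network_script_launches(SAMPLE_EVENTS):
        print(f'{f.computer}: {f.user} ran {f.script} from a network location')
```

A UNC path is unambiguous, but mapped-drive detection depends on knowing which letters point at shares, so feed the function your real mapping rather than the assumed Z:. Run over an exported log, it gives a starting list of hosts and users to review, and the same query is worth repeating after KB2922229 is deployed, since the behaviour it catches is still something to be suspicious of.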
MS14-020 (KB2950145) This arbitrary pointer dereference vulnerability affects two supported versions of Microsoft Publisher: Publisher 2003 SP3 and Publisher 2007 SP3. Later versions (Publisher 2010 and 2013) are not affected, and Office 2013 RT and Office for Mac don’t include Publisher, so they are not affected either. Any version of Windows running an affected version of Publisher is at risk, but Publisher is normally run on workstations rather than on server operating systems.
Publisher is a desktop publishing program used by relatively few people compared to the more popular Office applications such as Word, Excel, PowerPoint and Outlook. It is generally included only in the higher-end editions of Office, has a small share of the desktop publishing market, and that market as a whole is in decline. The small install base limits exposure and contributes to the lower severity rating for this vulnerability.
The update addresses one vulnerability, reported privately by an anonymous researcher working with VeriSign iDefense Labs, that could allow remote code execution. To exploit it, an attacker would need to get a user to open a maliciously crafted .PUB file in an affected version of Publisher. It can’t be exploited merely by delivering an e-mail; the user would have to open an attached .PUB file. Not opening .PUB files from untrusted sources will help users avoid this one.
The problem stems from the way the Publisher Converter component handles objects in memory when parsing .PUB files, which can corrupt memory. The update fixes the problem by modifying that conversion process.