After I reported on last month's light sprinkling of Microsoft security patches (four, none critical), I received a number of comments from readers along the lines of "Yes, but watch out for a big one next month." I was happy to say last Thursday that their dire predictions didn't come true, as the initial advance notification listed only five patches for February.

Well, it seems we aren't getting off quite that easily after all. Two more have been added, for a total of seven. Four of these address remote code execution vulnerabilities and are all rated critical. The remaining three are rated important and cover elevation of privilege, information disclosure and denial of service vulnerabilities. It's still by no means an overwhelming load; it certainly doesn't begin to approach the record-breaking release of 17 bulletins covering 64 vulnerabilities back in April 2011.

As I reported in our advance notification post for this month, four of the originally announced patches affect components of the Windows operating systems. So do the two additional ones; one of them is a cumulative update for Internet Explorer.

For the official and complete low-down on all of this month's patches, check out the bulletin summary on the Microsoft web site. Also note that the bulletins below are listed by severity rather than in numerical order, because the two patches added late (the IE and VBScript updates) took the highest bulletin numbers and are both critical.
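Before working through the individual bulletins, here is a quick way to see which of the seven are already on a given machine. This is an added example written for this post, not a Microsoft tool: the KB numbers are the ones listed in the bulletins below, and the bulletin descriptions in the table are my own shorthand. It first tries Win32_QuickFixEngineering (what Get-HotFix wraps) and then falls back to the Windows Update history, because updates delivered as MSI/MSP packages never show up in the former.

```powershell
# Added example (not from the original post): report which of the
# February 2014 bulletins are installed on the local machine.
$Bulletins = [ordered]@{
    'KB2909921' = 'MS14-010 Internet Explorer cumulative update (Critical)'
    'KB2928390' = 'MS14-011 VBScript scripting engine (Critical)'
    'KB2912390' = 'MS14-007 Direct2D (Critical)'
    'KB2927022' = 'MS14-008 Forefront Protection for Exchange 2010 (Critical)'
    'KB2916607' = 'MS14-009 .NET Framework (Important)'   # umbrella KB, see note below
    'KB2916036' = 'MS14-005 MSXML 3.0 (Important)'
    'KB2904659' = 'MS14-006 IPv6 (Important)'
}

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)

    # Fast path: Win32_QuickFixEngineering. Covers most OS and IE packages.
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }

    # Fallback: Windows Update history via the WUA COM API. Packages
    # installed through MSI (e.g. .NET Framework, Forefront) are missing
    # from QFE but appear here with the KB number in their title.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        $hits = $searcher.QueryHistory(0, $total) |
            Where-Object { $_.Title -match $Kb -and $_.ResultCode -eq 2 }  # 2 = Succeeded
        if ($hits) { return $true }
    }
    return $false
}

function Get-BulletinStatus {
    foreach ($kb in $Bulletins.Keys) {
        [pscustomobject]@{
            KB          = $kb
            Bulletin    = $Bulletins[$kb]
            Installed   = Test-KbInstalled -Kb $kb
        }
    }
}

Get-BulletinStatus | Format-Table -AutoSize
```

Two caveats when reading the output. "Not installed" is not the same as "vulnerable": KB2904659 only applies to Windows 8, RT and Server 2012, and KB2927022 only to servers running Forefront Protection for Exchange, so they will show as missing everywhere else. And for MS14-009 the bulletin's KB2916607 is an umbrella article; the per-framework packages that actually get installed carry their own KB numbers, which are listed in the bulletin, so substitute those for the .NET versions present on the machine.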

CRITICAL

MS14-010 (KB2909921) This is a cumulative security update for Internet Explorer that affects IE 6, 7, 8, 9, 10 and 11 running on all supported versions of Windows client and server operating systems, with the exception of the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2 (which don’t have IE installed).

This update addresses one vulnerability that had already been disclosed publicly and a whopping twenty-three privately reported vulnerabilities in IE, the most serious of which could allow an attacker to remotely execute code by convincing the user to view a malicious web page in IE. The vulnerabilities addressed include elevation of privilege, cross-domain information disclosure and multiple memory corruption issues. The critical rating applies to IE on all operating systems except Windows 7 and Server 2003, where it is rated moderate for IE 6 and 7 only. My advice is to treat this as a critical update regardless of IE version and OS.

The vulnerabilities are caused by the way IE handles objects in memory, and the update fixes them by changing that handling and by adding further permission validations to IE. If you are unable to install the update, there are workarounds that include blocking ActiveX controls and Active Scripting in the Internet and Local intranet zones. Instructions are included in the bulletin.

MS14-011 (KB2928390) This vulnerability in the VBScript scripting engine affects versions 5.6, 5.7 and 5.8 of VBScript running on all supported versions of Windows. There is no security impact on server core installations, however.

This update addresses one privately reported memory corruption vulnerability in VBScript that could allow an attacker to remotely execute code by convincing a user to view a malicious web site with IE. The critical rating applies to all versions of the Windows client operating system; it is rated moderate on Windows server operating systems.

The vulnerability is caused by the way the VBScript scripting engine handles objects in memory, and the update fixes it by changing that handling. If you are unable to install the update, there are workarounds that include blocking ActiveX controls and Active Scripting. Instructions are included in the bulletin.

MS14-007 (KB2912390) This vulnerability in the Direct2D component affects Windows 7, 8, 8.1 and RT and Windows Server 2008 R2, 2012 and 2012 R2 (except server core installations). It does not affect Windows XP, Vista, Server 2003 or 2008.

This update addresses one vulnerability that was privately reported by Omair, working with HP’s Zero Day Initiative, which could allow an attacker to remotely execute code by convincing a user to view a malicious web page with IE. The critical rating applies to all client and server versions of Windows that are affected.

The vulnerability is caused by the way Direct2D handles objects in memory, and the update fixes it by changing that handling. Direct2D is the hardware-accelerated 2D vector graphics API included in newer versions of Windows (Windows 7 and later), which is why the older operating systems are not affected.

MS14-008 (KB2927022) This vulnerability in Microsoft Forefront Protection for Exchange Server affects Forefront Protection for Exchange (FPE) 2010 only, and only version 11.0.727.0 of that product. Forefront Protection 2010 for SharePoint, Forefront Security for Office Communications Server and Forefront Endpoint Protection are not affected, nor are Exchange Online Protection or Forefront Client Security.

This update addresses one privately reported vulnerability that could allow an attacker to remotely execute code if a specially crafted email message is scanned by FPE. The attacker needs no user interaction, only the ability to get a message to the mailbox server, and the code would run in the security context of the service account on the system running FPE, which is a good reason to keep that account from having more rights than the scanning engine needs.

The vulnerability lies in a section of FPE's own code, and the update fixes the problem by removing that code. No mitigations or workarounds are listed in the bulletin.

IMPORTANT

MS14-009 (KB2916607) This vulnerability in the .NET Framework affects supported versions of the .NET Framework versions 1.0, 1.1, 2.0, 3.5, 3.5.1, 4, 4.5, and 4.5.1 running on all supported versions of the Windows client and server operating systems, including server core installations on Windows Server 2008 R2, 2012 and 2012 R2. It does not affect .NET Framework 3.0 SP1 or 3.5 SP1 and does not affect the Windows Server 2008 server core installation.

This update addresses three vulnerabilities: one reported privately by James Forshaw of Context Information Security, and two that were publicly disclosed. The most serious of these could allow an attacker to elevate privileges if a user is convinced to visit a malicious web site or a site to which malicious content has been uploaded. The update is rated important for all affected products.

The three issues have different causes. One lies in the way affected versions of the .NET Framework terminate stale or closed HTTP requests that were started by clients (the denial of service issue); one lies in how the framework determines whether a method is safe to execute (the elevation of privilege issue); and one lies in a component that did not properly implement ASLR (Address Space Layout Randomization). The update fixes them by correcting the request handling, improving the safe-method determination and properly implementing ASLR. Workarounds exist for two of the three vulnerabilities, with instructions included in the bulletin.

MS14-005 (KB2916036) This vulnerability in Microsoft XML Core Services (MSXML) affects XML Core Services version 3.0 running on all supported versions of the Windows client and server operating systems, including server core installations. It does not affect XML Core Services versions 4.0, 5.0 and 6.0. XML Core Services is the set of components that enable certain scripting and development tools to build XML-based applications. Some versions of Microsoft XML Core Services are included with Microsoft Windows, others are installed with non-operating-system software from Microsoft or third-party providers, and some are available as separate downloads.

This update addresses one publicly disclosed vulnerability that could result in information disclosure if an attacker convinces a user to view a malicious web page in IE. The update is rated important for Windows client operating systems and low for Windows server operating systems.

The vulnerability is caused by the way MSXML enforces the same-origin policy on URLs, and the update fixes it by correcting that check. There is a workaround that involves setting the kill bit for the MSXML 3.0 ActiveX controls in the registry, which stops IE from instantiating them. Instructions, including the CLSIDs, are included in the bulletin.
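Setting a kill bit is a generic technique rather than anything specific to MS14-005, so here is an added example (my own code, not from the bulletin) that applies it to any list of CLSIDs and verifies the result. The CLSIDs for the MSXML 3.0 controls are not reproduced here; take them from the bulletin and pass them in. The GUID in the usage line at the bottom is a placeholder, not a real MSXML control.

```powershell
# Added example (not from the original post or the bulletin): set and
# verify the ActiveX kill bit (Compatibility Flags bit 0x400) for CLSIDs.
# On 64-bit Windows the 32-bit IE process reads the Wow6432Node hive, so
# both locations are written, as the bulletin workarounds also do.
$KillBit = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($base in $CompatKeys) {
        # Wow6432Node only exists on 64-bit Windows; skip it elsewhere.
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }
        foreach ($id in $Clsid) {
            $key = Join-Path $base $id
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            # OR the bit in rather than overwriting: other flags may be set.
            $value = ([int]$current) -bor $KillBit
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $value -Type DWord
        }
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $results = foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{ Key = $key; KillBitSet = (([int]$flags) -band $KillBit) -ne 0 }
    }
    return $results
}

# Usage (placeholder GUID; substitute the CLSIDs from the bulletin):
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
# Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Run it from an elevated prompt, since it writes to HKLM. The kill bit only affects hosts that honour it, which is what you want here: it blocks IE from loading the control via a web page, while applications that use MSXML 3.0 directly keep working. Once KB2916036 is installed the workaround is no longer needed; clearing bit 0x400 (or deleting the key if you created it) reverses it.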

MS14-006 (KB2904659) This vulnerability in the IPv6 networking protocol affects this component in Windows 8, RT and Server 2012 (including server core installation). It does not affect Windows XP, Vista, 7, 8.1, RT 8.1 or Server 2003, 2008, 2008 R2, or 2012 R2.

The update addresses one publicly disclosed vulnerability that could allow a denial of service if an attacker sends a large number of specially crafted IPv6 packets to the targeted computer. The impact is limited by the fact that the attacker must send them from a system on the same subnet, so the attack cannot be launched across a router from the Internet. Hence the rating of important, rather than critical, for all affected systems.

The vulnerability is caused by the way the affected operating systems validate TCP/IP requests, and the update fixes it by correcting that validation. There is a workaround that involves disabling IPv6 router discovery on the affected interfaces. Instructions are included in the bulletin.
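The router discovery workaround is easy to apply from PowerShell on the affected platforms, since Windows 8 and Server 2012 ship the NetTCPIP cmdlets. The following is an added example of my own, not the bulletin's instructions: it records the current state of every IPv6 interface first, so the change can be reversed, and then disables router discovery on the interfaces you name.

```powershell
# Added example (not from the original post or the bulletin): inspect and
# disable IPv6 router discovery as a temporary MS14-006 mitigation.
# Requires the NetTCPIP module (Windows 8 / Windows Server 2012 and later).

function Get-RouterDiscoveryState {
    # Snapshot of every IPv6 interface; keep this output so you can revert.
    Get-NetIPInterface -AddressFamily IPv6 |
        Select-Object InterfaceAlias, InterfaceIndex, RouterDiscovery, ConnectionState
}

function Disable-RouterDiscovery {
    param([Parameter(Mandatory)][string[]]$InterfaceAlias)
    foreach ($alias in $InterfaceAlias) {
        Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6 -RouterDiscovery Disabled
    }
    # Return the new state for the interfaces that were changed.
    Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $InterfaceAlias -contains $_.InterfaceAlias } |
        Select-Object InterfaceAlias, RouterDiscovery
}

function Restore-RouterDiscovery {
    # Takes the objects returned by Get-RouterDiscoveryState and puts each
    # interface back to the RouterDiscovery value it had before.
    param([Parameter(Mandatory)][object[]]$Snapshot)
    foreach ($entry in $Snapshot) {
        Set-NetIPInterface -InterfaceIndex $entry.InterfaceIndex -AddressFamily IPv6 `
            -RouterDiscovery $entry.RouterDiscovery
    }
}

# Usage (interface name is an example; use the alias from the snapshot):
# $before = Get-RouterDiscoveryState
# Disable-RouterDiscovery -InterfaceAlias 'Ethernet'
# ... install KB2904659 ...
# Restore-RouterDiscovery -Snapshot $before
```

The caveat is the same one the bulletin gives: with router discovery off, the host no longer processes Router Advertisements, so it will not autoconfigure an IPv6 address or default route from them. On a network that relies on SLAAC that means losing IPv6 connectivity; on hosts with static or DHCPv6-assigned addresses it is harmless. Treat it as a stopgap until KB2904659 is on, then restore the saved state.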