Writer James Russell Lowell summed it up best: “And what is so rare as a day in June? Then, if ever, come perfect days.” This is traditionally the month of weddings, school vacation, lazy summer days with flowers in full bloom. For IT professionals, it’s a month when we hope we’ll have a light patching load so we can get back outside and enjoy the sunshine. Microsoft didn’t make our lives as easy as we might have wished, but this Patch Tuesday’s slate of seven patches shouldn’t keep us slaving over a hot server too long into the summer night.


The bad news is that most of these updates are going to be relevant to your organization, since five of them apply to Windows and one to Office (the remaining patch is for Lync Server, which you may or may not be running on your network). The good news is that only two of them address critical threats. For all the hype we hear with each new version of Windows about “fewer reboots,” it seems that every month, most or all of the updates require a restart after application and this month is no exception to that.


We have three patches that fix remote code execution issues, two that address information disclosure vulnerabilities, one that patches a flaw that could be exploited to create a denial of service, and one that an attacker could use to tamper with the system.


For the official and complete low-down on these patches, be sure to check out the bulletin summary on the Microsoft web site.


CRITICAL

MS14-035 (KB2969262) Since this is a cumulative update for Internet Explorer, it includes previous hot fixes. This update applies to all supported versions of Internet Explorer, IE 6 through 11, on all supported versions of the Windows server and client operating system. Only the server core installations of Windows Server 2008/2008 R2 and 2012/2012 R2 are not affected (because they don’t run a web browser). The vulnerabilities are generally rated critical on Windows client systems and moderate or important on Windows servers.


Note that if you’re running IE 11 on Windows 8.1, RT 8.1 or Server 2012 R2, you have to install the April update 2919355 first, and if you’re running IE 11 on Windows 7 or Server 2008 R2, you have to install the April update 2929437 first. In addition to the vulnerability fixes, the update includes improvements to the IE XSS Filter that protects against cross site scripting.


The update addresses a whopping 57 vulnerabilities, two of which have already been publicly disclosed. Remote code execution is the most severe impact that could result from leaving these vulnerabilities unpatched; the user would need to view a specially-crafted web page in IE for this to be carried out. The update fixes the problems by changing the way IE handles objects in memory, validates permissions and negotiates certificates in a TLS session.


MS14-036 (KB2967487) This critical update applies to a vulnerability in the Microsoft Graphics component, and applies to all supported versions of Windows client and server: Vista, Windows 7, Windows 8 and 8.1, RT 8 and 8.1, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including server core installations. It also affects Microsoft Office 2007 and 2010, as well as Microsoft Lync client 2010 and 2013 and the Microsoft Live Meeting Console. Office 2013 is not affected, nor are previous versions of Microsoft Communications software (Communicator, Communications Server, Speech Server), Lync for Mac 2011, Lync Server 2010 and 2013, Lync Web Access or Lync 2010 Attendant. The vulnerabilities are rated critical for Windows, Live Meeting 2007, and Lync 2010 and 2013 client software. It’s rated important for Office 2007 and 2010.


Note that if you’re running Windows 8.1, RT 8.1 or Server 2012 R2, you have to install April update 2919355 first. There are multiple updates included in this security bulletin and you might not need to install all of them if you’re running Windows 8.1 or Server 2012 R2. See the bulletin details Update FAQ section to determine which you need to install.


This update addresses two vulnerabilities that were reported privately, which could be exploited to remotely execute code if a user opens a specially crafted file or visits a specially crafted web page. The update fixes the problem by changing the way Windows handles specially crafted files and the way GDI+ validates specially crafted image record types.


IMPORTANT

MS14-034 (KB2969261) This update addresses an embedded font vulnerability in Microsoft Word that affects Office 2007 SP 3 along with the Office Compatibility Pack SP 3. It does not affect Word/Office 2010, 2013 or 2013 RT, nor does it affect Office for Mac 2011. The affected versions of Word are vulnerable whether they’re installed as standalone programs or as part of the Office suite.


Note that if you’re unable to install the update, there is a workaround for this embedded font vulnerability, which is simply to not open Word files from sources that you don’t know to be completely trustworthy.


The update addresses just one privately reported vulnerability, which could result in remote code execution if the user opens a specially crafted file in an affected version of Word. The update fixes the problem by changing the way Office parses such specially crafted files.


MS14-033 (KB2966061) This update is for an entity URI vulnerability in Microsoft XML Core Services (MSXML) and affects all supported versions of Windows client and server: Vista, Windows 7, Windows 8 and 8.1, RT 8 and 8.1, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including server core installations, running MSXML version 3.0 or version 6.0. It does not affect MSXML version 5.0. This update is rated Important for Windows client operating systems and Low on Windows servers.


Note that Windows Server 2003 systems require an update to MSXML version 6.0 before installing the update. Also note that if you are unable to install the update, there is a workaround that involves setting the kill bit to prevent MSXML 3.0 binary behaviors from being used in IE. This workaround requires editing of the registry. For more information, see the MSXML Entity URI Vulnerability – CVE-2014-1819 section in the security bulletin details. Another workaround is to disable active scripting or configure IE to prompt you before running active scripting. Alternately, you can set IE’s Internet and local security zone settings to High and block ActiveX controls and active scripting.


This update addresses one privately reported vulnerability that could be exploited to allow information disclosure, if the user visits a specially crafted web site. The update fixes the problem by changing the way MSXML Core Services enforces user access controls.


MS14-032 (KB2969258) This update is for a content sanitization vulnerability in Microsoft Lync Server that affects the Web Components Server in Lync Server 2010 and 2013. It does not affect the Lync client software or any versions of Microsoft Communicator or Communications Server, nor Lync components such as Attendee, Attendant and Group Chat. It is rated important for both versions.


Note that the vulnerability addressed by this update is not related to the vulnerability in Lync client software that is addressed by MS14-036 described above.


This update addresses one privately reported vulnerability that could result in information disclosure if a user attempts to join a Lync meeting by clicking a specially crafted meeting URL. The update fixes the problem by changing the way Lync Server handles and sanitizes content.


MS14-031 (KB2962478) This update is for a Denial of Service vulnerability in the TCP protocol in Windows that affects most supported versions of Windows client and server, including Windows Vista, Windows 7, 8, 8.1, RT and RT 8.1, as well as Windows Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect currently supported versions of Windows Server 2003. It is rated important for all affected systems.


Note that there are no workarounds for this vulnerability.


This update addresses one privately reported vulnerability that could be used by an attacker to send a sequence of specially crafted packets and cause a denial of service (DoS). The update fixes the problem by changing the way the TCP/IP stack in Windows handles such specially crafted packets.


MS14-030 (KB2969259) This update is for an RDP MAC vulnerability in the Remote Desktop feature of Windows that affects Windows 7, 8 and 8.1 as well as Windows Server 2012 and 2012 R2, including the server core installations. It does not affect Windows Vista, Windows RT or RT 8.1, Windows Server 2003, 2008 or 2008 R2. It is rated important for all affected versions of Windows. Systems that do not have Remote Desktop Protocol enabled are not at risk.


Note that Windows 7 has two prerequisites: before installing this update, you need to install updates 2574819 and 2592687. Also note that if you are unable to install the update, there is a workaround: enable Network Level Authentication (NLA) for remote desktop sessions. This blocks unauthenticated attackers from exploiting the vulnerability (however, an attacker who holds credentials for a valid user account on the target system could still exploit it).
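The following is an added PowerShell example, not code from the original post or from Microsoft, that audits a host for the MS14-030 patch and its Windows 7 prerequisites and then checks (and, if needed, enables) the NLA workaround described above. It assumes PowerShell 2.0 or later running with local administrator rights; the KB numbers are the ones named in this post, and the WMI class and registry-free method used are the standard Terminal Services management interfaces.

```powershell
# Added example: check MS14-030 state and the NLA workaround on the local host.
# KB numbers come from the post above; everything else is standard Windows WMI.
$prereqs = @('KB2574819', 'KB2592687')   # Windows 7 prerequisites for MS14-030
$patch   = 'KB2969259'                   # MS14-030 itself

# Prerequisites only matter on Windows 7 / Server 2008 R2 (NT 6.1).
$os = Get-WmiObject -Class Win32_OperatingSystem
$toCheck = if ($os.Version -like '6.1*') { $prereqs + $patch } else { @($patch) }

# One Get-HotFix call filtered locally, so a KB that is absent does not throw.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $toCheck) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    Write-Output ('{0,-10} {1}' -f $kb, $state)
}

# The RDP-Tcp listener settings live in the TerminalServices WMI namespace.
# UserAuthenticationRequired = 1 means NLA is required before a session is set up.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                     -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'"

if ($rdp -eq $null) {
    Write-Output 'No RDP-Tcp listener found; Remote Desktop is not exposed here.'
} elseif ($rdp.UserAuthenticationRequired -eq 1) {
    Write-Output 'NLA is already required for RDP-Tcp.'
} else {
    Write-Output 'NLA is not required; enabling it as the MS14-030 workaround.'
    $result = $rdp.SetUserAuthenticationRequired(1)
    # ReturnValue 0 means the setting was applied; anything else needs a look.
    Write-Output ('SetUserAuthenticationRequired returned {0}' -f $result.ReturnValue)
}
```

Run it on a few hosts before and after patching to confirm that the KB shows up in the inventory and that NLA stays enforced even once the update is in place.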


This update addresses one privately reported vulnerability that an attacker could use to tamper with the targeted system if the attacker is on the same network segment as the targeted system during an active Remote Desktop session. The attacker would have to send specially crafted RDP packets to the targeted system. The update fixes the problem by increasing the strength of the encryption used by Remote Desktop.