You know the saying: Beware the Ides of March. In IT departments, it’s time to beware the security vulnerabilities of March – but as reported in our Advance Notification post last week, we once again have only a handful of Microsoft security bulletins to concern ourselves with this month. Of the five security bulletins, only two of them are rated as “critical” and the other three are classified as “important”.
Critical bulletins generally address vulnerabilities that can be exploited without any action on the part of the user, which covers most remote code execution vulnerabilities. Those that pose a risk to data or system processing only if the user does something – for example, follows a link to a malicious web site or opens a malicious file – are often rated as important. However, other factors, such as the extent of exposure and the possible consequences, are also taken into consideration.
Unlike some months, when the bulletins are spread out over many different Microsoft products, some with only a limited market, four of this month’s five bulletins address Windows itself (and IE, which comes already installed in U.S. versions of Windows), and the fifth addresses the Silverlight browser plug-in, which has a fairly wide installed base.
Often, a single security bulletin fixes multiple vulnerabilities. Four of these five patches address only one or two vulnerabilities each. However, the IE patch is cumulative and addresses eighteen remote code execution vulnerabilities in the web browser.
For the full and official documentation on each of these, please check out the details on the TechNet web site.
MS14-012 (KB2925418) This is a cumulative update for Internet Explorer that affects all supported versions of IE (6, 7, 8, 9, 10 and 11) installed on all supported versions of the Windows operating system (XP, Vista, Windows 7, Windows 8, Windows 8.1, Windows RT and Server 2003, 2008, 2008 R2, 2012 and 2012 R2). The only operating systems not affected are the Server Core installations, which do not have the browser installed.
The critical rating applies to the client versions of Windows, whereas the rating for server operating systems is moderate. For those who are unable to install the update for some reason, there are a number of workarounds for some of the vulnerabilities listed in the security bulletin.
Seventeen of the vulnerabilities addressed were privately reported with only one having been disclosed publicly. The problems stem from the way IE handles objects in memory and the update fixes it by changing the memory handling.
MS14-013 (KB2929961) This update closes a hole that could allow remote code execution through a vulnerability in the Microsoft DirectShow component of Windows, which is a multimedia framework and API. It affects most versions of Windows, including XP, Vista, Windows 7 and Windows 8, along with Server 2003, 2008 and 2008 R2 (except the Itanium editions), and 2012 and 2012 R2. It does not affect Itanium-based computers running Server 2008/2008 R2, nor Windows RT, nor Server Core installations of Server 2008/2008 R2 and 2012/2012 R2; only server installations with the Desktop Experience feature enabled are impacted. The severity rating is critical for all affected versions, both client and server.
The update addresses a single vulnerability that was privately reported by an anonymous researcher working with VeriSign’s iDefense Labs. Because of the way DirectShow parses JPEG graphics files, an attacker could execute code remotely after convincing a user to open a maliciously constructed JPEG image. The update fixes the problem by changing how such image files are parsed.
MS14-015 (KB2930275) This update addresses two vulnerabilities in the Windows kernel-mode driver, one of which could be used by an attacker to elevate privileges on the machine while the other could allow information disclosure. This update affects all supported versions of Windows (XP, Vista, Windows 7, Windows 8/8.1, Windows RT, Server 2003, 2008/2008 R2, and 2012/2012 R2), including the server core installations.
The important rating applies to all operating systems across the board and reflects the fact that, to exploit either vulnerability, the attacker must already have valid credentials for the targeted system and be able to log on to it locally. That means the attacker is either an insider with a local account or someone who has already obtained code execution on the machine by other means, such as one of the browser or image-parsing bugs fixed this month; kernel elevation-of-privilege flaws like these are typically used in that second way, to turn a foothold as an ordinary user into full control of the machine.
Both vulnerabilities stem from the way the kernel-mode driver handles objects in memory and the update corrects the improper handling issues to fix the problem.
MS14-016 (KB2934418) This update relates to a vulnerability in the Windows SAMR (Security Account Manager Remote) protocol and it affects older Windows clients and all supported versions of Windows Server, with the exception of 2008/2008 R2 Itanium-based machines. Specifically, it affects XP and Vista on the client side, and Server 2003, Server 2008/2008 R2 (except Itanium editions) and Server 2012/2012 R2, including Server Core installations. It does not affect Windows 7, 8, 8.1 or RT, nor Itanium-based Server 2008/2008 R2 machines. It also does not affect systems that do not have Active Directory, ADAM or AD LDS installed.
The important rating applies to all affected operating systems, both client and server.
The vulnerability stems from the way Windows validates the user lockout state and could allow an attacker to bypass the account lockout feature, which means the attacker could make repeated guesses at a user account’s password without the account ever being locked out. The update corrects how the lockout state is validated. Since the bypass only matters where account lockout is the control you rely on against password guessing, this is also a good moment to confirm that your lockout threshold and observation window are actually set in domain policy, and that failed logon events are being collected.
MS14-014 (KB2932677) This update addresses a vulnerability in the Silverlight technology that is Microsoft’s platform for video and other rich Internet applications and is installed as a web browser plug-in for both Windows and Mac OS X computers. It affects Silverlight version 5 prior to build 5.1.30214.0 on all supported versions of Windows client and server operating systems (XP, Vista, Windows 7, Windows 8/8.1, Server 2003, 2008/2008 R2, and 2012/2012 R2) as well as Mac OS X operating systems. Windows RT doesn’t run Silverlight. Systems that don’t have Silverlight installed and enabled are not affected.
The vulnerability is another security feature bypass: it could be used to circumvent DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), the mitigations that protect Internet Explorer, in order to execute code remotely. A bypass of this kind does not give code execution on its own; it is combined with a separate memory corruption bug whose exploitation DEP and ASLR would otherwise frustrate. It’s only rated important because the attacker would have to convince the user to visit a malicious web site, or a legitimate site carrying maliciously crafted banner ads or other user-uploaded content.
The update fixes the problem by changing some of the functionality to maintain DEP and ASLR integrity in the Silverlight technology.
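As an added example (not part of the original post), the following PowerShell script checks a Windows host for the five bulletins above. The four Windows and IE updates are looked up by KB number through Get-HotFix; Silverlight is MSI-based and does not appear there, so its version is read from the registry and compared against the fixed build. The registry path and value name used for Silverlight are assumptions made for this example; a KB reported as not found on an unaffected edition (Server Core, Itanium, no AD LDS) is expected rather than a gap.

```powershell
# Added example, not code from the original post. Assumes Get-HotFix can see the
# Windows/IE updates on this host and that Silverlight records its version in the
# registry value assumed below (HKLM:\SOFTWARE\Microsoft\Silverlight, "Version").

$bulletins = @{
    'MS14-012' = 'KB2925418'   # IE cumulative update
    'MS14-013' = 'KB2929961'   # DirectShow JPEG parsing
    'MS14-015' = 'KB2930275'   # kernel-mode driver EoP / info disclosure
    'MS14-016' = 'KB2934418'   # SAMR account lockout bypass
}
$silverlightFixedBuild = [version]'5.1.30214.0'   # MS14-014

foreach ($ms in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$ms]
    # Get-HotFix writes a non-terminating error when the KB is absent; suppress it and test for $null.
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) {
        '{0} ({1}): installed on {2}' -f $ms, $kb, $hotfix.InstalledOn
    } else {
        '{0} ({1}): NOT FOUND - confirm this edition is affected before treating it as exposed' -f $ms, $kb
    }
}

# Silverlight is not a QFE package, so read its version from the registry instead
# (both the native and the Wow6432Node location, since the plug-in may be 32-bit on a 64-bit OS).
$slPaths = 'HKLM:\SOFTWARE\Microsoft\Silverlight', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight'
$slVersion = $null
foreach ($p in $slPaths) {
    $v = (Get-ItemProperty -Path $p -Name Version -ErrorAction SilentlyContinue).Version
    if ($v) { $slVersion = [version]$v; break }
}
if (-not $slVersion) {
    'MS14-014: Silverlight not installed - not affected'
} elseif ($slVersion -ge $silverlightFixedBuild) {
    'MS14-014: Silverlight {0} is at or above {1} - patched' -f $slVersion, $silverlightFixedBuild
} else {
    'MS14-014: Silverlight {0} is below {1} - update needed' -f $slVersion, $silverlightFixedBuild
}
```

Run it in an elevated PowerShell session on each host you want to verify; casting the version strings to [version] makes the comparison numeric per component rather than a string comparison, which matters for builds such as 5.1.30214.0.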