Patch Tuesday - July

As you already know if you read this month’s Advance Notification blog post, July is neither a particularly heavy nor a particularly light month for Microsoft patches. We’re looking at six security bulletins covering 29 separate vulnerabilities, with two of them rated as critical. Three are designated as important and the final one has been classified as moderate.

The bad news is that the two critical patches are of the type that an attacker can use to remotely execute code on the target computer. This presents a very serious security risk because, if constructed to do so, such malicious code could have many different types of negative impact, up to and including a complete takeover of control of the system. The good news is that in both cases, the attacker would have to convince a user to visit a malicious web site in order to exploit these vulnerabilities. The even better news is that, at the time of the update’s release, Microsoft was not aware of any cases where these vulnerabilities were being exploited in the wild.

The two critical updates affect Internet Explorer and Windows Journal, respectively. Both of these are application components that are built into all supported versions of Windows, so they will be of concern to everyone who runs Microsoft operating system software – whether client or server – on their computers. The three important patches likewise affect components that are built into Windows, whereas the one that’s rated moderate impacts a component in the Windows Server OS.

Let’s take a look at each of these security bulletins individually. For more detailed information, you can check out the Bulletin Summary on Microsoft’s TechNet web site.

CRITICAL

MS14-037/KB2975687 This update is a cumulative patch for the Internet Explorer web browser and it applies to all supported versions of IE (versions 6 through 11) running on all supported versions of Windows client and server (Vista, Windows 7, 8, 8.1, RT, RT 8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2). The only operating systems that are exempt are the server core installations of Windows Server, and that’s because they don’t run a web browser.

The update addresses a whopping 24 different vulnerabilities, one of which had been publicly disclosed with the other twenty-three having been reported to Microsoft privately. The most serious of the vulnerabilities can result in remote code execution. The majority of the vulnerabilities relate to IE memory corruption issues, and there is also a vulnerability caused by improper enforcement of the guidelines for Extended Validation (EV) SSL certificates that creates a way for attackers to bypass the security of that feature.

The update fixes the problems by changing the way IE handles objects in memory and also modifying the handling of certificate negotiation when establishing TLS sessions.

MS14-038/KB2975689 This update pertains to Windows Journal and affects all supported versions of the Windows client operating system (Vista, Windows 7, 8, 8.1, RT, RT 8.1). It also affects some versions of Windows Server, including Server 2008, 2008 R2, 2012 and 2012 R2 with the exception of the server core installations and the Itanium editions. It also does not affect Server 2003 SP2. The critical rating applies to all affected operating systems.

The update addresses a single remote code execution vulnerability in Journal that was privately reported to Microsoft. The attacker would need to convince a user to open a specially crafted malicious Journal file in order to exploit this vulnerability. If Journal is not installed on a computer, the update is unnecessary and won’t be offered through Windows Update. Journal is not installed by default on Windows Server 2008, 2008 R2, 2012 and 2012 R2. It is installed only when Ink and Handwriting Services are enabled or Desktop Experience is enabled.

The update fixes the problem by changing the way the Windows Journal application parses Journal files (.JNT files). A workaround for this problem is to not open .JNT files, or to only open those that come from completely trusted sources.

IMPORTANT

MS14-039/KB2975685 This update pertains to a vulnerability in the onscreen keyboard that is part of the Windows operating system. It affects almost all supported versions of Windows client and server operating systems, including Vista, Windows 7, 8, 8.1, RT, RT 8.1, Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. The only supported version of the OS that is not affected by this one is Server 2003 SP2 (32 and 64 bit as well as Itanium edition).

The update addresses one privately reported vulnerability that could allow elevation of privilege if an attacker uses the vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.

The update fixes the problem by changing the way programs communicate with other programs that have a different integrity level. There are no mitigations or workarounds reported for this vulnerability.

MS14-040/KB2975684 This update pertains to a vulnerability in the ancillary function driver (AFD) that is a component of all supported versions of Windows and runs in kernel mode as afd.sys. This means an exploit could allow an attacker to run code in kernel mode. All of the current operating systems are affected, including Vista, Windows 7, 8, 8.1, RT, RT 8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including the server core installations.

The update addresses one privately reported vulnerability that could result in an elevation of privilege. However, the attacker would have to have valid credentials to be able to log onto the system locally, and then run a specially crafted malicious program in order to exploit this vulnerability. Servers are thus less likely to be impacted since they are usually more physically protected with local logon access limited.

The update fixes the problem by changing the method by which the Ancillary Function Driver (AFD) validates input before passing the input from user mode to the Windows kernel.

MS14-041/KB2975681 This update pertains to a vulnerability in the DirectShow component of Windows. It affects most Windows client operating systems and some versions of Windows Server. Specifically, the following are affected: Vista, Windows 7, 8, 8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2 (with the exception of the server core installation). The following are not affected: Windows RT and RT 8.1, Server 2003 (32 bit, 64 bit and Itanium editions) and server core installations of other server versions.

The update addresses a single vulnerability that was reported privately to Microsoft and that could be used by an attacker to achieve an escalation of privilege and possibly capture control of the computer by executing a specially crafted malicious program under the context of the user who is currently logged onto the system. DirectShow is a component that’s used to stream multimedia content.

The update fixes the problem by changing how the DirectShow feature handles objects in memory.

MODERATE

MS14-042/KB2972621 This update pertains to a vulnerability in Microsoft Service Bus 1.1, running on Windows server systems that use the Server 2008 R2, 2012 and 2012 R2 operating systems. Windows client operating systems and earlier versions of Windows Server are not affected.

The update addresses one vulnerability that has been publicly disclosed. An attacker could use it to create a denial of service attack by creating and running a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system. However, the attacker would need to be authenticated remotely, and Microsoft Service Bus must first be downloaded, installed, and configured, and then its configuration details (farm certificate) shared with other users. It is not a part of Windows Server by default. That’s why this one is only rated moderate in severity.

The update fixes the problem by changing the handling of AMQP messages. Note that Microsoft recommends testing this update before you roll it out on the production network.
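As an added example (not code from the original post), here is a PowerShell audit that checks a host for the KB numbers listed above, so you can confirm the roll-out after testing. It assumes Windows PowerShell 3.0 or later with the Get-HotFix cmdlet, and the Journal.exe install path it tests is an assumed default location, not something the post states.

```powershell
# Added example, not part of the original post: report which of the July
# bulletins above are installed on this host, using the KB numbers from the post.
# Assumptions: Windows PowerShell 3.0+ with Get-HotFix; the Journal.exe path
# below is an assumed default install location, not something the post states.
$bulletins = @(
    [pscustomobject]@{ Bulletin = 'MS14-037'; KB = 'KB2975687'; Rating = 'Critical';  Component = 'Internet Explorer (cumulative)' }
    [pscustomobject]@{ Bulletin = 'MS14-038'; KB = 'KB2975689'; Rating = 'Critical';  Component = 'Windows Journal' }
    [pscustomobject]@{ Bulletin = 'MS14-039'; KB = 'KB2975685'; Rating = 'Important'; Component = 'On-Screen Keyboard' }
    [pscustomobject]@{ Bulletin = 'MS14-040'; KB = 'KB2975684'; Rating = 'Important'; Component = 'Ancillary Function Driver (afd.sys)' }
    [pscustomobject]@{ Bulletin = 'MS14-041'; KB = 'KB2975681'; Rating = 'Important'; Component = 'DirectShow' }
)
# MS14-042 (KB2972621) updates Service Bus 1.1, a separate download that is not
# part of Windows, so it does not appear in Get-HotFix and is omitted here.

# Journal is only patched where it is installed; the post says the update is not
# offered otherwise, so a missing KB2975689 is expected on hosts without Journal.
$journalPath = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'   # assumed path
$journalInstalled = Test-Path $journalPath

# HotFixID holds the KB identifier of each installed Windows update.
$installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($b in $bulletins) {
    $present = $installedKBs -contains $b.KB
    $status = if ($present) { 'Installed' }
              elseif ($b.KB -eq 'KB2975689' -and -not $journalInstalled) { 'Not applicable (Journal absent)' }
              else { 'MISSING' }
    [pscustomobject]@{
        Bulletin  = $b.Bulletin
        KB        = $b.KB
        Rating    = $b.Rating
        Component = $b.Component
        Status    = $status
    }
}

$report | Sort-Object Status, Rating | Format-Table -AutoSize

# Exit non-zero when any applicable update is missing, so the script can gate a
# deployment step or feed a compliance check.
if ($report | Where-Object { $_.Status -eq 'MISSING' }) { exit 1 } else { exit 0 }
```

Because IE cumulative updates supersede one another, KB2975687 can be reported missing on a host where a later cumulative IE update has already replaced it; treat that row as a prompt to check the IE update history rather than as a definite gap.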