As reported at the end of last week in this month’s advance notification from Microsoft, if you have been celebrating each month upon seeing a number of Microsoft security updates that could be counted on the fingers of one hand, the party’s over. April’s four security bulletins have doubled to eight for May, and that’s not counting the out-of-band patch that was released on May 1. Still, that falls far short of some previous months, so let’s be thankful that we aren’t looking at a number in the teens.
Only two of this month’s Patch Tuesday releases are rated as critical (as was the May 1 emergency update). The remaining six are classified as important. There have been known attempts to exploit at least three of the new vulnerabilities, although according to Microsoft the attacks thus far have been limited in scope.
Some of the vulnerabilities, such as the one that affects Microsoft Office’s grammar checking component only in the Chinese language version of Office, present a risk only to a limited number of machines/users and exploit code is less likely since the attackers’ target audience would be restricted to only those that run that version.
Others, such as the pair of memory corruption vulnerabilities in Internet Explorer that are addressed by the last bulletin in the list, are far more likely to be exploited and will impact many more computers and users. Let’s take a look at each of this month’s security bulletins and the vulnerabilities that are addressed by each. For more detailed information, you can check out the Bulletin Summary on Microsoft’s TechNet web site.
- MS14-022/KB2952166 This update affects supported versions of Microsoft SharePoint Server, including versions 2007, 2010 and 2013, as well as Microsoft Office Web Apps versions 2010 and 2013. Other SharePoint related software, such as the 2013 client components SDK and SharePoint Designer 2007, 2010 and 2013, are also affected, so this is pretty broad-reaching for any organizations and individuals who use SharePoint. The update addresses three separate vulnerabilities that were privately reported. The most serious could allow for remote execution of code, which is the reason for the critical rating. One vulnerability also presents an elevation of privileges issue in SharePoint Server 2013 (but not earlier versions). The good news is that an attacker would need to be able to authenticate to the SharePoint server in order to exploit the vulnerabilities, so the biggest risk is to SharePoint sites that allow anonymous access (which must be explicitly enabled; it’s disabled by default). The update fixes the problem by changing how SharePoint server sanitizes page content that has been specially crafted.
- MS14-029/KB2962482 This update affects all supported versions of Internet Explorer running on all supported versions of Microsoft Windows client and server software. The only Windows operating system that is not affected is the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2. The critical rating applies to IE running on Windows client operating systems, while the rating is downgraded to moderate for Windows server operating systems. The problem is related to memory corruption that occurs when a specially crafted web page is viewed in IE, and the exploit could allow the attacker to gain the same level of rights and privileges as the user who is currently logged on, and potentially execute remote code. The update fixes the problem by changing the way IE handles objects in memory. Note that if you’re running IE 11 on Windows 8.1 or 8.1 RT or on Server 2012 R2, you must install the update in KB2919355 before you install this update. This is not a cumulative update, so IE users also need to install the most recent cumulative update to be fully protected.
- MS14-023/KB2961037 This update affects supported versions of Microsoft Office for Windows (2007, 2010, 2013 and 2013 RT). It does not affect Microsoft Office for Mac or the Office Compatibility Pack SP3, nor does it impact the Microsoft Word Viewer. There are two vulnerabilities addressed by the update, both of which were reported privately. There is potential for remote code execution if the currently logged on user has administrative rights. However, only computers that have the Chinese (Simplified) grammar checker enabled are at risk. In addition to having the Chinese grammar checker, the user would have to open an Office file from an untrusted location or WebDAV share. Due to this combination, the practical risk is relatively low. Workarounds include disabling loading of libraries from WebDAV and remote network shares, or you can disable the WebDAV service entirely. The update fixes the problems by changing the Chinese grammar checker so that it will properly verify file paths before loading external libraries and by modifying how Office handles specially crafted responses.
- MS14-024/KB2961033 This update addresses a vulnerability in MSCOMCTL ASLR that affects all supported versions of Microsoft Office for Windows. That includes Office 2007, 2010, 2013 and 2013 RT. It does not affect Office for Mac. The vulnerability was previously reported privately. An attacker would exploit the vulnerability by convincing a user to view a specially crafted web page, resulting in a bypass of the Address Space Layout Randomization security feature. The update fixes the problem by modifying the MSCOMCTL common control library (a component included in Office software). The risk is mitigated by the set of requirements for a successful exploit, and the risk is lower on the server operating systems because the default setting for IE is to run in restricted mode.
- MS14-025/KB2962486 This update for a vulnerability in Group Policy preferences affects specific versions of Windows client and server software, including Vista, Windows 7, Windows 8/8.1, Server 2008/2008 R2, and 2012/2012 R2. The following operating systems are not affected: Server 2003 SP2, Windows RT/RT 8.1 and server core installations of Windows Server. This vulnerability was previously disclosed publicly, and an exploit can occur if you use Active Directory Group Policy preferences to distribute passwords in a domain when certain Group Policy preferences extensions are used. This could result in elevation of privilege. The update fixes the problem by removing the ability to configure and distribute passwords that use the vulnerable extensions. However, existing Group Policies may need to be removed by admins if they are configured to use the affected Group Policy preferences.
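Because the update only stops new password-bearing preference items from being created, the existing ones have to be found before they can be removed. The following PowerShell script is an added example (not from the original post or from Microsoft’s bulletin) that walks the domain’s SYSVOL Policies share and reports every Group Policy Preferences XML file that still carries a non-empty cpassword attribute, along with the GPO GUID and the account the item targets. It assumes a domain-joined host with read access to SYSVOL; the domain name defaults to the USERDNSDOMAIN environment variable, and the file names and account attribute names are how GPMC writes these preference types (treat them as assumptions to confirm in your environment). It reports only; it does not decode anything, and remediation is done in GPMC followed by a password change for the affected accounts.

```powershell
# Added example, not from the original post: audit SYSVOL for Group Policy
# Preferences XML files that still store a password (cpassword attribute).
# MS14-025 prevents new ones but leaves existing items in place.
# Assumptions: domain-joined host with read access to SYSVOL; file and
# attribute names below reflect how GPMC writes these preference types.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"
)

# Preference item types that can embed a stored password (assumed GPMC file names).
$preferenceFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                   'DataSources.xml', 'Drives.xml', 'Printers.xml'

# The attribute naming the target account differs per preference type (assumed names).
$accountAttributes = 'userName', 'accountName', 'runAs', 'username'

$findings = foreach ($file in Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $preferenceFiles -ErrorAction SilentlyContinue) {
    try {
        [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
    } catch {
        Write-Warning "Could not parse $($file.FullName): $_"
        continue
    }
    # Every Properties element with a non-empty cpassword is a stored credential.
    foreach ($props in $doc.SelectNodes('//Properties[@cpassword and string-length(@cpassword) > 0]')) {
        $account = ($accountAttributes | ForEach-Object { $props.GetAttribute($_) } | Where-Object { $_ }) | Select-Object -First 1
        # The GPO GUID is the {...} folder name under Policies.
        $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { 'unknown' }
        [pscustomobject]@{
            GpoGuid = $gpoGuid
            File    = $file.FullName
            Item    = $props.ParentNode.LocalName   # e.g. User, Service, Task, Drive
            Account = $account
            Changed = $props.ParentNode.GetAttribute('changed')
        }
    }
}

if ($findings) {
    $findings | Sort-Object GpoGuid, File | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) preference item(s) still store a password; remove them in GPMC and change the affected account passwords."
} else {
    Write-Host "No Group Policy Preferences with stored passwords found under $PoliciesPath"
}
```

Run it as a user who can read SYSVOL (any domain user normally can, which is precisely why stored preference passwords are a problem). The `changed` timestamp tells you how long each item has been in place, which is useful when deciding which account passwords to rotate first.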
- MS14-026/KB2958732 This update for a vulnerability in .NET Framework affects most versions of the Microsoft .NET Framework running on most Microsoft client and server operating systems. This includes the .NET Framework 3.5.1 through 4.5.1, except when running on the server core installations of Windows Server 2008 R2 and Server 2012/2012 R2. The following are not affected: .NET Framework 3.0 SP2, 3.5 SP1 and 4.5.2. If in doubt, see the full security bulletin text. The problem occurs when an unauthenticated user sends specially crafted data to a computer running an affected version of .NET Framework if the application uses .NET Remoting. This limits the scope of the risk. The update fixes the problem by changing the .NET Framework to enforce security controls for application memory.
- MS14-027/KB2962488 This update for a vulnerability in the Windows Shell Handler affects all supported versions of Windows client and server operating systems. This also includes the server core installations of Windows Server. The problem is caused by a flaw in the ShellExecute code that could be used by an attacker to elevate his/her privileges by running a specially crafted application. However, the attacker would need to have valid logon credentials and have access to log on to the system locally in order to exploit the vulnerability, which limits its risk. The update fixes the problem by changing the way the ShellExecute API handles file associations in certain cases.
- MS14-028/KB2962485 This update for a pair of vulnerabilities in the iSCSI component affects only certain versions of the Windows Server operating system. These include Windows Storage Server 2008, Server 2008 R2 SP1, Server 2012 and 2012 R2, including the server core installation option. Also included is iSCSI Software Target 3.3 on Server 2008 R2 X64 SP1. It does not affect Windows client operating systems, Server 2003, Server 2008 (except for Windows Storage Server 2008), or the server core installation of Server 2008 R2.
The problem is caused by a flaw in the iSCSI target role, and that role must be enabled for an exploit to occur. If it is, an attacker who sends large numbers of maliciously crafted iSCSI packets over the network can cause a denial of service (DoS). The update fixes the problem by changing the way the operating system handles iSCSI connections.
There is a workaround that involves placing iSCSI on its own isolated network; in addition, you can configure the firewall to restrict access to TCP port 3260 to only allow access to authorized iSCSI client IP addresses.
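The port restriction half of that workaround can be scripted on Windows Server 2012 and 2012 R2 with the NetSecurity cmdlets. The script below is an added example (not from the original post or from Microsoft) that disables any enabled inbound rule that opens TCP 3260 to everyone and replaces it with a single allow rule scoped to a list of authorized initiator addresses. The initiator addresses and the rule name are constructed sample values; on Server 2008 R2, where these cmdlets do not exist, the equivalent is done with netsh advfirewall.

```powershell
# Added example, not from the original post: scope inbound iSCSI (TCP 3260) on a
# Server 2012/2012 R2 iSCSI target to an allow-list of initiator addresses.
# Assumptions: NetSecurity module present (Server 2012+); the initiator
# addresses and rule name below are constructed sample values.
$authorizedInitiators = '10.10.20.11', '10.10.20.12'    # constructed sample
$ruleName = 'iSCSI Target (TCP 3260) - authorized initiators only'

# 1. Disable every enabled inbound rule that opens TCP 3260 (other than ours),
#    so the scoped rule below is the only path in; default inbound policy is Block.
Get-NetFirewallPortFilter -All |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3260' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.DisplayName -ne $ruleName } |
    ForEach-Object {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 2. Allow TCP 3260 only from the listed initiators (recreate if it already exists).
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3260 -RemoteAddress $authorizedInitiators `
    -Profile Any -Description 'MS14-028 workaround: restrict iSCSI target to authorized initiators' | Out-Null

# 3. Verify: list the remaining enabled inbound rules for TCP 3260 with their remote scope.
#    Anything showing RemoteAddress = Any still exposes the port to the whole network.
Get-NetFirewallPortFilter -All |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3260' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($scope -join ', ') }
    } | Format-Table -AutoSize
```

Step 1 also disables any previously scoped rule you created under a different name, so review the list it prints. The rule is still only defense in depth for a vulnerability that needs patching: it reduces who can reach the target, but an authorized initiator address can still be spoofed or compromised, which is why the isolated-network half of the workaround matters as well.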