2014 seems to have gone by in a flash, and we’re already in the home stretch now, well into October and even here in Texas enjoying some cooler weather. It’s always a busy time for me, so when I saw that this month was bringing us eight security bulletins from Microsoft (not nine as previously reported), I had mixed feelings. It would have been nice to have only four updates again like September, but it could have been far worse.
Of course, just one problematic patch can cause untold grief, so here’s hoping all of these install smoothly and don’t have any adverse effects on anyone’s systems. It might be only a perception, but it seems the most troublesome patches recently have been those for Microsoft Office, so I’ll be keeping my eye on MS14-061, which applies to a vulnerability in both the local version of Microsoft Word and Office Web Apps.
Only three of the eight patches are rated critical and those three pertain to remote code execution vulnerabilities. In the “important” category, we have two more remote code execution vulnerabilities, two elevation of privilege vulnerabilities and a security feature bypass.
Enough of the fluff; let’s move on to the details of these nine updates and the vulnerabilities they address. For the official and complete low-down on these patches, be sure to check out the bulletin summary on the Microsoft web site.
MS14-056 (KB2987107) This is a cumulative update for all supported versions of the Internet Explorer web browser, something that comes along almost every month. That’s a good thing, since the web browser is one of the most frequently used applications and the one that’s most heavily targeted by attackers. This update applies to all currently supported versions of IE (version 6 through version 11), running on all supported versions of Windows, including RT and RT 8.1. The exception, of course, is server core installations since they don’t have a web browser installed.
As usual, the critical rating applies to client operating systems, while the server operating systems – which run a more locked down version of IE by default – have a moderate severity rating. The update addresses a mere fourteen different vulnerabilities (in contrast to the thirty-seven that were addressed by last month’s cumulative update for IE), all of which were reported privately. The most serious are remote code execution vulnerabilities that an attacker can exploit if the user views a malicious web page.
The update addresses these vulnerabilities by changing the way that Internet Explorer handles objects in memory, by adding additional permission validations to Internet Explorer, and by helping to ensure that affected versions of Internet Explorer properly implement the ASLR security feature.
MS14-057 (KB3000414) This is another update for Windows and the .NET Framework, which was patched last month as well. That one was only rated important; this one is critical. It applies to versions, 2.0, 3.5, 3.5.1, and 4.X on all supported versions of Windows client and server operating systems, including Windows RT/RT8.1 and server core installations.
The update addresses three vulnerabilities that were reported privately. They include remote code execution, elevation of privilege and security bypass. The latter two vulnerabilities are rated important but the first is rated critical, making this a critical patch. This update addresses these vulnerabilities by improving how the Microsoft .NET Framework communicates with the ClickOnce installer process, by changing the way it handles specially crafted requests, and by helping to ensure that affected versions of Microsoft .NET Framework properly implement the ASLR security feature.
MS14-058 (KB30000061) This is a vulnerability in the kernel-mode driver in Windows, and it affects all supported versions of Windows client and server operating systems, including Windows RT/RT 8.1 and server core installations.
The update addresses two vulnerabilities that were privately reported. The most severe could result in remote execution of code, and unlike many vulnerabilities that have a less severe rating for the server operating systems, this one is rated critical all the way across the board. The remote code execution vulnerability could be exploited by getting a user to either go to a web site with embedded TrueType fonts or opening a maliciously crafted document.
The update addresses these vulnerabilities by modifying the way that the Windows kernel-mode driver handles objects in memory as well as the way it handles TrueType fonts.
MS14-059 (KB2990942) This is a vulnerability in the ASP.NET MVC (Model View Controller) developer tools that affects versions 2, 3, 4, 5 and 5.1 of the software. This tool is used by developers to create web ASP.NET sites.
The vulnerability is a security feature bypass that could be exploited through a specially crafted web site or a web site that allows publication of user-provided content (such as ads). The update addresses the vulnerability by correcting how ASP.NET MVC handles the encoding of input.
Microsoft notes that installing this update should not affect the functionality of web sites created with the tool, but that some manual coding may present double encoded characters. This would need to be corrected by removing the manual encoding.
MS14-60 (KB3000896) This is a vulnerability in Windows OLE (Object Linking and Embedding), a technology framework that has been in Windows since version 3.1 and was the precursor of COM (Component Object Model). It affects Microsoft Vista, Windows 7, Windows 8/8.1, RT and RT 8.1, Windows Server 2008, 2008 R2, 2012 and 2012 R2. The rating is important for all of the affected operating systems.
This vulnerability could be exploited if the user opens a file that includes a maliciously crafted OLE object. This would allow the attacker to obtain the same privileges and the user who is logged on and potentially execute remote code. The update addresses the vulnerability by changing the way that OLE objects are activated in Windows.
Also note that there are a number of workarounds that can protect against an exploit if you cannot install the patch right away. These include disabling the WebClient service, blocking TCP ports 139 and 445, and blocking the launching of executables via Setup Information files.
MS14-061 (KB3000434) This is the Office-related vulnerability that I mentioned above; it’s a single vulnerability in Word and Office Web Apps that an attacker could exploit to carry out remote code execution. It applies to Office 2007 SP3, Office 2010 SP1 and SP 2 (32 and 64 bit), Office for Mac 2011, and the Office Compatibility Pack SP3, as well as SharePoint Server 2010 SP1 and SP2 and Microsoft Office Web Apps 2010 SP1 and SP2. Other versions of Office are not affected.
To exploit this vulnerability, the attacker would need to convince a user to open a Word document that is specially crafted. If successful, the attacker would obtain the same rights as the currently logged on user. The update addresses the vulnerability by correcting the way that Microsoft Office parses specially crafted files.
If you are unable to install the update right away, the simple workaround is to not open (and educate users not to open) an Office files from untrusted sources or received unexpectedly.
MS14-062 (KB2993254) This is a vulnerability in the Message Queuing Service in Windows. It applies to Windows Server 2003 SP2 including 32 bit, x64 and Itanium operating systems and is rated important for all of them.
Note that the Messaging Queuing Service is not installed by default on any operating system so your servers are vulnerable only if this component has been explicitly enabled. If an attacker is able to exploit it, though, it could result in an elevation of privilege which could result in the attacker having full access to the system.
The update addresses the vulnerability by modifying how the Message Queuing service validates input data before passing the data to the allocated buffer. A workaround in lieu of installing the patch is to disable the Message Queuing Service, which can be done for individual machines or via Group Policy.
MS14-063 (KB2998579) This is a vulnerability in the FAT32 Disk Partition Driver in Windows that was reported privately. It affects the older supported operating systems: Windows Vista, Windows Server 2003 and Server 2008, and this includes the server core installation. Later versions of the Windows OS are not affected.
The problem stems from the way the FASTFAT system driver in Windows interacts with FAT32 formatted partitions. If an attacker is able to exploit the vulnerability, he could execute arbitrary code with elevated privileges. The good news is that the attacker would have to have physical access to the system in order to carry out an exploit.
The update addresses the problem by changing the way memory is allocated when a specific function is called.