September has long been my favorite month, for a number of reasons. I always enjoy the cooler autumn weather and the fall foliage. It’s also my birthday month – although the excitement associated with adding another year to my age isn’t quite what it once was. I still like surprise parties and gifts, though.
Microsoft didn’t surprise me with a one-patch Tuesday, but they did gift me with a relatively light slate of security updates this month. I’ll take it – especially if these turn out to be the kind that install smoothly and don’t cause any major problems and don’t have to be revoked and re-released (crossing my fingers).
Of the four updates coming our way this time, only one is critical. The other good news is that none of these are Office updates; for some reason, patches for Office seem to be the ones that so often cause problems – although of course, anytime you modify the kernel or other integral Windows components, there’s always the potential for bad things to happen.
It would be great if we could keep the patch count low for the next few months as we all inevitably get busy with the holiday season, but I’m not going to count on it. Meanwhile, let’s delve into the details of these four updates and the vulnerabilities they address. For the official and complete low-down on these patches, be sure to check out the bulletin summary on the Microsoft web site.
MS14-052 (KB2977629) This month’s lone critical update is yet another cumulative update for Internet Explorer. We seem to get one of those just about every month, and that makes sense given that the web browser is the most used application on most systems and the favorite target of attackers. This one applies to all currently supported versions of IE (version 6 through version 11), running on all supported versions of Windows, including RT and RT 8.1. The exception, of course, is server core installations since they don’t have a web browser installed.
As usual, the critical rating applies to client operating systems, while the server operating systems – which run a more locked down version of IE by default – have a moderate severity rating. The update addresses a whopping thirty-seven different vulnerabilities, one of which was disclosed publicly with the rest having been reported privately. The most serious are remote code execution vulnerabilities that an attacker can exploit if the user views a malicious web page.
As most of these vulnerabilities pertain to memory corruption issues, the update fixes the problems by making changes to the way IE handles objects in memory, and also adds more permission validations. One of the vulnerabilities is an information disclosure issue, which is caused by the way the XMLDOM ActiveX control allows local resources to be enumerated; the update limits access to that loaded resource data. The update also includes improvements to the XSS Filter.
MS14-053 (KB2990931) This update addresses a vulnerability in the .NET Framework when ASP.NET is installed on the system. It impacts all versions of the .NET Framework, versions 1.1 SP1 through 4.5.2, with the exception of .NET Framework 3.5 SP1, running on almost all supported versions of Windows client and server operating systems, including server core installations. The only OS exception is the server core installation of Server 2008. Note that Server 2008 R2 is affected. In addition, only systems with ASP.NET installed are affected, and it is not automatically installed with .NET Framework. You must manually install and register ASP.NET, so that greatly lessens the scope of this vulnerability and is most likely the reason it’s rated important rather than critical.
On affected systems, an attacker could exploit the vulnerability to create a denial of service by sending specially crafted requests to a .NET web site. There is also a workaround for this issue for developers, which involves generating unique hash codes on a per-application-domain basis, but it’s limited in usage. See the bulletin for more details on this.
The vulnerability results from the way .NET Framework hashes requests and inserts the data into a hash table, which can cause a hash collision. Multiple collisions can impact the performance of the hash table, leading to the denial of service. The update fixes the problem by correcting the way the .NET Framework handles those specially crafted requests.
MS14-054 (KB2988948) This update addresses a vulnerability in a Windows component that we don’t often think about: Windows Task Scheduler. It only applies to newer versions of Windows, specifically Windows 8 and 8.1, RT and RT 8.1 and Server 2012 and 2012 R2. That does include the server core installation. Previous versions of Windows are not affected. It’s rated important for all affected systems.
The vulnerability is an elevation of privilege issue that can only be exploited by an attacker who is able to log on locally to an affected system with valid credentials and run a specially crafted application, which of course greatly limits the scope of impact. Attackers cannot exploit this vulnerability remotely over the network.
The vulnerability is caused by the way the Windows Task Scheduler conducts integrity checks on tasks. In the event that an attack is able to exploit it, the ramifications could be serious as the attacker would be able to run arbitrary code and install programs, create new accounts and change or delete data. One workaround is to turn off the task scheduler service, which can be done by editing the registry. Of course, this would prevent you from being able to run scheduled tasks, and would also affect any processes and applications that rely on Task Scheduler.
The update fixes the problem by changing the way integrity checks are conducted by Task Scheduler.
MS14-055 (KB2990928) This update will only be of interest to those who are running Lync communications servers. It addresses three vulnerabilities in the server software that were privately reported to Microsoft. It affects Lync Server 2010 and 2013 server components, but does not impact earlier versions of the communications server software (Microsoft Communications Server and Microsoft Communicator products). It also doesn’t affect the Lync client software for Windows, Lync mobile apps for various platforms, or Lync for Mac. The severity rating is listed as important, although not all of the vulnerabilities impact all of the affected software components.
Two severe of the three vulnerabilities could enable an attacker to create a denial of service by sending a specially crafted request to a Lync server. The remaining vulnerability can create an information disclosure issue. The update fixes the problems by changing the way Lync Server sanitizes user input and handles null references and exceptions.