Welcome to the second Microsoft Patch Tuesday of 2014. This month’s release has the unusual twist of two last-minute critical patches that were announced only yesterday. This is the first time patches have been added at the last minute. Today, Microsoft has officially released 7 patches addressing 32 individual vulnerabilities.
Of today’s seven releases, four are identified by Microsoft as “critical.” The remaining patches are labeled “important” by Microsoft. This month’s patches are as follows:
- MS14-005 Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)
- MS14-006 Vulnerability in IPv6 Could Allow Denial of Service (2904659)
- MS14-007 Vulnerability in Direct2D Could Allow Remote Code Execution (2912390)
- MS14-008 Vulnerability in Microsoft Forefront Protection for Exchange Could Allow Remote Code Execution (2927022)
- MS14-009 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607)
- MS14-010 Cumulative Security Update for Internet Explorer (2909921)
- MS14-011 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (2928390)
Looking over the patches, I would like to highlight the following four critical updates:
The first update I would like to highlight, MS14-010, is one of the critical patches that was added to our list yesterday. This update resolves 24 CVEs in Internet Explorer versions 6-10, only 1 of which is known to be publicly released. Of the 24 CVEs, 22 take advantage of memory corruption vulnerabilities found in IE. With a properly crafted website or phishing email, an adversary may obtain complete remote access to a system, including the ability to elevate the privileges of the currently logged-on user. There is no doubt why Microsoft rushed to make this update part of the month’s allotment of patches. Immediate patching should be priority number one on all systems running IE 6-10.
The second highlighted patch, MS14-011, is the other one that Microsoft added yesterday. It addresses a critical vulnerability in the VBScript scripting engine that can be triggered remotely by malicious code planted in a webpage, allowing the attacker to execute code remotely. All Windows desktop and Windows Server systems running VBScript 5.6-5.8 are affected and should be patched immediately. This patch should be the top priority of your patching cycle this month if you have these versions of VBScript in your environment.
The third update I would like to highlight, MS14-007, is a patch for a vulnerability found in Windows versions 7, 8 and RT as well as Windows Server 2012. This patch addresses another vulnerability that is remotely exploitable through IE, this one found in the graphics application programming interface Direct2D. An adversary can exploit the flaw by attracting users to a webpage hosting malicious code with the specific tag for “Scalable Vector Graphics.” The adversary then gains the same access as the currently logged-on user. Though there are no known exploits of this vulnerability, I would still recommend patching this as soon as possible.
The final update we will look at this month, MS14-008, is for a vulnerability found in Microsoft Forefront 2010 for Exchange servers. This vulnerability involves zero user interaction and only requires the attacker to send a malicious email. Once the email has been scanned by Forefront, the attacker’s code would be executed under the same rights as the Microsoft Forefront Protection service account. If you are running Forefront 2010, we recommend immediate patching. Also, it should be noted that McAfee offers an ePO-managed product for securing Exchange servers from malicious content called McAfee Security for Microsoft Exchange (MSME). Contact your local sales team for more information about MSME.
Aggregate coverage (combining host and network-based countermeasures) is 28 out of 32. McAfee Vulnerability Manager has the ability to scan and detect all 32 vulnerabilities. Specifically, coverage for each of the four most critical related vulnerabilities (MS14-010, MS14-011, MS14-008 and MS14-007) is provided by the following McAfee endpoint security software and McAfee Enterprise Firewall:
- BOP (Buffer Overflow Protection w/ VSE)
- App Control
Further research is being performed 24/7 by McAfee Labs and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.