For the June edition of Patch Tuesday, we have been presented a new record with the largest number of individual vulnerabilities for a single bulletin. Though we have set a record this month for vulnerabilities, as we look at the number of bulletins this year we are more than 20% lower than we were last June. To continue with today’s updates, Microsoft has officially released 5 patches addressing 66 individual vulnerabilities.
Of the five releases, Microsoft identifies two as “critical.” The remaining patches are labeled “important” by Microsoft. This month’s patches are as follows:
- MS14-030 Vulnerability in Remote Desktop Could Allow Tampering (2969259)
- MS14-031 Vulnerability in TCP Protocol Could Allow Denial of Service (2962478)
- MS14-032 Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (2969258)
- MS14-033 Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)
- MS14-034 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)
- MS14-035 Cumulative Security Update for Internet Explorer (2969262)
- MS14-036 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)
Looking over the patches, I would like to highlight the following two critical updates:
The first update I would like to highlight is one of the critical patches affecting multiple versions of Internet Explorer. This update resolves 59 CVEs found in all supported versions of IE 6-11. This includes a patch for the “CMarkup Use-After-Free RCE Vulnerability” in Internet Explorer 8 (CVE-2014-1770). Of the 59 CVEs, two have been publicly disclosed but to our knowledge have not been used in any exploits. With a properly crafted website or phishing email, an adversary may obtain complete remote access with the same privileges of the current logged on user. Immediate patching should be priority number one on all systems running IE 6-11.
The second critical patch addresses a vulnerability in the library GDI+. This update resolves two CVEs in multiple Microsoft products including all supported Windows, Office, and Lync. The two vulnerabilities take advantage of library GDI+ vulnerabilities which would allow an attacker with a properly crafted website or phishing email to obtain complete remote access with the same privileges of the current logged on user. Immediate patching should be priority number one on all systems running Microsoft software.
Aggregate coverage (combining host- and network-based countermeasure together) is 3 out of 7. McAfee Vulnerability Manager has the ability to scan and detect all 7 vulnerabilities. Specifically, coverage for each of the two most critical related vulnerabilities (MS14-035 and MS18-036) are covered by the following McAfee endpoint security software and McAfee Enterprise Firewall:
- BOP (Buffer Overflow Protection ww/ VSE)
- App Control
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email or listening to AudioParasitics, the official McAfee Labs podcast.
For additional useful “security” information, please make note of the following links: