Welcome to an exciting patch cycle for the month of May. On May 1st, we started the month with an out of band emergency patch (MS14-21) to address vulnerabilities found in the wild for IE. Though Microsoft officially ended support for XP on April 8th, they were kind enough to include that OS in their update. Those of you still running Windows XP systems in your environment are highly recommended to speak with your McAfee sales team about Application Control. Application Control can provide your EOL systems protection against an unpatched vulnerability. Continuing with today’s updates, Microsoft has officially released 8 patches addressing 13 individual vulnerabilities.
Of the eight releases, Microsoft identifies two as “critical” in addition to the critical patch released earlier this month. The remaining patches are labeled “important.” This month’s patches are as follows:
- MS14-021 Security Update for Internet Explorer (2965111) Released Out-of-Band May 1st
- MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
- MS14-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)
- MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)
- MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)
- MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)
- MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)
- MS14-028 Vulnerability in iSCSI Could Allow Denial of Service (2962485)
- MS14-029 Security Update for Internet Explorer (2962482)
Looking over the patches, I would like to highlight the following three critical updates:
The first update I would like to highlight is one of the critical patches affecting multiple versions of IE 6-11. This is the first patch this year to be released out of the normal Microsoft patching cycle because of its known exploits in the wild. The vulnerability is specific to a use-after-free memory corruption vulnerability in VGX.DLL. Successful exploitation can give an attacker the ability to remotely run arbitrary code. The good news is Microsoft not only expedited a patch but was also kind enough to include an update for the recently end-of-life XP. For further information about this vulnerability, please check out the McAfee labs blog: CVE-2014-1776-blog
The second critical patch addresses a vulnerability in multiple versions of Internet Explorer. This update resolves two CVEs in Internet Explorer versions 6-11. These take advantage of memory corruption vulnerabilities found in IE. With a properly crafted website or phishing email, an adversary may obtain complete remote access with the same privileges of the current logged on user. Attacks have been seen recently so immediate patching should be the priority on all systems running IE 6-11.
(CVE-2014-0251, CVE-2014-1754, CVE-2014-1813)
The third critical patch addresses a vulnerability in multiple versions of Share Point Server. This update resolves three CVEs in all versions of Share Point including designer, web apps, foundation and server from 2007 to 2013. All of these take advantage of memory corruption vulnerabilities. With a properly crafted content page, an adversary may obtain complete remote access. Immediate patching should be priority number one on all servers running Share Point.
Aggregate coverage (combining host- and network-based countermeasure together) is 8 out of 13. McAfee Vulnerability Manager has the ability to scan and detect all 13 vulnerabilities. Specifically, coverage for each of the three most critical related vulnerabilities (MS14-029, MS14-022 and MS14-021) are covered by the following McAfee endpoint security software and McAfee Enterprise Firewall:
- BOP (Buffer Overflow Protection ww/ VSE)
- App Control
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email or listening to AudioParasitics, the official McAfee Labs podcast.
For additional useful “security” information, please make note of the following links: