After initially announcing five bulletins (two critical, three important) last week, Microsoft added two new bulletins, both critical, and both related to Internet Explorer (IE), to the lineup. Last week, packaging problems prevented their inclusion in the pre-announcement, but these issues were resolved over the weekend, giving us a total of seven bulletins addressing 32 vulnerabilities for February 2014.
This month’s top Microsoft bulletin is definitely MS14-010 for IE, which addresses 24 vulnerabilities. The bulletin is rated critical and affects all versions of IE, from IE6 on Windows XP to IE11 on Windows RT. Attacks against the vulnerabilities addressed would come through the most common attack vector: malicious webpages. MS14-007 is the next in our priority list, at least if you are running Windows 7 or later. The patch fixes an issue in the graphics library DirectWrite. The attack would come through the browser in a malicious webpage that uses the <SVG> tag for Scalable Vector Graphics, a good reminder that new technology is usually not free of implementation vulnerabilities.
Speaking of attacks that come through the web, last week Adobe released an out-of-band patch for an Adobe Flash 0-day vulnerability. The attack was detected by Kaspersky and affects all current versions of Adobe Flash on Windows and Mac OS X. If you have Adobe Flash installed directly, please make sure that you fix this vulnerability as quickly as possible.
The two remaining critical Microsoft bulletins are MS14-011, addressing a vulnerability in VBScript, the scripting engine used in IE, again with an attack vector of malicious webpages, and MS14-008, addressing a file format vulnerability in Forefront for Exchange, a legacy anti-spam product for Microsoft Exchange.
MS14-005 for MSXML, MS14-006 for Windows and MS14-009 for .NET are all rated “important” because they do not allow remote code execution, but are limited to fixing Information Disclosures and Denial of Service conditions. The Information Disclosure vulnerability fixed in MS14-005 had previously been used in attacks last year that were countered by bulletin MS13-090, which disabled the ActiveX component that was vital to the attack. MS14-005 now closes the auxiliary flaw to complete the fix. MS14-009 fixes a number of known vulnerabilities, for example the well-known Slowloris HTTP DoS attack.
Microsoft also made the advisory KB2862973, which deprecates the MD5 algorithm in certificates, now an automatic download in Windows Update. The KB was released six months ago in August for manual installation and testing. MD5 deprecation in certificates has become an industry best practice for SSL. In Qualys’ SSL Labs tests, an MD5 certificate leads to a failing grade of F since the January 2014 release.
In addition to last week’s release of Flash, Adobe also released an update to their Shockwave Player. Take a look at APSB14-06 if you run Shockwave.
Overall, we are back to normal after a quiet January Patch Tuesday: Seven bulletins from Microsoft and one from Adobe, with the three highest priority fixes being: Adobe Flash, IE and Windows 7 and 8 – DirectWrite.