Update: we have released QID 38602, a remote check for the OpenSSL issues. For a full list of QIDs (remote and authenticated) see QIDs for OpenSSL Security Advisory [05 Jun 2014]
Original: It’s the Thursday before June’s Patch Tuesday, and Microsoft’s Advance Notice just has gone live. In addition, there was an advisory about new fixes for OpenSSL, which comes quite soon after the Heartbleed vulnerability and the numerous exploits it enabled.
Microsoft is publishing seven bulletins this month, affecting all versions of Internet Explorer, Windows, some Office and server components. Two bulletins are rated “critical”, but three allow for Remote Code Execution.
Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 11 on Windows 8 and RT, and should be on the top of your patching efforts. We expect it to contain for last month’s 0-day in IE8, that came about because Microsoft ran afoul of ZDI’s 180 day fix time limit. Since Microsoft had to tactically address 0-days for two months in a row in April and May, they had to push the fix for the ZDI vulnerability. This one is top of the list for you to fix, since all the information has been out there for over two weeks.
Bulletin 2 is a bit strange, because it affects Windows, Office and Lync, the Microsoft IM client. It must be in a component that is present separately in all three software packages. In addition it is rated only “important” in Office, indicating that it is a file-based vulnerability. Our bet is on a graphics format vulnerability, but we will see next Tuesday. Keep an eye on this one.
Bulletin 3 is the last RCE type bulletin. It concerns a file format based vulnerability only in Microsoft Word 2007 (probably in Word 2003 as well – but that is not maintained anymore…). newer versions of Office are not affected.
The remaining bulletins affect Windows and Lync Server and are all rated “important”. Tune in for more specific info next Tuesday.
Now to OpenSSL. After the huge impact that Heartbleed (HB) vulnerability had on the overall security of the Internet, where an estimated 24% of all machines were affected, many security researchers started their independent audits of the OpenSSL code, some even forking their own version (LibreSSL). So it is no big surprise that new vulnerabilities have been found due to these efforts.
According to Ivan Ristic, our Director of Qualys SSL Labs and local SSL guru, the vulnerabilities are serious, but will have far less impact than Heartbleed. The main vulnerability (CVE-2014-0224) is a man-in-the-middle type scenario between two machines running OpenSSL that allows for the decryption of the data sent. In most of our typical communication (browser web server) we do not have 2 machines running OpenSSL, because the browser uses a different SSL library. So while there are certainly situations where OpenSSL talks to OpenSSL, for example in commandline tools, server to server communication and also in Android browsers (Chrome and native), which use OpenSSL, the conditions necessary for exploitation are quite a bit harder to find. In addition the vulnerability requires man in the middle positioning for exploitation which is limiting, but as better tools are developed, automation might enable easy mass-exploitation on wi-fi networks and similar environments. For example, password and session identifier harvesting from popular web sites could be easily automated in this scenario. So, update your OpenSSL with the newest and prepare for frequent updates in OpenSSL’s future as these are not the last bugs that will be found in this software package. BTW, differently from HB all versions of OpenSSL are affected, 1.0.1, 1.0.0 and 0.9.8 so even the laggards that were not impacted by HB need to update this time. The reporter of the vulnerability Masashi Kikuchi has published a blog post that goes into more technical detail – great read.