We are halfway through the year this month. Microsoft is publishing seven bulletins this month bringing the half-year total to 36. This is quite a bit below last year’s pace which was 46. We have become accustomed to see around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its shares of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL. Maybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.
The high priority item this month is Microsoft’s Internet Explorer (IE) Bulletin MS14-035. It addresses a record-breaking 59 distinct vulnerabilities and includes the fix for the 0-day CVE-2014-1770 in IE8. This issue is not under attack, but it was disclosed 2 ½ weeks ago by vulnerability broker ZDI. ZDI had notified Microsoft last October of the use-after-free flaw in the CMarkup object and, when Microsoft did not address it in May, went public with an advisory. The update is rated critical because the vulnerabilities allow Remote Code Execution without user interaction. The attack vector is a web page with malicious content, such as an innocent website that has come under control of the attackers, a page set up by attackers that exploits a popular theme (soccer’s World Cup for example) or just links to pages e-mailed to potential victims with short enticing leads.
Given the volume of work that we do through web browsers, apply this update first.
Our second highest priority is not from Microsoft, but from Adobe. Adobe’s Flash player has a critical update and since attacker’s frequently use Adobe Flash as their tool of choice we recommend installing APSB14-16 next. It is rated critical by Adobe for Windows and Mac. Windows XP users will remain exposed as Adobe is not testing and distributing this update for XP anymore. Google Chrome and IE10/11 users get their updates automatically through the browser that includes Flash, which is a good security enhancing feature. I recommend to everybody switching to these browsers for easier and better security.
Next is the Microsoft Word update MS14-034, which addresses one vulnerability in the program’s font handling (CVE-2014-2778). Microsoft rates it only “important” because user interaction is required – one has to open a Word file – but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files. Who wouldn’t open a document that brings new information about the company’s retirement plan. The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.
The last critical update is MS14-036, which is a new version of the library GDI+. GDI+ parses graphics formats. Graphics parsing requires complex logic and has frequently been associated with attack vectors. It affects Windows, Office and the Lync IM client because they all bring their own copy. There are no known exploits at this time, as opposed to the last update to GDI+ (MS13-096), which addressed a 0-day. You should apply this update as quickly as possible.
The remaining vulnerabilities are:
- MS14-033: an update to MSMXL that prevents the disclosure of the username.
- MS14-030: updates RDP to prevent a MITM vulnerability that can be used to tamper with the session data.
- MS14-031: updates the TCP/IP stack in Windows Vista and addresses a resource exhaustion issue that leads to a Denial of Service situation. Attackers can send specifically created packets with manipulated timestamps that prevent Windows from cleaning up kernel memory.
- MS14-032: a new version Lync Server that addresses a cross-site scripting issue.
In other non-Microsoft news, you have probably also seen the release of a new OpenSSL version. The vulnerabilities addressed do not have the same exploitability than last month’s Heartbleed (HB) issue. With HB, attackers could run their code from any machine that had network access to the target; this new set requires the attacker to be a man-in-the-middle (MITM) between the two parties that communicate, and both parties need to be running OpenSSL. This is a pretty specific situation that does not apply to the typical browser-based scenarios. As curious security searchers continue their HB-inspired audits of the code base, you should consider this a first wave of issues and be prepared to react to more disclosures of this type. By the way, all previous versions of OpenSSL are affected (0.9.8, 1.0.0 and 1.0.1).
For Windows XP users: The majority of these vulnerabilities apply to your operating system, including remote code execution against IE (MS14-035), Word (MS14-034) and GDI+ (MS14-036). You should update or replace all XP machines with supported versions urgently.
Stay tuned to this blog for more developments.