October 2014 Patch Tuesday from Microsoft focuses mainly on desktop software such as Windows, Office, Word and Internet Explorer, with attack vectors that target end users. Several of the vulnerabilities are already in use by attackers in the wild and should receive extra urgent treatment from enterprises and end users alike. iSIGHT Partners is reporting its research on a malware campaign that has been active for five years. They have dubbed the campaign "Sandworm" because of the Dune references in its command-and-control URLs. One iteration of the campaign, during the summer of 2014, used a 0-day vulnerability in Windows (CVE-2014-4114) triggered through a malicious PowerPoint file. Microsoft is addressing that flaw today in MS14-060.
In addition, FireEye has documented cases where a 0-day font vulnerability addressed in MS14-058 is being used in the wild in targeted attacks.
Overall, five of the eight bulletins allow for remote code execution (RCE), a higher than usual number. Microsoft had originally announced nine bulletins, but the Office vulnerability rated moderate in Bulletin #4 of the advance notification has been held back.
There is also one server-side bulletin, which addresses a problem in the ASP.NET MVC web framework.
We have grouped this month’s bulletins into three categories:
Category 1: Bulletins with active targeted attacks in the wild AND no warning or prompt given to the user during the course of the exploit. This includes:
- MS14-058: This kernel-mode driver (win32k.sys) bulletin fixes two vulnerabilities. CVE-2014-4148 is an RCE issue that can be exploited if the victim visits a website serving malicious TrueType fonts (TTF) or opens an Office document that embeds such a font. CVE-2014-4113 is an elevation of privilege (EoP) issue in the same driver. Both vulnerabilities are being actively exploited in the wild in targeted attacks; see FireEye's blog post for a technical explanation.
- MS14-056: This Internet Explorer bulletin fixes 14 issues, the majority rated critical. There are targeted attacks in the wild exploiting CVE-2014-4123. This CVE is a sandbox escape through the ActiveX broker, an EoP rather than an RCE, so on its own it does not get an attacker code execution; it has to be paired with a separate code execution bug, and this bulletin fixes a number of RCE issues that fit that role.
Category 2: Bulletins with either active targeted attacks OR no warning or prompt given to the user during the course of the exploit. This includes:
- MS14-060 (Sandworm): This OLE bulletin fixes a vulnerability (CVE-2014-4114) that has been actively exploited in the wild and can lead to malicious programs being executed on victim machines. Setting UAC to its highest level ("Always notify") helps mitigate the impact of this vulnerability, because the user is prompted before the payload runs.
- MS14-057: This .NET Framework bulletin fixes three vulnerabilities. The most critical is CVE-2014-4121, an underflow in URI parsing that is triggered by certain international (Asian-language) Unicode characters and can lead to RCE. No active attacks are known for this bulletin.
- MS14-061: This bulletin fixes a vulnerability in Microsoft Word that an attacker can use for RCE through a malicious document.
Category 3: Bulletins whose impact is limited to EoP, that require physical access, or that otherwise have lower impact. This includes:
- MS14-062: This bulletin fixes a local EoP issue in the kernel-mode driver of the Message Queuing (MSMQ) service and only affects Windows Server 2003.
- MS14-063: This fastfat.sys bulletin fixes an EoP vulnerability whose exploitation requires the ability to physically plug a malicious USB stick into the victim computer.
- MS14-059: This ASP.NET MVC framework vulnerability is a cross-site scripting (XSS) issue. Its impact can be reduced on the client side by the XSS filter in Internet Explorer, but that is no substitute for applying the update on the server.
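As an added example (not code from the original post), the following PowerShell reports whether the Windows-component bulletins above are installed on a host and whether UAC is at "Always notify", the mitigating setting mentioned for MS14-060. It assumes Get-HotFix is available (PowerShell 2.0 or later) and takes the KB numbers from the bulletin titles, which you should confirm against the bulletins before trusting the result; the .NET, ASP.NET MVC and Word bulletins ship as per-product packages with their own KB numbers that Get-HotFix does not see, so the script leaves them out on purpose.

```powershell
# Added example, not code from the original post. Reports whether the
# Windows-component bulletins from this Patch Tuesday are installed and whether
# UAC is at "Always notify", the setting named as a mitigation for MS14-060.
# KB numbers come from the bulletin titles; confirm them against the bulletin
# text before relying on the result. MS14-057 (.NET), MS14-059 (ASP.NET MVC)
# and MS14-061 (Word) ship as per-product packages with their own KB numbers and
# are not visible through Get-HotFix, so they are deliberately left out.

$bulletins = @{
    'MS14-056' = 'KB2987107'   # Internet Explorer cumulative update
    'MS14-058' = 'KB3000061'   # kernel-mode driver, CVE-2014-4148 / CVE-2014-4113
    'MS14-060' = 'KB3000869'   # OLE, CVE-2014-4114 (Sandworm)
    'MS14-063' = 'KB2998579'   # fastfat.sys EoP
}
# MS14-062 (KB2993254) only applies to Windows Server 2003 (NT 5.2), so it is
# only checked there; on other versions a "MISSING" line would be misleading.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and $os.Minor -eq 2) { $bulletins['MS14-062'] = 'KB2993254' }

# Get-HotFix reads Win32_QuickFixEngineering, i.e. updates applied to Windows itself.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

foreach ($entry in $bulletins.GetEnumerator() | Sort-Object Key) {
    $state = if ($installed -contains $entry.Value) { 'installed' } else { 'MISSING' }
    '{0} ({1}): {2}' -f $entry.Key, $entry.Value, $state
}

# UAC "Always notify" is EnableLUA=1, ConsentPromptBehaviorAdmin=2 and
# PromptOnSecureDesktop=1. The Windows default ("notify me only when programs
# try to make changes") is 1, 5, 1; "Never notify" disables prompting entirely.
# Windows XP and Server 2003 have no UAC, so these values are empty there.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key
$alwaysNotify = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorAdmin -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)

if ($alwaysNotify) {
    'UAC: Always notify (mitigating setting for MS14-060 is in place)'
} else {
    'UAC: not at Always notify (EnableLUA={0}, ConsentPromptBehaviorAdmin={1}, PromptOnSecureDesktop={2})' -f $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop
}
```

Run it from an elevated PowerShell prompt on each host, or wrap it in Invoke-Command for a fleet; a "MISSING" line for MS14-060 on a machine where UAC is also below "Always notify" is the combination to chase first, since that is the bulletin with a confirmed in-the-wild exploit and no prompt to warn the user.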
Adobe is releasing an update to Flash Player with advisory APSB14-22, which addresses three RCE-type vulnerabilities. Installations running Internet Explorer 10 and 11 on Windows 8 and later receive this update automatically through Windows Update (Google Chrome likewise updates its bundled Flash on its own). Users of older browsers or of other operating systems should apply this critical update manually.
In keeping with this month's desktop theme, Java will also get an update from Oracle. It addresses 25 CVEs, 22 of which are usable for RCE. We do not know how many are under attack in the wild, but with a number like that it is certainly worth updating.
Overall, this Patch Tuesday packs quite a punch with many critical issues. Combined with the massive Oracle Critical Patch Update (CPU) for October 2014, scheduled for release later today, these updates will keep system administrators up late tonight. Stay tuned for our next post on the Oracle CPU this afternoon.