Summary: This is a minor change to add flexibility in expanded platform support. There will be no downtime with this update, but you will need to make changes to policies and possibly some controls being used against Windows 2012 R2 or Windows 8.1.
While the Black Hat security conference is ongoing in Las Vegas (stay tuned to this blog for a rundown of our favorite presentations), Microsoft has published their Advance Notice for the month of August. That document gives us an idea of the size of next week’s Patch Tuesday: we will get nine bulletins affecting a wide variety of Microsoft software including Internet Explorer, Windows, Office, SQL Server and Sharepoint. Two of the bulletins are rated “critical,” as they allow for Remote Code Execution (RCE) and a third one for Microsoft Office OneNote also provides RCE capabilities.
July’s Advance Notice by Microsoft has just arrived. This month, Microsoft is publishing six bulletins, affecting all versions of Internet Explorer, Windows and one server component. Two bulletins are rated “critical,” as they allow for Remote Code Execution (RCE), and three are rated “important,” as they allow for elevation of privilege on Windows.
The most critical patch to consider is Bulletin 1, which is for all versions of Internet Explorer (IE), all the way from Internet Explorer 6 (now only supported on Windows Server 2003, since XP has been retired) to the newest IE 11 on Windows 8.1 and RT. This patch should be top of your list, since most attacks involve your web browser in some way. Take a look at the most recent numbers in Microsoft SIR report v16, which illustrate clearly that web-based attacks, which include Java and Adobe Flash, are the most common.
Bulletin 2 is a critical update for Windows, and all desktop versions (Vista, Windows 7, 8 and RT) are affected. On the server side all but the oldest, Windows Server 2003, are affected. The update will require a reboot, which is something to include in your planning, especially on the server side.
Bulletins 3, 4 and 5 are all elevation of privilege vulnerabilities in Windows. They affect all versions of Windows. They are local vulnerabilities, i.e. they cannot be used to achieve code execution remotely through the network, but require that the attacker already has a presence on the targeted machine as a normal or standard user. Exploits for these types of vulnerabilities are part of the toolkit of any attacker, as they are extremely useful once the attacker gets an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to ensure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider them extremely important to fix to help frustrate or slow down attackers once they are on the target machine.
Lastly, Bulletin 6 is a Denial of Service vulnerability in the Service Bus for Windows. The Service Bus is a newer component of Windows in use in the Windows Azure environment for the development of loosely coupled applications. In our estimate few companies will have installed that component, and on Azure, Microsoft will take care of the patching for you.
Also this month, Oracle is publishing their Critical Patch Update (CPU) for July 2014. It is expected to come out on July 15 and typically contains fixes for hundreds of vulnerabilities. How applicable the patches are for your organization depends on your software inventory, but at least the update for Java will be important for most organizations.
Please stay tuned to this blog for next week’s release and further updates from Oracle.
Microsoft updated the security advisory page for May today, and we are expecting eight security bulletins next Tuesday. Three of the bulletins address vulnerabilities that can be used by an attacker for Remote Code Execution (RCE), which is the highest-priority type of vulnerability.
Bulletin #1 is rated critical, addresses Internet Explorer (IE) and affects all currently supported versions from IE6 to IE11. IE6, IE7 and IE8 are being patched for Windows Server 2003, but not for Windows XP, which had its End-of-Life date last month in April 2014 and will not receive any more regular updates. The Internet Explorer update should contain the cumulative fix for last month’s 0-day, already addressed by Microsoft in an out-of-band fashion last week in MS14-021, and the vulnerabilities disclosed during this year’s PWN2OWN competition at CanSecWest. This update should be high on your list, especially if you have not applied MS14-021 yet.
Bulletin #2 addresses critical vulnerabilities that also allow for RCE in Sharepoint server 2007, 2010 and 2013, plus a number of other server platforms. This should be high on your list, especially if you expose any of the listed platforms on the Internet.
Bulletin #3 is an update for Office 2007, 2010 and 2013. It is rated important and provides RCE to the attacker, indicating that the attack vector is a malicious document that the target has to open in order to trigger the attack. Attackers would use a document like that in a social engineering attack, which aims at convincing the user to open the document, for example by making it appear to come from the user’s HR department or by promising information about a subject of interest to the user.
The remaining bulletins are fixes for Windows, .NET and Office that address local vulnerabilities, with the exception of Bulletin #7, which addresses a Denial-of-Service condition in Server 2008 R2 and 2012 R2.
In addition to Microsoft, Adobe has announced that they will publish a new version of Adobe Reader. Since the PDF format is frequently abused by attackers, you should include Adobe Reader on your priority list.
Update2: MS14-021 has now been published. Note that, unlike a normal update, it is not cumulative (i.e. it only addresses this particular vulnerability, CVE-2014-1776, which is common for an out-of-band update such as this one), and it is recommended to install the latest cumulative update before applying MS14-021, i.e. MS14-018 for most versions of Windows, but MS14-012 for IE11 on Windows 7 and Windows 8.
While attacks continue to be targeted, we recommend installing this update as soon as possible, rather than waiting 2 weeks for next Patch Tuesday.
Update: Microsoft will release an out-of-band patch for Internet Explorer later today, and it will include an update for Windows XP. Good news for users of the operating system that went EOL last month. Stay tuned for more news.
Original: Microsoft just published security advisory 2963983 which acknowledges limited exploits against a 0-day vulnerability in Internet Explorer (IE). The vulnerability CVE-2014-1776 affects all versions of IE starting with version 6 and including version 11, but the currently active attacks are targeting IE9, IE10 and IE11. The attack vector is a malicious web page that the targeted user has to access with one of the affected browsers.
Tuesday, April 8, 2014 – today Microsoft came out with the bulletins for April Patch Tuesday. It is a small release with only four bulletins, MS14-017 to MS14-020, a light patch Tuesday for the second month in a row.
But the Microsoft bulletins are not the most important item this month (even though MS14-017 fixes the current Word 0-day); rather, two other items are: the new Heartbleed bug that impacts OpenSSL, and the arrival of Windows XP end of life. I will tackle each in turn:
Tomorrow marks the end of support for Windows XP by Microsoft. There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP. There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft.
Update2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:
- The attackers use a listoverridecount level of 25, which is outside of the 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
- This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained, no additional setup files are needed.
Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable RTF opening anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability that can be found with relatively little investment in file fuzzing. See Charlie Miller’s presentation on "dumb fuzzing" for some initial reading.
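As an added example (not from this post or from McAfee’s analysis), here is a small Python heuristic a mail gateway or triage script could run on inbound RTF attachments: it parses RTF control words and flags any listoverridecount parameter outside the 0, 1 or 9 that the specification allows, which is the anomaly the analysis above describes. The two sample documents are constructed for the example and are not real-world files.

```python
import re

# Parameter values the RTF specification permits for \listoverridecount
# (the post cites 0, 1 or 9); anything else is flagged as out-of-spec.
ALLOWED_LISTOVERRIDECOUNT = {0, 1, 9}

# An RTF control word: backslash, ASCII letters, optional signed decimal parameter.
_CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")

# Constructed sample documents (not real-world files). The second one carries
# the out-of-spec value 25 described in the post.
BENIGN_RTF = (b"{\\rtf1\\ansi{\\*\\listoverridetable{\\listoverride\\listid1"
              b"\\listoverridecount9\\ls1}}Hello}")
SUSPICIOUS_RTF = (b"{\\rtf1\\ansi{\\*\\listoverridetable{\\listoverride\\listid1"
                  b"\\listoverridecount25\\ls1}}Hello}")


def is_rtf(data: bytes) -> bool:
    """RTF documents start with the '{\\rtf' group opener."""
    return data.lstrip().startswith(b"{\\rtf")


def listoverridecount_values(rtf: bytes) -> list[int]:
    """Every numeric parameter passed to \\listoverridecount, in document order."""
    return [int(param) for word, param in _CONTROL_WORD.findall(rtf)
            if word == b"listoverridecount" and param]


def suspicious_listoverridecount(rtf: bytes) -> list[int]:
    """Values outside the specification; an empty list means the check passed."""
    return [v for v in listoverridecount_values(rtf)
            if v not in ALLOWED_LISTOVERRIDECOUNT]


def scan_rtf(data: bytes) -> dict:
    """Summarise the heuristic for one file (is it RTF, did the check fire, which values)."""
    if not is_rtf(data):
        return {"is_rtf": False, "suspicious": False, "values": []}
    bad = suspicious_listoverridecount(data)
    return {"is_rtf": True, "suspicious": bool(bad), "values": bad}


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, scan_rtf(doc))
```

This is a narrow signature for one malformed control word, not a general RTF validator; it complements patching and the KB2953095 FixIt rather than replacing them, and a hit should route the attachment to sandbox analysis rather than be treated as proof of compromise on its own.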
Next week, Microsoft will deliver its last set of public security patches for Windows XP.
The end-of-life for XP, which has been announced for a number of years now, means that computers running XP will be very attackable in the near future. Over 70% of Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change in the near future. XP will be affected by a large percentage of the problems exposed in May, June and July, but there will be no remedy (except for companies that pay for extended support – an option that costs at least US$ 100,000/year).
Today Microsoft released the bulletins for March Patch Tuesday. We have five bulletins, MS14-012 to MS14-016, a light Patch Tuesday by all comparisons, even with Adobe chiming in with an update that is non-critical. If it weren’t for the Internet Explorer (IE) patch that addresses the 0-day that was found during last month’s Patch Tuesday, one could call it almost uneventful.