Update: Microsoft has modified the bulletin MS14-045 for Windows and excluded the patch for the font handling vulnerability CVE-2014-1819. The patch can cause the system to lock up (BSOD) and present problems with fonts that are not installed in the default location. Microsoft recommends uninstalling KB2982791 at this time. For more information take a look at the KB article itself. We are interested to know how widespread these problems are. Were you affected? Do you install important level patches immediately, or do you wait for a cool-off period? These questions are important especially when you consider the availability of 1-day exploits, where attackers reverse engineer patches to find new attack vectors:
This example is taken from the capability description of commercial exploit tool (Gamma’s FinFly) but it illustrates the capabilities that a good attack team has.
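As an added example for administrators following the uninstall recommendation above (this script is not part of the original post and is not Microsoft's own tooling), the following PowerShell checks whether KB2982791 is present on a machine and, only if it is, removes it with the standard Windows Update Standalone Installer. It assumes it is run from an elevated prompt; the `-Confirm` switch is a local assumption so that unattended use has to be explicitly requested.

```powershell
# Added example: detect and remove the withdrawn update KB2982791 (MS14-045).
# Assumes an elevated PowerShell session on the affected Windows host.
param(
    # Assumption: callers opt in to the non-interactive uninstall explicitly.
    [switch]$Unattended
)

$kb = 'KB2982791'

# Get-HotFix reads the installed-updates list reported by the OS; a missing
# entry simply returns nothing rather than throwing.
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

if (-not $installed) {
    Write-Output "$kb is not installed on $env:COMPUTERNAME; nothing to do."
    return
}

Write-Output ("{0} is installed (on {1}); Microsoft recommends removing it." -f $kb, $installed.InstalledOn)

if (-not $Unattended) {
    $answer = Read-Host "Uninstall $kb now? (y/N)"
    if ($answer -notmatch '^[Yy]') { Write-Output 'Skipped.'; return }
}

# wusa.exe /uninstall /kb:<number> is the supported way to remove a single
# update; /norestart lets the operator schedule the reboot themselves.
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList '/uninstall', '/kb:2982791', '/quiet', '/norestart' `
    -Wait -PassThru

# wusa returns 3010 when the removal succeeded but a reboot is still pending.
switch ($proc.ExitCode) {
    0    { Write-Output "$kb removed; no reboot required." }
    3010 { Write-Output "$kb removed; reboot required to complete removal." }
    default { Write-Warning "wusa exited with code $($proc.ExitCode); check the Windows Update log." }
}
```

Run it on a handful of representative hosts first; a reboot is usually needed before the font cache behaves normally again, so schedule the restart rather than suppressing it indefinitely.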
Original: It is August Patch Tuesday, the week after Black Hat and DEF CON and we are getting nine bulletins from Microsoft with a total of 41 vulnerabilities addressed plus a new version of Adobe Flash. In addition Microsoft is introducing some new capabilities for automatic ActiveX blocking and announced the phase out of old browsers. All in all, a pretty busy Patch Tuesday with 2 patches that address 0-day vulnerabilities that are seeing attacks in the wild – Internet Explorer and Adobe Flash.
Our highest priority is on MS14-051 for Internet Explorer. The bulletin addresses 29 vulnerabilities, and the most critical ones can be exploited to reach Remote Code Execution (RCE) and complete control of the targeted platform. Microsoft is aware of targeted attacks against vulnerability CVE-2014-2817 and rates this bulletin a “0” on the Exploitability Index, which is a new value on this scale. EI=0 is an indication that attackers are already exploiting at least one of the vulnerabilities. As a whole the vulnerabilities affect all supported versions of Internet Explorer from IE6 to IE11. Attackers would trigger these vulnerabilities through a webpage that hosts the malicious code, which is the most common attack scenario besides phishing. Apply this bulletin first.
Our second priority for this Patch Tuesday comes from Adobe with the rated “critical” update APSB14-19 for Adobe Reader. It addresses one vulnerability that is seeing limited targeted attacks in the wild. If we follow Microsoft’s new standard for the Exploitability Index, this would deserve a 0, the most urgent rating. Adobe rates it a "1", their most critical rating at the moment. Address as quickly as possible if you run Adobe Reader on Windows. Mac OS X users are not affected. Adobe also released APSB14-18 for Flash, which addresses seven vulnerabilities and includes fixes for problems that can be used to take control over the targeted machine. We recommend applying the update as quickly as possible, at least for anybody that does not have embedded Flash updates, i.e. older Internet Explorer, Firefox and Safari users. Google Chrome and Internet Explorer 10/11 users get the benefit of having Flash embedded and so get auto update functionality.
Back to Microsoft and Internet Explorer: this month’s IE release is getting a new whitelist mechanism, which limits the versions of ActiveX libraries that IE allows to run in the Internet Zone. The initial idea is to forbid the execution of older Java versions in order to close down a very popular recent attack vector. By default the whitelists are not applied in the “Trusted Sites” or “Local Intranet” zones, which will continue to allow older Java and minimize disruption. The blocking functionality will only be enabled in the September IE release; until then actions are limited to logging, which you can use to judge the impact of this new mechanism. We like this whitelisting idea, which provides a light-weight and out-of-band (updates are applied every 12 hours) mechanism to close down the outdated ActiveX attack vector, and we expect to see more ActiveX controls included in future releases. Take a look at Microsoft’s post, which has more technical details.
Microsoft also announced their end-of-life plans for older browsers on their platforms. On Patch Tuesday January 2016 they will stop supporting all backlevel (i.e. not latest version) browsers for all current operating systems. In practice this means that IE11 will be the only supported browser, with exceptions for IE9 on Vista and Server 2008 and IE10 on Server 2012. Microsoft recommends using “Enterprise Mode” on IE11 for anybody that requires legacy functionality and this announced shutdown is certainly a good reason to start moving away from these old browsers.
The next bulletin in our list is MS14-043, an update to Microsoft Windows to address a vulnerability in a media library. Attackers can get RCE through media files embedded in Microsoft Office documents, and an attack through simple web browsing is possible as well.
MS14-048 is this month’s last RCE type vulnerability. It affects the OneNote application in Microsoft Office 2007, which allows the installation and execution of an arbitrary file through a path traversal vulnerability. We expect few installations – OneNote is not one of the core Office products and 2007 is the oldest version of Office currently available. If you run 2007 you should certainly check into this bulletin or, better, work on upgrading to a newer Office version, which brings significant security benefits.
The remaining vulnerabilities are a mixed bag and address a DoS problem in SQL Server (MS14-044), a SharePoint issue in MS14-050, a Kernel problem in win32k.sys in MS14-045 and 2 ASLR bypasses in MS14-046 and MS14-047.
Overall, as already mentioned, a pretty busy Patch Tuesday. Focus on the IE bulletin and take your time to evaluate the new whitelisting mechanism. If you are interested in a good description of a typical attack against a company, take a look at the details of the Gamma/Finfisher hack and go through the motions to see how your perimeter would have held up.