Microsoft has released six bulletins today, addressing a total of 29 vulnerabilities, plus three security related security advisories. Two of the bulletins are critical and can be used to get to Remote Code Execution (RCE). Overall a pretty normal Patch Tuesday even adding in the update for Flash that Adobe is coming out with. But July has also the release of the Oracle Critical Patch Update which will give IT administrators an additional 100+ updates to look at and decide how to apply them to their infrastructure taking exploitability and reachability of their devices into account.
This month’s biggest update is also the highest priority one: MS14-037 addresses 24 vulnerabilities in Internet Explorer (IE), almost all user-after-free type vulnerabilities and is valid for all versions (6-11) of Microsoft’s browser. There are no 0-days open for IE, which would dictate the shortest turn-around possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation. Its exploitability index is “1”, which means MIcrosoft rates it as relatively easy (less than 30 days of time) to reverse engineer the vulnerabilities and develop an exploit.
Unless you are running IE10, IE11 or Google Chrome you should look this month’s Adobe Flash fix as your second highest priority. Google Chrome, IE10 and IE11 embed Adobe Flash and update it automatically, so in that case you and your users do not have to do that . Everybody else, Internet Explorer 9 and lower, Firefox and Mac OS X users should update their Flash installation manually. Details can be found in APS14-17 on Adobe’s website.
Next is MS14-038, which fixes a single file-format vulnerability in Windows Journal. I actually had to look up what Windows Journal is, because I had never heard of it. Journal is “notepad” for handwritten notes and first made its appearance in Windows XP Tablet Edition, so this is a vulnerability that really does not apply to a normal Windows XP system. However after XP, it has been included by default in all subsequent Windows versions: Vista, 7 and 8 and can be attacked through a specially formatted input file. The attack vector can be through web-browsing, email or IM or any other means that can be used to send you a .JNT file. Given its obscurity and the potential for more file format problems it is probably a reasonable measure to disable the file extension .JNT
The next three vulnerabilities are in all in Windows, are rated as “important” and provide local escalation of privileges:
- MS14-039: an update to the OnScreen Keyboard which allows the attacker to escape the IE sandbox. Any attack would be very visible as the onscreen keyboard would come up and certainly cause some consternation.
- MS14-040: updates the driver AFD.sys and fixes an escalation of privilege.
- MS14-041: a fix to DirectShow, which addresses another IE sandbox escape.
The last Microsoft bulletin MS14-042 fixes a Denial-of-Service problem in the Windows Service Bus (WBS). WBS is a rather new component in WIndows and most likely only rarely installed. It is an interesting reminder though that our architectures are not becoming simpler. We are constantly adding components to our systems, which bring their own vulnerabilities into the fold.
For Windows XP users: The majority of these vulnerabilities apply to your operating system, except the WIndows Journal application and Windows Service Bus weaknesses. The Internet Explorer vulnerabilities can certainly be exploited on XP as well as the Flash problem. XP users should evaluate urgently using a supported browser if they cannot move away from the operating system.
Stay tuned to this blog for more information on the Oracle CPU that is coming next week.