Today, for September’s Patch Tuesday Microsoft released a light load of four security bulletins which fix a total of 42 unique vulnerabilities. In addition, Adobe released a critical patch for Adobe Flash that deserves to be prioritized highly. A second patch for Adobe Reader and Acrobat has been withdrawn from release due to problems in testing and is expected to be published next week.
The bulk of these fixes, 37 in total, are for Internet Explorer bulletin MS14-052 which is rated as ‘Critical.’ The bulletin fixes zero day vulnerability CVE-2013-7331, which can be used to leak information about the targeted machine. CVE-2013-7331 allows attackers to determine remotely through a webpage the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes. This capability has been used in the wild by malware to check if anti-malware products or Microsoft’s Enhanced Mitigation Toolkit (EMET) is installed on the target system and allows the malware to adapt its exploitation strategy. The remaining 36 vulnerabilities that are addressed by MS14-052 all allow for Remote Code Execution (RCE) and are the reason for the Critical rating by Microsoft. Attackers would exploit these vulnerabilities by crafting a special webpage and host the webpage either at an otherwise innocent site that they gained control over or at special sites setup to attract traffic, typically through Search Engine Poisoning. Address this bulletin as quickly as possible.
Our next priority lies in the patch for APS14-21 for Adobe Flash. It is rated ‘Critical’ and allows for RCE. Similar to a vulnerability in a browser, the attack would be executed through a malicious webpage with secondary vectors through Microsoft Office documents. Adobe Flash is quite popular with malware developers as a delivery vehicle. Recent research has shown that the maintainers of Angler exploit kit are using Flash exploits (addressed in Adobe’s April Flash update APS14-13) to inject malware into the browser without writing any files to disk. This capability is stealthier than a normal infection and bypasses a number of the common anti-malware measures. Patch Flash next and keep an eye open for next week’s Adobe Reader update.
The next Microsoft security bulletin MS14-053 is only rated as ‘Important’ but, in our opinion, should be treated as ‘Critical’ if you have ASP.NET framework installed with your IIS webserver. If left unpatched, remote un-authenticated attackers can send HTTP/HTTPS request to cause resource exhaustion, which will ultimately lead to denial-of-service condition on the ASP.NET webserver.
MS14-054 fixes an important local elevation of privilege issues which could allow malware to elevate its privilege to system privilege enabling it to do more damage on the target system.
MS14-055 fixes an issue in Lync server which provides infrastructure for instant messaging, VoIP, audio, video and web conferencing. If left unpatched, remote unauthenticated attackers can send a malicious SIP request which will cause a denial-of-service condition on the Lync server.
In other unrelated news, Apple now emails you when you sign into icloud.com using the web interface. The iCloud web interface had been used to download iPhone backups and to get access to the “selfies” in the user’s photostream, by using phished or brute-forced username/password combinations. This is a good additional security measure for attentive users, but it is an after-the-fact alert only. I am sure there will be more measures coming out, and, in particular, I would like to see the existing 2FA authentication capabilities extended to the iCloud web interface.
To conclude, it’s a light patch cycle, but there are still plenty of security issues around with new, daily information coming in on the current data breaches. Stay safe and prioritize the critical for IE and Flash and ASP.NET and IIS if applicable in your environment.