Hello everyone,

 

This is Greg Blaum, and I’ll be providing the Microsoft Patch Tuesday newsletter moving forward. I came to McAfee earlier this year from Microsoft, where I worked for 20 years.

 

Welcome to the September 2014 Patch Tuesday update. This is a relatively light month for security updates from Microsoft. Only one of the bulletins is rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the vulnerabilities that system administrators are usually most concerned about and attempt to patch as quickly as possible. The lone Critical vulnerability this month affects Internet Explorer on all currently supported Microsoft operating system platforms. The other three Microsoft Security Bulletins this month are all rated Important.

 

This month’s patches include the following:

 

| Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | McAfee Coverage |
|---|---|---|---|---|---|---|
| MS14-052 | 2977629 | Cumulative Security Update for Internet Explorer | Critical | Remote Code Execution | MTIS14-137, MTIS14-138 | Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway, NSP |
| MS14-053 | 2990931 | Vulnerability in .NET Framework Could Allow Denial of Service | Important | Denial of Service | MTIS14-138 | Covered Products: Vulnerability Mgr. Under Analysis: Firewall Enterprise |
| MS14-054 | 2988948 | Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS14-138 | Covered Products: Vulnerability Mgr. Under Analysis: Firewall Enterprise |
| MS14-055 | 2990928 | Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service | Important | Denial of Service | MTIS14-138 | Covered Products: Vulnerability Mgr. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
 


Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS14-052 (CVE-2013-7331, CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, & CVE-2014-4079 through CVE-2014-4111)

 

Herein lies the most critical of this month’s patches. This particular vulnerability affects multiple versions of Internet Explorer, from version 6 through version 11. Because such a wide range of Internet Explorer versions is affected, a very large installed base of Internet Explorer users is exposed. Let’s break this one down a bit more:

 

  • Attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits this vulnerability. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen or an email message, or by opening an infected attachment. Good email hygiene, with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place, will help reduce the chance that users stray to an affected website. Since we expect some of the known-bad sites on the Internet to harbor this type of attack, good web browsing habits and tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
  • The mechanism of this attack is the Microsoft XMLDOM ActiveX control. Once the vulnerability is exploited, an attacker could potentially execute arbitrary code in the context of the current user account.
  • Once the vulnerability is exploited, the attacker could gain the same rights as the current user. This is yet another instance that strengthens the argument for running as a standard user instead of having full administrative user rights.
  • Lastly, this vulnerability has been publicly disclosed, and there are active attacks that attempt to exploit it.


As you can see from the number of CVEs listed, there are many individual threats wrapped together in this overall vulnerability. The McAfee Labs Threat Advisories break down the individual threats, which McAfee products are Covered Products, and which McAfee products are Under Analysis.

 

MS14-053 (CVE-2014-4072)

 

Here we have a vulnerability in the Microsoft .NET Framework that could potentially allow a denial of service attack. Specifically, an affected machine has to be configured as a web server with ASP.NET installed and registered with IIS. This vulnerability is present in quite a few different versions of the .NET Framework and on many different Windows versions. To exploit this vulnerability, an attacker would need to send a small number of specially crafted requests to a .NET server with ASP.NET installed. The performance of the server would degrade significantly enough to effectively result in a denial of service. It can be exercised by an anonymous, unauthenticated user. The bottom line is that if you’re running a Windows IIS web server with .NET Framework and ASP.NET installed, this is a vulnerability that you should investigate.

 

MS14-054 (CVE-2014-4074)

 

This security update addresses a vulnerability in the Windows Task Scheduler that is integrated with Microsoft Windows. An attacker could exploit this vulnerability to execute code and take complete control of a Windows system. However, readers should note that this can only be done by an attacker who has valid login credentials and can log on locally to a system that has not been patched. This limits potential exposure somewhat, as it is not remotely exploitable and cannot be accomplished by an anonymous user who does not have valid credentials. It only affects the more recent versions of Windows: Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. If an administrator wants to mitigate this, they could also turn off the Windows Task Scheduler service.

 

MS14-055 (CVE-2014-4068)

 

This security update addresses a vulnerability in Microsoft Lync Server (2010 and 2013 versions). An attacker could exploit this vulnerability by crafting a special call to the Lync Server, which would improperly handle this call and cause an exception. This vulnerability is limited to a denial of service attack, and the attacker would not receive any elevated permissions on the Lync Server. It should be noted that this only affects the Lync Server products, not the Lync clients that run on workstations and connect to the Lync Server. Fortunately, Microsoft received information about this vulnerability through coordinated vulnerability disclosure channels and they have not received any reports that this has been exploited in the wild.

 


NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories (MTIS14-137 and MTIS14-138) will be published to the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

 

You can also review the Microsoft Summary for September 2014 at the Microsoft site.

 

Until next month…stay safe!

-Greg