Hello everyone,

 

This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for October 2014.

 

Welcome to the October 2014 Patch Tuesday update. This month we have a total of eight security updates from Microsoft. Three (3) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code execution without any user interaction. These are the vulnerabilities system administrators are usually most concerned about and try to patch as quickly as possible. The three (3) Critical bulletins this month affect Internet Explorer, the .NET Framework, and Windows kernel-mode drivers. The remaining five (5) Microsoft Security Bulletins this month are all rated Important.

 

This month’s patches include the following:

 

All eight bulletins are covered by McAfee Labs Security Advisory Number MTIS14-158. For each bulletin the entry below lists the Bulletin Number, KB Number, Title, Bulletin Rating, Vulnerability Impact, and McAfee Coverage (Covered Products and products still Under Analysis).

MS14-056 (KB 2987107): Cumulative Security Update for Internet Explorer
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Coverage
    Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise, DAT, Web Gateway, NSP

MS14-057 (KB 3000414): Vulnerabilities in .NET Framework Could Allow Remote Code Execution
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Coverage
    Covered Products: Vulnerability Mgr, NSP, BOP, Host IPS, Application Control
    Under Analysis: Firewall Enterprise, BOP, Application Control

MS14-058 (KB 3000061): Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Coverage
    Covered Products: Vulnerability Mgr
    Under Analysis: Firewall Enterprise, BOP, Host IPS, NSP, Application Control

MS14-059 (KB 2990942): Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass
  Bulletin Rating: Important
  Vulnerability Impact: Security Feature Bypass
  McAfee Coverage
    Covered Products: Vulnerability Mgr
    Under Analysis: Firewall Enterprise, NSP

MS14-060 (KB 3000869): Vulnerability in Windows OLE Could Allow Remote Code Execution
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Coverage
    Covered Products: Vulnerability Mgr
    Under Analysis: Firewall Enterprise, NSP, BOP

MS14-061 (KB 3000434): Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Coverage
    Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control
    Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS14-062 (KB 2993254): Vulnerability in Message Queuing Service Could Allow Elevation of Privilege
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Coverage
    Covered Products: Vulnerability Mgr
    Under Analysis: Firewall Enterprise, NSP

MS14-063 (KB 2998579): Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege
  Bulletin Rating: Important
  Vulnerability Impact: Elevation of Privilege
  McAfee Coverage
    Covered Products: Vulnerability Mgr
    Under Analysis: Firewall Enterprise, NSP
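Before going bulletin by bulletin, here is a quick way to check a Windows host against the KB numbers listed above. This is an added example, not code from the original newsletter or from McAfee; it assumes Windows PowerShell 3.0 or later and local administrator rights (remote hosts need WMI/DCOM access), and the function name is my own.

```powershell
# Added example (not from the original newsletter): audit a host for the
# October 2014 Patch Tuesday KBs. Assumes Windows PowerShell 3.0+ and admin rights.
function Test-October2014Patches {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # Bulletin -> bulletin KB, copied from the table in this newsletter.
    $bulletins = [ordered]@{
        'MS14-056' = 'KB2987107'   # Internet Explorer cumulative update
        'MS14-057' = 'KB3000414'   # .NET Framework
        'MS14-058' = 'KB3000061'   # Windows kernel-mode drivers
        'MS14-059' = 'KB2990942'   # ASP.NET MVC
        'MS14-060' = 'KB3000869'   # Windows OLE
        'MS14-061' = 'KB3000434'   # Word / Office Web Apps
        'MS14-062' = 'KB2993254'   # Message Queuing (Windows Server 2003 only)
        'MS14-063' = 'KB2998579'   # FASTFAT driver
    }

    foreach ($computer in $ComputerName) {
        # Get-HotFix reads Win32_QuickFixEngineering, which only lists updates applied
        # through the Windows servicing stack. The .NET, Office and MVC updates ship as
        # per-version packages with their own component KB numbers, so a bulletin can be
        # fully installed and still not show up under the bulletin KB. Treat a "False"
        # below as "verify with WSUS/SCCM or the vendor package list", not as proof.
        try {
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($entry in $bulletins.GetEnumerator()) {
            [PSCustomObject]@{
                ComputerName = $computer
                Bulletin     = $entry.Key
                KB           = $entry.Value
                Installed    = ($installed -contains $entry.Value)
            }
        }
    }
}

# Usage: list the bulletins that are not visible as installed on the local host
Test-October2014Patches | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

The same function accepts a list of computer names (`Test-October2014Patches -ComputerName srv01, srv02`), which is the practical way to sweep a small estate without a patch management server.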

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS14-056 (CVE-2014-4123, CVE-2014-4124, CVE-2014-4126 through CVE-2014-4130, CVE-2014-4132 through CVE-2014-4134, CVE-2014-4137, CVE-2014-4138, CVE-2014-4140, and CVE-2014-4141)

 

We’ve grown accustomed to a cumulative security update for Internet Explorer arriving with each Patch Tuesday. This one resolves fourteen (14) vulnerabilities affecting Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because so many versions of Internet Explorer are affected, this update touches a very large installed base. Let’s take a closer look at the vulnerabilities covered by this patch:

 

  • As last month, an attacker has to convince a user running an affected version of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be hosted on a compromised website or on a forum or blog that lets users post their own content; users might reach it by clicking a link on a search results page or in an email message, or by opening a malicious attachment. Good email hygiene with anti-spam and anti-phishing controls (such as McAfee Email Protection) in place helps keep users from straying to such a site. Since we expect some of the known-bad sites on the Internet to host this type of attack, good web browsing habits and tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection also help.
  • The vulnerabilities in this update are classified as Elevation of Privilege, Memory Corruption, and Security Feature Bypass.
  • If one of the Elevation of Privilege vulnerabilities is exploited, the attacker gains the same rights as the current user. This is yet another instance that strengthens the argument for running as a standard user instead of with full administrative rights.
  • All fourteen (14) vulnerabilities patched by this security update were privately reported to Microsoft.

 

As the number of CVEs shows, many individual threats are wrapped into this one bulletin. The McAfee Labs Security Advisories break down the individual threats, which McAfee products are Covered Products, and which McAfee products are Under Analysis.

 

MS14-057 (CVE-2014-4073, CVE-2014-4121, and CVE-2014-4122)

 

This Critical update addresses three (3) vulnerabilities in multiple versions of the Microsoft .NET Framework. Since a machine can have several versions of the .NET Framework installed side by side, there are multiple packages, one per installed version, that may need to be applied to address these vulnerabilities. The update covers three security impacts: Remote Code Execution, Elevation of Privilege, and Security Feature Bypass. Here’s a quick rundown of the vulnerabilities included in this update:

 

  • .NET Framework Remote Code Execution Vulnerability (CVE-2014-4121) – The most serious of the three. An attacker who exploits it could take complete control of the affected system, including installing programs and making system-wide changes.
  • .NET ClickOnce Elevation of Privilege Vulnerability (CVE-2014-4073) – Caused by the .NET Framework’s ClickOnce feature processing data before it has been verified. A successful exploit could result in the ClickOnce installer process running with elevated privileges.
  • .NET ASLR Vulnerability (CVE-2014-4122) – A Security Feature Bypass that exists because an affected .NET component does not use Address Space Layout Randomization (ASLR), which makes its load address predictable. On its own this gives an attacker nothing; it has to be combined with an exploit for another vulnerability, and the attacker still has to convince a user to visit a site containing specially crafted content. Again, good web browsing habits, good email hygiene, and proper security tools help mitigate this risk.

 

The .NET Framework Remote Code Execution and .NET ClickOnce Elevation of Privilege vulnerabilities put Windows servers running any affected version of the .NET Framework at risk, so Windows Server administrators should update those machines promptly. The .NET ASLR Vulnerability is primarily a web-browsing scenario and mostly affects workstations.
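An ASLR bypass of this kind is only a problem while a module that does not opt into randomization is loaded, so the check a practitioner wants is "which images on this box are built without DYNAMIC_BASE?" The following is an added example, not code from the newsletter or from Microsoft: it reads the PE optional header directly, so it works on managed and native images alike and needs no external tools. The function name and the sample paths in the usage lines are assumptions.

```powershell
# Added example (not from the original newsletter): report the ASLR/DEP opt-in flags of a
# PE image by parsing its headers. Works in Windows PowerShell 3.0+ and PowerShell 7.
function Get-PeMitigationFlags {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path : no MZ header, not a PE image"
    }

    # e_lfanew at offset 0x3C points at the 'PE\0\0' signature (0x00004550 little-endian).
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -le 0 -or ($peOffset + 96) -gt $bytes.Length) {
        throw "$Path : e_lfanew out of range"
    }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path : bad PE signature"
    }

    $coffHeader      = $peOffset + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    $characteristics = [BitConverter]::ToUInt16($bytes, $coffHeader + 18)
    $optionalHeader  = $coffHeader + 20                                # IMAGE_OPTIONAL_HEADER32/64
    $magic           = [BitConverter]::ToUInt16($bytes, $optionalHeader)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    $dllChars        = [BitConverter]::ToUInt16($bytes, $optionalHeader + 70)

    $format = switch ($magic) { 0x10B { 'PE32' } 0x20B { 'PE32+' } default { 'unknown' } }

    $dynamicBase    = ($dllChars -band 0x0040) -ne 0        # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    $relocsStripped = ($characteristics -band 0x0001) -ne 0 # IMAGE_FILE_RELOCS_STRIPPED

    [PSCustomObject]@{
        Path           = $Path
        Format         = $format
        DynamicBase    = $dynamicBase
        HighEntropyVA  = ($dllChars -band 0x0020) -ne 0     # 64-bit high-entropy ASLR
        NxCompat       = ($dllChars -band 0x0100) -ne 0     # DEP opt-in
        RelocsStripped = $relocsStripped
        # The loader can only move an image that asks to be moved AND still has relocations.
        AslrEffective  = ($dynamicBase -and -not $relocsStripped)
    }
}

# Usage (paths are assumptions): one runtime DLL, then every DLL in System32 that cannot be
# randomized. Any hit is a candidate for the kind of bypass CVE-2014-4122 describes.
Get-PeMitigationFlags "$env:windir\Microsoft.NET\Framework\v4.0.30319\clr.dll"
Get-ChildItem "$env:windir\System32\*.dll" |
    ForEach-Object { Get-PeMitigationFlags $_.FullName } |
    Where-Object { -not $_.AslrEffective } |
    Format-Table Path, Format, DynamicBase, RelocsStripped -AutoSize
```

The `RelocsStripped` column matters as much as `DynamicBase`: an image can carry the randomization flag and still load at its preferred base if the linker discarded its relocation table, which is exactly the predictable-address condition an attacker chains with a memory corruption bug.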

 

MS14-058 (CVE-2014-4113 and CVE-2014-4148)

 

This security update addresses two (2) separate vulnerabilities in Windows kernel-mode drivers. For the TrueType font vulnerability, an attacker would need to convince a user to open a specially crafted document or visit a compromised or untrusted website; the win32k.sys elevation of privilege, by contrast, is a local bug that requires the attacker to already be able to run code on the machine, for example after logging on or after a successful exploit of some other flaw. The lure-the-user theme runs through most of this month’s bulletins, so we’ll reinforce the need for good web browsing habits, good email hygiene, and use of proper security tools.

 

  • Win32k.sys Elevation of Privilege Vulnerability (CVE-2014-4113) – Caused by the kernel-mode driver improperly handling objects in memory. An attacker who can already run code as a standard user could use it to run arbitrary code in kernel mode. Workstations are the primary systems at risk.
  • TrueType Font Parsing Remote Code Execution Vulnerability (CVE-2014-4148) – Caused by a kernel-mode driver improperly handling TrueType fonts. If exploited, an attacker could run code in kernel mode. This is a serious one: code running in kernel mode can install a rootkit, which can then open the machine to a host of other infections as the rootkit calls out to a command-and-control server and awaits further instructions. Again, workstations are the primary systems at risk.

 

Both of these vulnerabilities were privately reported to Microsoft, and limited, targeted attacks that attempt to exploit them have been seen in the wild, so this update should not wait for the next maintenance window.

 

MS14-059 (CVE-2014-4075)

 

Here we have a vulnerability in ASP.NET MVC (Model-View-Controller). If you’re interested in what MVC does, here’s an article that discusses it. Like several of the other vulnerabilities, this one requires an attacker to lure a user into clicking a specially crafted link or visiting a compromised website hosting content that exploits the vulnerability. Specifically, it is a cross-site scripting (XSS) vulnerability that could allow an attacker to inject client-side script into the user’s web browser. Since the flaw is in ASP.NET MVC, it is the Windows servers running ASP.NET MVC applications that need this patch, even though the injected script ends up running in the visitor’s browser. This vulnerability was publicly disclosed, but Microsoft had no indication, prior to the bulletin’s release, that customers had been attacked.

 

MS14-060 (CVE-2014-4114)

 

This is a Remote Code Execution vulnerability in Windows OLE (Object Linking and Embedding). It is unusual in that the flaw lives in Windows OLE, but the delivery vehicle is a specially crafted file that contains an OLE object. Microsoft Office is the first thing that comes to mind when we think of embedded OLE objects in documents, but many products from other vendors have the same capability. Limited attacks have been seen using Microsoft PowerPoint files, and they get past the User Account Control (UAC) prompts. Given its nature, this one will primarily affect workstations that are used to open documents.
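Because the delivery vehicle is a document carrying an OLE object, the triage step a responder wants is to inventory the OLE objects in a suspect Office file without opening it in Office. The following is an added example, not code from the newsletter or from Microsoft: it treats the Office Open XML file (.docx/.pptx/.xlsx) as the zip container it is and reads only the relationship parts, which is where every embedded or linked OLE object is declared. The function name and quarantine path are assumptions.

```powershell
# Added example (not from the original newsletter): list OLE objects declared inside an
# Office Open XML document by reading its *.rels parts. Never launches Office.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OoxmlOleObjects {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Relationship type that Word/PowerPoint/Excel use for OLE objects.
    $oleRelType = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject'

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Every part that embeds or links an OLE object records it in a .rels part
            # (for example ppt/slides/_rels/slide1.xml.rels).
            if ($entry.FullName -notlike '*.rels') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in @($rels.Relationships.Relationship)) {
                if ($null -eq $rel -or $rel.Type -ne $oleRelType) { continue }
                [PSCustomObject]@{
                    File     = $Path
                    RelsPart = $entry.FullName
                    Target   = $rel.Target
                    # TargetMode="External" means the object is not stored in the document
                    # but resolved from a path or URL when the document is opened, which is
                    # worth a second look during triage.
                    External = ($rel.TargetMode -eq 'External')
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage (path is an assumption): sweep a quarantine folder and show every OLE reference
Get-ChildItem 'C:\quarantine\*' -Include *.pptx, *.docx, *.xlsx |
    ForEach-Object { Get-OoxmlOleObjects $_.FullName } |
    Format-Table File, RelsPart, Target, External -AutoSize
```

Legacy binary formats (.ppt, .doc, .xls) are OLE compound files rather than zip containers, so this function does not apply to them; for those you need a compound-file parser. The script tells you that a document carries OLE objects and where they point, not whether they are malicious, so treat hits as a prompt to detonate the file in a sandbox rather than as a verdict.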

 

MS14-061 (CVE-2014-4117)

 

This security update is for a vulnerability in Microsoft Word, Office Web Apps Server, and Word Automation Services. Only particular versions of these products are affected; the 2013 versions are NOT vulnerable, while users still on Word 2007 and Word 2010 need this update. It is a remote code execution vulnerability that occurs when Microsoft Word does not properly handle objects in memory: memory can become corrupted in a way that lets an attacker execute arbitrary code. If you’re still on Word 2007 or 2010, or run SharePoint 2010 with Word Automation Services enabled, investigate this vulnerability and get it patched.

 

MS14-062 (CVE-2014-4971)

 

This is an Elevation of Privilege vulnerability in the Microsoft Message Queuing (MSMQ) service on Windows Server 2003 SP2. The affected versions are very specific, and a system is exposed only if the MSMQ service has been added. Given that Windows Server 2003 is getting a bit long in the tooth and reaches the end of extended support in July 2015, we expect this vulnerability to have limited impact.

 

MS14-063 (CVE-2014-4115)

 

Lastly, this security update is for an Elevation of Privilege bug in the Windows FASTFAT system driver, which handles FAT32 disk partitions. It applies to Windows Server 2003, Windows Vista, and Windows Server 2008. The flaw is a function call in the FASTFAT driver that under-allocates a buffer; because the buffer is smaller than the data written into it, an attacker could overwrite memory that is normally reserved for the Windows operating system. It was privately reported to Microsoft.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Bonus Vulnerability Coverage: I’m always eager to give readers a little bit extra, so here’s a bonus vulnerability. Although not technically listed as a Microsoft Security Bulletin, Microsoft also released Microsoft Security Advisory 2755801 with an update to address vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. This update addresses CVE-2014-0558, CVE-2014-0564, and CVE-2014-0569. Details are also available in Adobe Security bulletin APSB14-22.  The McAfee Labs Security Advisory for this vulnerability is MTIS14-159.

 

Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.


 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisory MTIS14-158 can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:


 

You can also review the Microsoft Summary for October 2014 at the Microsoft site.

 

Until next month…stay safe!

-Greg