For April’s edition of Patch Tuesday, we are presenting the final patches for the beloved Windows XP. Those of you still running Windows XP systems in your environment are strongly encouraged to speak with your McAfee sales team about Application Control, which can provide protection for EOL systems against an unpatched vulnerability. In addition to XP, Microsoft has also ended support for Exchange 2003 and Office 2003. Turning to today’s updates, Microsoft has officially released 4 patches addressing 11 individual vulnerabilities.
Of the four releases, Microsoft identifies two as “critical.” The remaining patches are labeled “important” by Microsoft. This month’s patches are as follows:
- MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
- MS14-018 Cumulative Security Update for Internet Explorer (2950467)
- MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
- MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)
Looking over the patches, I would like to highlight the following two critical updates:
(CVE-2014-1757, CVE-2014-1758, CVE-2014-1761)
The first update I would like to highlight is one of the critical patches, affecting multiple versions of Microsoft Word in the Office suite. This update resolves three CVEs found in all supported versions of Microsoft Office, including Office 2003-2013, Office 2013 RT, and Office 2011 for Mac. Of the three CVEs, one has been publicly disclosed and exploited in the wild. This vulnerability lies in the RTF (Rich Text Format) parser. With a properly crafted RTF document, an adversary may execute remote code that allows them to install programs; copy, delete, and move data; or create new accounts for future access. This is undoubtedly an important update, and immediate patching should be priority number one on all systems running any version of Office, including Macs and Windows tablets.
(CVE-2014-0235, CVE-2014-1751, CVE-2014-1752, CVE-2014-1753, CVE-2014-1755, CVE-2014-1760)
The second critical patch addresses vulnerabilities in multiple versions of Internet Explorer. This update resolves six CVEs in Internet Explorer versions 6-11. All six are memory corruption vulnerabilities in IE. With a properly crafted website or phishing email, an adversary may obtain complete remote access with the same privileges as the currently logged-on user. Immediate patching should be priority number one on all systems running IE 6-11.
Aggregate coverage (combining host- and network-based countermeasures) is 10 out of 11. McAfee Vulnerability Manager has the ability to scan for and detect all 11 vulnerabilities. Specifically, the two most critical bulletins (MS14-017 and MS14-018) are covered by the following McAfee endpoint security software and McAfee Enterprise Firewall:
- BOP (Buffer Overflow Protection w/ VSE)
- App Control
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or in listening to AudioParasitics, the official McAfee Labs podcast.
You can also review a Microsoft Summary for April at the Microsoft site.