Patch Tuesday, June 2014 delivers seven advisories, of them, two critical, five important – one of which is the seldom seen “tampering” type.
The remarkable item in this month’s advisories is MS14-035, the Internet Explorer patch affecting all supported versions. That in itself is not unique, we see one of these almost every month, but this time the patch addresses 59 CVEs, that is 59 distinct vulnerabilities in one patch! Microsoft asserts that while two of the vulnerabilities (CVE-2014-1770 & CVE-2014-1771) have been publically disclosed, none are known to be under active exploitation.
That said, CVE-2014-1770 was disclosed through the Zero-Day Initiative (ZDI) and exploit code is known to exist and will likely become public in the near future. This is the top patching priority.
MS14-036 affects a large number of systems and components including all supported Windows versions, Office versions, plus Lync Server and the older Live Meeting, however, according to Microsoft this isn’t the top patching priority, not even behind MS14-035. Microsoft has suggested that the likelihood of exploitation here is very low and that the attack vector is theoretical, but maybe not practical.
Instead, Microsoft has identified MS14-034 as the other top patching priority. This vulnerability is an information disclosure in MS Word, it’s an “open-and-own” scenario where a user who opens a malicious file, such as an emailed document, would be immediately exploited.
The other 4 vulnerabilities are of relatively low concern, but not to be ignored:
MS14-030 is a MITM scenario on RDP sessions which would allow an attacker to intercept and modify an RDP session if they were present in the communications flow at the start of the session.
MS14-031 is a Denial of Service which could be triggered by a specially crafted sequence of TCP packets.
MS14-033 is another information disclosure which would cause the leakage of path information (potentially including usernames) from the forced loading of malicious XML, this could be used to further entice users to give up their password or other information.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.