Microsoft has released the patches and it is a relatively light month. Six issues in total: 2 Critical, 3 Important, 1 Moderate. OS administration teams will be busy; application administrators get the month off.
One of the critical issues is the MS14-037 IE fix. After the 59 patched in MS14-035 we have a mere 24 this round, which is still double or triple what I expected based on recent trends. This patch is a cumulative roll-up, meaning it encompasses previous IE patches and supersedes them. Of the 24 CVEs, 23 are privately disclosed or internally discovered Remote Code Execution (RCE) issues.
The 24th (CVE-2014-2783) is a publicly disclosed security feature bypass: IE does not properly validate a certificate chain when wildcard values appear in the certificate, which could let an attacker defeat certificate validation with a specially crafted certificate.
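The post does not say which wildcard rule IE got wrong, so the following is a general illustration, added here and not taken from the original post or from Microsoft's code, of the checks a strict validator applies before letting a wildcard DNS name in a certificate match a requested host (the usual RFC 6125 rules). The function name and parameter names are my own.

```powershell
# Added example, not from the original post. Strict wildcard hostname matching:
# returns $true only if $CertName (a DNS name from the certificate) legitimately
# covers $HostName under the conservative rules a validator should enforce.
function Test-CertNameMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $CertName,   # e.g. '*.example.com' from the cert's SAN
        [Parameter(Mandatory = $true)] [string] $HostName    # the host the client actually connected to
    )

    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    $name = $CertName.Trim().ToLowerInvariant().TrimEnd('.')
    $hn   = $HostName.Trim().ToLowerInvariant().TrimEnd('.')
    if ([string]::IsNullOrEmpty($name) -or [string]::IsNullOrEmpty($hn)) { return $false }

    # No wildcard at all: require an exact match.
    if ($name.IndexOf('*') -lt 0) { return ($name -eq $hn) }

    $certLabels = $name.Split('.')
    $hostLabels = $hn.Split('.')

    # Rule 1: exactly one '*', and it must be the entire leftmost label
    # ('w*.example.com' and 'www.*.com' are rejected).
    if (([regex]::Matches($name, '\*')).Count -ne 1) { return $false }
    if ($certLabels[0] -ne '*') { return $false }

    # Rule 2: at least two fixed labels must follow the wildcard;
    # '*.com' or a bare '*' would match far too much.
    if ($certLabels.Count -lt 3) { return $false }

    # Rule 3: '*' stands in for exactly one non-empty label, so '*.example.com'
    # covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    if ($hostLabels.Count -ne $certLabels.Count) { return $false }
    if ([string]::IsNullOrEmpty($hostLabels[0])) { return $false }

    # Every remaining label must match literally.
    for ($i = 1; $i -lt $certLabels.Count; $i++) {
        if ($certLabels[$i] -ne $hostLabels[$i]) { return $false }
    }
    return $true
}

# Sample calls (constructed inputs) exercising each rule above.
Test-CertNameMatch -CertName '*.example.com'  -HostName 'www.example.com'
Test-CertNameMatch -CertName '*.example.com'  -HostName 'a.b.example.com'
Test-CertNameMatch -CertName '*.com'          -HostName 'example.com'
Test-CertNameMatch -CertName 'w*.example.com' -HostName 'www.example.com'
```

Only the first sample call satisfies all three rules; the others are the shapes a lax validator tends to accept and a strict one must refuse. Whatever the exact flaw in IE was, the point of the patch is the same: a wildcard must never be allowed to widen what a certificate vouches for beyond a single leftmost label.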
The other critical (MS14-038) affects Windows OSes from Vista to the latest release, excluding Server Core builds. The vulnerable component is Windows Journal, which is not installed by default on any Server OS but is pulled in when the Desktop Experience or Ink and Handwriting Services features are installed. These two, MS14-037 & MS14-038, are the top patching priorities.
MS14-039, MS14-040, & MS14-041 fix the issues disclosed at this year’s pwn2own contest via the Zero Day Initiative’s responsible disclosure process. They are all local elevation of privilege issues, by which an unprivileged user or process may gain greater access. They were demonstrated in chained attacks to achieve full compromise at the contest, so, given the nature of their disclosure, working exploit code is known to exist. Now that ZDI’s disclosure embargo has expired, that exploit code may become publicly available.
The odd one out this month is MS14-042, the “Moderate” Denial of Service in “Microsoft Service Bus for Windows Server”. This affects the AMQP implementation, which is part of the Microsoft Web Platform package and is not installed by default with any OS version. The vulnerability would allow an authenticated user to cause a DoS. Technically this is a publicly known issue, since it was reported via an MSDN forum post. Any home user, and most enterprises, can safely ignore this one, but if you have this component installed you should patch.
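Both MS14-038 (Windows Journal) and MS14-042 (Service Bus for Windows Server) only matter on hosts that actually carry the optional component, so the first thing an administrator wants is a quick inventory. The script below is an added example, not from the original post or from Microsoft; it assumes, which the post does not state, that Windows Journal installs Journal.exe under "Program Files\Windows Journal", that the relevant Server features are named Desktop-Experience and InkAndHandwritingServices (or Ink-Handwriting on older releases, hence the wildcard patterns), and that Service Bus for Windows Server registers services and an Add/Remove Programs entry whose display names start with "Service Bus". The function name is my own.

```powershell
# Added example, not from the original post. Reports whether the optional
# components covered by MS14-038 and MS14-042 are present on this host.
function Get-PatchScopeReport {
    [CmdletBinding()]
    param()
    $report = [ordered]@{}

    # MS14-038: Windows Journal. Assumption: Journal.exe lives under Program Files\Windows Journal.
    $journalExe = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'
    $report['WindowsJournalPresent'] = Test-Path -Path $journalExe

    # On Server SKUs, name the feature(s) that pulled Journal in. Feature names are an
    # assumption; the -like patterns cover Desktop-Experience and the Ink/Handwriting feature.
    Import-Module ServerManager -ErrorAction SilentlyContinue
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $features = Get-WindowsFeature | Where-Object {
            $_.Installed -and ($_.Name -like 'Desktop-Experience*' -or $_.Name -like '*Ink*Handwriting*')
        }
        $report['JournalRelatedFeatures'] = @($features | Select-Object -ExpandProperty Name)
    }
    else {
        $report['JournalRelatedFeatures'] = @()   # client SKU, or ServerManager not available
    }

    # MS14-042: Service Bus for Windows Server (AMQP). Assumption: its services and its
    # Uninstall entry carry display names beginning with "Service Bus".
    $sbServices = @(Get-Service -DisplayName 'Service Bus*' -ErrorAction SilentlyContinue)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $sbProducts = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -like 'Service Bus*' })
    $report['ServiceBusPresent']  = (($sbServices.Count -gt 0) -or ($sbProducts.Count -gt 0))
    $report['ServiceBusServices'] = @($sbServices | Select-Object -ExpandProperty Name)
    $report['ServiceBusProducts'] = @($sbProducts | Select-Object -ExpandProperty DisplayName)

    [pscustomobject]$report
}

Get-PatchScopeReport | Format-List
```

A host that reports neither component present still needs MS14-037 on every IE install and the three elevation-of-privilege fixes on every OS; this check only tells you whether MS14-038 and MS14-042 are in scope.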
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.