It’s wise to ask what if [insert scary insecurity scenario] happened. But forget about “what if” hypothetical mentality and worst-case cybersecurity scenarios for a minute, Microsoft’s Dustin Childs advised before launching into the reality of the here and now for the critical MS14-035 Internet Explorer patch; it resolves 59 items, including CVE-2014-1770, which was publicly disclosed by HP TippingPoint’s Zero Day Initiative (ZDI) after Microsoft failed to fix the flaw for over 180 days.
If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it? Similarly, does a vulnerability make a sound if it never gets exploited? When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack. In other words, it doesn’t matter if that falling tree makes a noise; we still have an action to take. Why? Because one day in the future, it’s possible what we’re delivering today could get exploited if not addressed. However, we’re not in the future; we’re in the land of the here and now. And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people. Until something actually occurs it is still theory; we’re taking the theoretical and making practical updates against future “what ifs.”
Just the same, Wolfgang Kandek, CTO of Qualys, said, “This one is top of the list for you to fix, since all the information has been out there for over two weeks.”
Microsoft released one other patch rated critical, MS14-036, to fix more remote code execution (RCE) vulnerabilities, but in Microsoft Graphics Component this time.
“This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync.” The summary states, “The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
In total, the seven patches released in June address 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers. Both critical rated patches require a restart.
Here are the five other security updates rated as important:
MS14-034 is to fix a privately reported RCE flaw in Microsoft Office. “The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.”
MS14-030 patches a privately reported vulnerability in Windows remote desktop that could allow tampering. “The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.”
MS14-031 is the only denial-of-service vulnerability patched in June. The vulnerability in Windows was privately reported and “could allow denial of service if an attacker sends a sequence of specially crafted packets to the target system.”
MS14-033 resolves a privately reported vulnerability in Microsoft Windows that “could allow information disclosure if a logged on user visits a specially crafted website that is designed to invoke Microsoft XML Core Services (MSXML) through Internet Explorer. To exploit, an attacker would have to trick a user into visiting his/her website such as via email, IM or a link posted on a social networking site.”
MS14-032 fixes another information disclosure flaw, but in Microsoft Lync Server this time. “The vulnerability could allow information disclosure if a user tries to join a Lync meeting by clicking a specially crafted meeting URL.” The hole was privately reported and the security patch is “rated important for all supported editions of Microsoft Lync Server 2010 and Microsoft Lync Server 2013.”
Don’t expect any updates for Windows XP, but Windows Embedded POSReady 2009 will have patches, as will any devices with the registry hack that tricks Windows Update into delivering security updates. As noted previously, the embedded OS is based on Windows XP Service Pack 3 and will receive patches until April 2019. Seriously, though, if you are still clinging to XP then I’m seriously worried about you. Ditch it now.
As a reminder, Windows 8.1 devices will not receive security updates unless users previously installed the Windows 8.1. Update that Microsoft initially released in April. If you didn’t install that update and therefore won’t be getting more patches, feel free to play disastrous “what if” cybersecurity scenarios as one may be coming to a device near you soon.