Microsoft released six security bulletins to patch 29 CVEs on Windows and Internet Explorer; two are rated critical, three are rated important and one is rated as moderate. Microsoft’s Dustin Childs recommends first deploying security fixes for Windows Journal (MS14-038) and Internet Explorer (MS14-037).
Both of the patches rated as critical are to close Remote Code Execution (RCE) holes, but neither can be exploited without a user helping attackers out by visiting a maliciously crafted website. “None” is the number of active attacks Microsoft said it is currently seeing for these two.
MS14-037 resolves one publicly disclosed vulnerability and 23 privately reported vulnerabilities in Internet Explorer; it’s rated critical for IE 6 – IE 11 on Windows clients and rated moderate for IE 6 – IE 11 on Windows servers. Microsoft again urged consumers to use IE 11, adding that “Internet Explorer 11 is much more secure than our older versions, which is why we encourage customers to upgrade.”
MS14-038 deals with a vulnerability in Windows Journal; the patch closes a privately reported hole in all supported versions of Microsoft Windows, from Vista to Windows 8.1.
"The critical vulnerability described in MS14-038 is a great example of how unused software can be abused by attackers," stated Craig Young, a security researcher at Tripwire. "In this case Windows Journal, which is installed by default but isn’t commonly used, can lead to arbitrary code execution." He added via email, “Even if Journal is not used in your organization, it is crucial that all systems with Windows Journal are patched immediately as this file-format vulnerability can be exploited with just a simple file preview.”
However Microsoft added, “It’s worth noting that Windows Server versions do not have Windows Journal installed by default. That’s by design. You are always at less risk when you have fewer applications installed, so server systems ship with many optional components disabled. If you haven’t reviewed the applications installed on your server recently, now is a good time to do so. Reducing the attack surface will have a positive impact on the overall security of the server.”
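As an added example (not code from the article or from Microsoft), the following PowerShell inventory is one way to start the server attack-surface review suggested above: it lists installed roles, features and optional components, and checks whether the Windows Journal binary is present. It assumes Windows Server 2012 R2 with the ServerManager and DISM modules, and that Journal.exe lives in its default location under Program Files (an assumption).

```powershell
# Added example, not from the article: inventory what is installed on a server
# and flag Windows Journal, the component patched by MS14-038.
# Assumptions: Windows Server 2012 R2 with the ServerManager and DISM modules;
# the Journal.exe path below is the default install location.

Import-Module ServerManager

# Installed roles and features (Get-WindowsFeature returns all; filter on Installed)
$installed = Get-WindowsFeature | Where-Object { $_.Installed }
Write-Output "Installed roles/features: $($installed.Count)"
$installed | Select-Object Name, DisplayName | Format-Table -AutoSize

# Optional components enabled via DISM / Features on Demand
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.State -eq 'Enabled' } |
    Select-Object FeatureName | Sort-Object FeatureName

# Windows Journal is not a server role, so check for its binary directly.
# On a default server install it should be absent, as the bulletin notes.
$journal = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'
if (Test-Path $journal) {
    Write-Warning "Windows Journal found at $journal - confirm MS14-038 is applied or remove the component."
} else {
    Write-Output 'Windows Journal not present (expected for a default server install).'
}
```

Review the feature list against what the server actually needs and remove anything unused; the Journal check is only one line item in that exercise.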
The three patches rated important all deal with potential elevation of privilege (EoP) vulnerabilities.
MS14-039 resolves a privately reported bug in Microsoft's on-screen keyboard; all supported releases of Windows, except Windows Server 2003, are affected.
MS14-040 fixes one privately reported vulnerability in the Ancillary Function Driver (AFD) that affects all supported versions of Windows.
MS14-041 fixes one privately reported flaw in DirectShow; “The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.”
MS14-042 is the “odd one,” fixing a moderate denial of service vulnerability in Microsoft Service Bus for Windows Server. “The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system. Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system.” Ross Barrett, senior manager of security engineering at Rapid7, suggested, “If you have this component you will probably care to patch this before script kids start knocking over your site.”
Microsoft revised 3 security advisories
This new package changes the default behavior for Restricted Admin mode on Windows 8.1 and Windows Server 2012 R2. This advisory deals with different strategies for combating credential theft, which is a hot topic today. Patrick Jungles (lead author) and team have a new whitepaper discussing ways to defend against pass-the-hash style attacks, and there is a new web resource that covers various techniques and tactics to help prevent different types of credential theft attacks. Implementing these tactics before they are needed is another way to positively impact the overall security posture in an enterprise.
The Update for Disabling RC4 in .NET TLS was “revised to announce a Microsoft Update Catalog detection change for the updates requiring installation of the 2868725 prerequisite update. If you have already successfully installed this update, then you don’t need to take any further action.”
Security Advisory 2755801 now has the latest update for Adobe Flash Player in Internet Explorer.
As a reminder, if you have not updated Windows 8.1 or Server 2012 R2 with Microsoft’s all-important Update patch, you have until August 12 to do so. Otherwise, you will not be able to receive future Microsoft security patches.
Nearly 300 free Microsoft ebooks
Lastly, Microsoft released a plethora of free ebooks, which cover Windows 8.1, Windows 8, Windows 7, Office 2013, Office 365, Office 2010, SharePoint 2013, Dynamics CRM, PowerShell, Exchange Server, Lync 2013, System Center, Azure, Cloud, SQL Server, and more. There are 130 Microsoft-flavored ebooks in that release, plus others previously released pushing the total offerings to nearly 300.
Happy patching and reading!