For September, Microsoft released four security bulletins to fix 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework. Only one is rated as Critical, and it resolves 37 vulnerabilities including a remote code execution flaw, so let’s start by bolting down that zero-day door in Internet Explorer.
Critical fix for Internet Explorer
MS14-052 should be at the top of your deployment list. According to Amol Sarwate, Director of Vulnerability Labs at Qualys, “The bulletin fixes a zero-day vulnerability CVE-2013-7331 in IE which allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes. This can be used by malware to check if anti-malware products or EMET is installed on the target system so that it can possibly change its attack strategy.”
“This IE bulletin marks the eighth Patch Tuesday in a row that includes patches for Internet Explorer,” remarked Trustwave SpiderLabs. “It’s likely that several of these CVEs have already been exploited in the wild or will be weaponized soon. To protect yourself from these threats, you will want to apply this update as soon as possible.”
Microsoft patches rated as Important
Microsoft recommends deploying MS14-054 next as it fixes a privately reported local elevation of privilege problem in Windows with an exploitability index of one. “This security update is rated Important for all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.”
Microsoft also gave MS14-053 a deployment priority of “two,” but Sarwate said of the denial of service vulnerability patch, “In our opinion, it should be treated as Critical if you have ASP.NET framework installed with your IIS webserver. If left unpatched, remote unauthenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion which will ultimately lead to a denial-of-service condition on the ASP.NET webserver.”
MS14-055 resolves three privately reported vulnerabilities in Microsoft Lync Server, which an attacker could exploit for denial of service. “It fixes an issue in Lync server which provides infrastructure for instant messaging, VoIP, audio, video and web conferencing,” Sarwate said. “If left unpatched, remote unauthenticated attackers can send a malicious SIP request which will cause a denial-of-service condition on the Lync server.”
Microsoft Trustworthy Computing Group Manager Dustin Childs added:
In addition to this month’s security bulletins, we have revised three Security Advisories. Security Advisory 2871997 – Update to Improve Credentials Protection and Management was revised to announce an update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Server 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. Security Advisory 2905247 – Insecure ASP.Net Site Configuration Could Allow Remote Code Execution was revised to offer the update via Microsoft Update, in addition to the Download-Center-only option, which was provided when this advisory was originally released. If you have already installed this update, you do not need to take any action. Finally, we also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.
While you’re at it, you might as well grab the Adobe security updates and close the door on those vulnerabilities.