Microsoft uncharacteristically included two late additions to its February 2014 Patch Tuesday release today, one to fix a number of Internet Explorer (IE) flaws and the other to address a critical vulnerability
The Redmond, Wash.-based software giant gave notice Monday, just a day before the Patch Tuesday release, that the two late updates were coming. In total, the company issued seven bulletins that addressed 31 vulnerabilities as part of its monthly security update process.
The most pressing update to apply this month is MS14-010, which cumulatively patches 24 vulnerabilities across all versions of IE, only one of which had been publicly disclosed. The most severe of the IE vulnerabilities, if successfully exploited through the use of malicious webpages, would allow an attacker to remotely execute code and gain the same administrative rights as the user. Microsoft noted that limiting the account privileges of users would limit the effectiveness of such an exploit.
Wolfgang Kandek, chief technology officer for Redwood City, Calif.-based vulnerability management vendor Qualys Inc., said that he could not recall any other instance in which Microsoft included updates so late in the Patch Tuesday process. Considering the long list of vulnerabilities that have been discovered in Internet Explorer, Kandek said he would have been more surprised had the company not included a fix for IE this month, especially after not releasing any IE fixes last month.
Kandek said the nature of the IE flaws means it's a given that attackers will immediately look to take advantage of users and enterprises that don't apply this month's patches.
"The exploitability rating is typically a 1 for this type of vulnerability," Kandek said, "meaning an attacker can take the new code that Microsoft comes out with, compare it to the old code and figure out relatively quickly what the fixed portions are and where you can attack the older versions."
The other late arrival for this Patch Tuesday, MS14-011, addresses a critical vulnerability in the VBScript scripting language. The vulnerability can be found in all versions of Windows from XP onward and, much like the aforementioned IE flaws, can be remotely triggered by malicious code planted in a webpage.
Microsoft urged enterprises to apply both patches immediately, but Tyler Reguly, manager of security research at Portland, Ore.-based Tripwire Inc., advised organizations to show caution when rolling out Microsoft's two late-breaking updates.
"To go from five to seven bulletins says to me that initial testing was completed last-minute, so they decided to slip the patch in for testing, found an issue, and an engineer shipped a fix last minute," Reguly said. "Either way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise-wide."
Beyond the late inclusions, the February 2014 Patch Tuesday release featured two more critical updates.
MS14-007 addresses yet another remotely exploitable vulnerability in IE, affecting Windows versions 7, 8 and RT as well as Windows Server 2012. The flaw lies in the Direct2D graphics application programming interface; Kandek said attackers can exploit it by luring users to a webpage hosting malicious code that uses a specific Scalable Vector Graphics (SVG) tag.
The final critical update, MS14-008, fixes a vulnerability in Microsoft Forefront, the company's line of business-oriented security software for Exchange servers. The file format flaw can be exploited by unauthenticated attackers via a malicious email, according to Microsoft, allowing them to run arbitrary code.
Three additional bulletins included in the release were all deemed important and affect a wide range of Windows versions, with MS14-009 also affecting the .NET Framework.
Today also marks Microsoft's cutoff point for the use of the MD5 hashing algorithm for signing digital certificates used for server authentication, code signing and time stamping.
Six months ago, Microsoft issued Security Advisory 2862973, which warned organizations still using the long-broken MD5 in their environments that the algorithm would be deprecated. Speaking with SearchSecurity, several experts applauded the company's decision, but also warned organizations about the risks of implementing the SHA-1 algorithm in MD5's stead, recommending they seek other alternatives.
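The MD5 cutoff above is about the algorithm a certificate was signed with, so an audit of an organization's own certificates means reading the signatureAlgorithm field of each one. The following is an added example, not Microsoft's enforcement logic or any code from this article: a dependency-free DER walk that reports MD5-signed certificates as blocked and, given the experts' caution, SHA-1-signed ones as weak. The certificates it runs on are constructed, minimal DER stand-ins, not real certificates.

```python
# Added example: flag X.509 certs whose signatureAlgorithm is MD5-based (the
# signatures the cutoff stops trusting) and warn on SHA-1. Pure-Python DER walk.
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate.signatureAlgorithm is the 2nd element of the outer SEQUENCE."""
    tag, body, _ = _read_tlv(cert_der, 0)
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    alg_tag, alg, _ = _read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_raw, _ = _read_tlv(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER-encoded Certificate")
    return _decode_oid(oid_raw)

def classify(cert_der):
    """'BLOCKED' for MD5 signatures, 'WEAK' for SHA-1, 'ok' for anything else."""
    oid = signature_algorithm_oid(cert_der)
    if oid in MD5_SIG_OIDS:
        return "BLOCKED: " + MD5_SIG_OIDS[oid]
    if oid in SHA1_SIG_OIDS:
        return "WEAK: " + SHA1_SIG_OIDS[oid]
    return "ok: " + oid

# Constructed sample input (not real certs): SEQUENCE { tbs stand-in, AlgId, BIT STRING }
_PKCS1_PREFIX = bytes.fromhex("2a864886f70d0101")          # 1.2.840.113549.1.1

def fake_cert(last_arc):
    tbs = bytes.fromhex("3003020101")                       # SEQUENCE { INTEGER 1 }
    alg = b"\x30\x0d\x06\x09" + _PKCS1_PREFIX + bytes([last_arc]) + b"\x05\x00"
    sig = b"\x03\x02\x00\xab"
    return b"\x30" + bytes([len(tbs) + len(alg) + len(sig)]) + tbs + alg + sig

MD5_CERT, SHA1_CERT, SHA256_CERT = fake_cert(4), fake_cert(5), fake_cert(11)
```

To audit real certificates, pass the DER bytes of each file (PEM decoded first) to `classify`; the parser only reads the outer structure, so it does not validate the certificate in any other way.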