Weeks after delivering an out-of-band patch for an Internet Explorer zero-day, Microsoft has issued another critical security update for all supported versions of its Web browser.
All told, the Redmond, Washington-based vendor's May 2014 Patch Tuesday release provided permanent fixes for 13 vulnerabilities spread across eight security bulletins -- two of which were deemed critical by Microsoft -- but the Internet Explorer (IE) security update is likely to demand the most attention from enterprise security teams.
According to Microsoft's guidance in security bulletin MS14-029, the IE fix addresses a total of two remotely exploitable vulnerabilities, CVE-2014-0310 and CVE-2014-1815. Microsoft noted that it is aware of limited attacks that exploit the latter flaw. Both vulnerabilities can be exploited via either a maliciously crafted or compromised website; if successful, an attacker would gain the same user rights as the current user.
For those enterprises that can't deploy the IE update, Microsoft said that disabling Active Scripting, the component-based scripting support in IE, or at least forcing IE to prompt before running it, should effectively mitigate any exploit attempts, though the software giant cautioned that many websites rely on Active Scripting for added functionality.
Adding an unusual wrinkle, this month's IE update is non-cumulative, meaning enterprises must apply MS14-018 before rolling out MS14-029.
The IE update notably includes the critical out-of-band patch -- MS14-021 -- that Microsoft released earlier this month. Originally addressed in Security Advisory 2962983, the patch addressed a zero-day "use-after-free" memory vulnerability first discovered by researchers from FireEye Inc. Milpitas, California-based FireEye discovered the flaw was being actively exploited, prompting Microsoft to take immediate action – including providing an unexpected fix for users of its no longer generally supported Windows XP operating system.
For those expecting critical patches to arrive on XP machines in the future though, Dustin Childs, group manager for Microsoft Trustworthy Computing, indicated that repeat measures are unlikely.
"For those wondering, Windows XP will not be receiving any security updates today," said Childs in a blog post. "For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move."
Wolfgang Kandek, chief technology officer for vulnerability management vendor Qualys Inc., said that Microsoft's decision to provide XP users with the out-of-band patch so close to XP's end-of-life date was "good for Internet security," but indicated that organizations need to move away from the fundamentally unsecure XP platform as soon as possible.
Kandek had also expected Microsoft to address the IE vulnerabilities that first surfaced at this year's Pwn2Own hacking competition, held nearly two months ago. Surprisingly, those flaws have yet to be patched, despite the other major browser vendors moving relatively quickly to plug the holes uncovered by VUPEN Security and other Pwn2Own participants.
Still, Kandek indicated that the IE update should be priority No. 1 for most organizations, especially for those persisting with XP machines.
"The Internet Explorer vulnerability applies to Windows Server 2003, a very close cousin to XP, so you can expect it will apply to XP as well," said Kandek, who has previously commented that attackers will reverse-engineer all future Patch Tuesday releases to find holes in XP. "If you need to use the Internet on an XP machine, I would use a browser that is still supported [like Google's Chrome or Mozilla's Firefox]. But it's really not a good idea to keep using an XP machine for normal office processes."
Beyond the IE update, Microsoft only issued one other critical security bulletin in May -- MS14-022 -- which addressed three privately reported vulnerabilities, two of them found across multiple versions of the vendor's SharePoint line of collaboration software. The most severe of the flaws can be exploited remotely by an attacker sending maliciously crafted content to a vulnerable server.
No workarounds are available for these vulnerabilities, and according to Craig Young, security researcher at Portland, Oregon-based Tripwire Inc., enterprises running SharePoint servers should look to implement the May 2014 Patch Tuesday update immediately.
"In the case of SharePoint servers configured to allow anonymous uploaders, this should be considered an unauthenticated, remote-code execution vulnerability. However, locked down SharePoint servers are not in the clear because they are still exposed to insider threats in which a valid authorized user attacks the server," said Young. "Depending on your SharePoint usage, MS14-022 may be as important, or more important than the IE updates."
The remaining six bulletins in the May Patch Tuesday release are all rated "Important" and address eight vulnerabilities across a variety of Microsoft products, including various versions of Windows, Office and the .NET framework.
Microsoft's Childs advised users to focus on applying security bulletin MS14-024 -- a fix for a privately reported vulnerability in the MSCOMCTL common controls library found in supported versions of Office -- before the other non-critical bulletins. Attackers can exploit the flaw by tricking users into visiting malicious webpages; a successful exploit allows them to bypass Address Space Layout Randomization (ASLR), a vital security feature for several of Microsoft's modern products.
Microsoft warned that on its own, the MSCOMCTL vulnerability does not allow arbitrary code execution, but the ability to bypass ASLR could be invaluable to attackers when used in conjunction with other bugs.
"By closing the loop here, Microsoft has provided IT with a leg up against the bad guys in other still-unknown attacks," said Russ Ernst, director of product management for Lumension. "They consider it at the top of their deployment priority for this reason."