Microsoft today addressed 66 total vulnerabilities across seven bulletins -- 59 in Internet Explorer alone -- in...
a mammoth June 2014 Patch Tuesday release, which included a fix for an Internet Explorer 8 vulnerability that the company was made aware of more than seven months ago.
Originally uncovered in October 2013, Hewlett-Packard Co.'s Zero-Day Initiative (ZDI) publically disclosed the Internet Explorer (IE) 8 vulnerability, CVE-2014-1770, last month after Microsoft failed to address it within six months -- the amount of time ZDI typically allows a vendor to fix a flaw before issuing a public disclosure. ZDI actually provided the Redmond, Washington-based software giant a small amount of leeway past the six-month cutoff date to patch the vulnerability -- a flaw in the way the browser handles CMarkup objects -- but Microsoft still failed to provide a fix.
In a blog post detailing this month's Patch Tuesday updates, Dustin Childs, group manager for the Microsoft Trustworthy Computing group, defended the vendor's decision to delay the IE 8 patch, noting it was unaware of any exploits taking advantage of the vulnerability and thus the actual effect on IE users was minimal.
"If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it? Similarly, does a vulnerability make a sound if it never gets exploited?" Childs asked. "Until something actually occurs, it is still theory; we're taking the theoretical and making practical updates against future 'what ifs.'"
Wolfgang Kandek, chief technology officer for Redwood City, California-based vulnerability management vendor Qualys Inc., agreed with Microsoft's decision to delay the IE 8 patch. He noted that Microsoft has been forced to address other Internet Explorer zero days in recent months that were being actively exploited.
Additionally, Kandek said the information disclosed by ZDI on the flaw was minimal, making it unlikely that an attacker could cobble together an exploit based on those details alone.
"You can count on every software product having vulnerabilities in it at any given point in time. It's a question of how many people know about it, and who knows about it" when deciding how quickly to release a patch, said Kandek, who added that users should apply the IE fix as soon as possible because attackers will now be able to reverse-engineer the flaw.
Besides the Internet Explorer 8 fix, Microsoft patched a record-breaking 59 browser vulnerabilities as part of its cumulative MS14-035 IE update this month -- a move that again may have been dictated by important IE patches delivered in recent months.
"It's been two months since our last cumulative update and we're likely seeing last month's IE update and this month's IE update released together," said Tyler Reguly, manager of security researcher at Portland, Oregon-based Tripwire Inc. "Last month we saw a non-cumulative update that felt almost like it was intended to be an out-of-band update."
Beyond the IE update, this month's Patch Tuesday featured only one other bulletin, MS14-036, which was deemed "critical" by Microsoft. The bulletin fixes two privately reported, remotely exploitable vulnerabilities in the GDI+ graphics library found across numerous versions of the company's Windows, Office and Lync software that can be triggered via a malicious file or webpage. The flaws don't allow for privilege escalation, according to Microsoft, so companies are advised to configure user accounts with minimal access rights.
Five other bulletins were deemed "important" by Microsoft.
First, MS14-030 resolves a vulnerability that could allow attackers to tamper with active Remote Desktop Protocol (RDP) sessions in Windows version 7 and 8, as well as Windows Server 2012.
MS14-031 addresses a "particularly serious" denial-of-service vulnerability found in various versions of Windows and Windows Server. It could allow an attacker to send maliciously crafted TCP connections to a server, according to Reguly, possibly resulting in an attacker knocking a server offline altogether.
MS14-032 fixes another Microsoft Lync vulnerability that relies on a user clicking a malicious meeting URL, potentially allowing an attacker to obtain sensitive information from the session.
MS14-033 patches a vulnerability largely affecting various versions of Windows that relies on an attacker luring a logged on IE user to a specifically crafted webpage, again resulting in information disclosure.
Finally, MS14-034 resolves an Office 2007 vulnerability that can be remotely exploited if a user opens a malicious file, giving an attacker the same account rights as the current user.
Experts told SearchSecurity that most enterprises should turn their immediate focus to applying the sizable Internet Explorer update, but Russ Ernst, director of product management with Scottsdale, Arizona-based Lumension Inc., noted that companies still running Windows Server 2003 -- which was patched as part of MS14-036 and MS14-031 -- should consider starting the long-term planning for the inevitable upgrade.
"We are coming up on just a year out now" from its July 2015 end-of-life date, said Ernst, "and because any changes to your data center environment will likely require a significant amount of planning and work, it isn't too soon to get that plan started.
Separately, Adobe Systems Inc. today released security updates for a number of its software products, with the most notable patch -- rated a "1", the most critical on Adobe's scale -- coming for the company's Flash Player. Adobe advised Windows and Mac users to hastily update to the latest Flash Player version, 18.104.22.168, though the company said it was unaware of any active exploits for the vulnerabilities mentioned.
Kandek said the Flash update should be the second highest priority for most enterprises today behind Microsoft's cumulative IE update, and advised users to consider switching to browsers -- including Google's Chrome and IE versions 10 and 11 -- that allow Adobe to deliver Flash updates to the browser automatically.