Microsoft today fixed a total of 29 vulnerabilities across six bulletins as part of a relatively light July 2014...
Patch Tuesday release, although a cumulative update for Internet Explorer addressed a hefty two dozen vulnerabilities alone.
The "critical" Internet Explorer (IE) update, MS14-037, is the latest in a string of Patch Tuesday releases in which Microsoft's Web browser has been the focal point for administrators; the company fixed a total of 59 IE vulnerabilities last month alone, and has so far patched several zero-day flaws in the browser this year.
Among the 24 IE flaws fixed this month, only one, CVE-2014-2783, had been disclosed publically before the release, though Microsoft said it was unaware of any exploits against it in the wild.
The security feature-bypass vulnerability was the result of IE not enforcing extended validation SSL certificate guidelines properly by honoring wildcard certificates. Though serious, the bug's overall effect was limited; to exploit it, an attacker would need to obtain a wildcard certificate from a certificate authority (CA) -- a move that would not be compliant with SSL certificate guidelines on the part of a CA.
The other 23 IE flaws were all privately disclosed memory-corruption vulnerabilities that affect all supported versions of Microsoft's browser.
Wolfgang Kandek, chief technology officer for Redwood City, California-based vulnerability management vendor Qualys Inc., said the IE patch should be the first priority this month for any organization with users running the browser.
However, Kandek said he is worried that since Microsoft has delivered patches for hundreds of IE vulnerabilities so far this year, attackers likely have plenty of avenues to compromise IE users.
"Last month was kind of a big cleanup, and this month is another critical one. I think that just speaks to the fact that there are critical vulnerabilities being found constantly and being funneled to Microsoft even though they don't pay for it," Kandek said. "So the interesting thing is to imagine how many are being given to people that [are] actually paying for it. I think we can assume there is a pretty healthy supply of [Internet Explorer] zero-day exploits going around."
Apart from the IE patch, only one other July bulletin, MS14-038, was rated "critical" by Microsoft. MS14-038 resolves a privately reported vulnerability found in most supported versions of Windows, which can be exploited by attackers tricking users into clicking malicious Windows Journal files. If successful, an attacker would gain the ability to execute code remotely, with Microsoft noting that machines running with limited account rights are less likely to be affected.
"This component has had vulnerabilities in the past and hopefully has already been disabled by most organizations where possible," said Marc Maiffret, chief technology officer for Phoenix-based BeyondTrust Inc. "Furthermore, since the attack takes place in a corrupted .jnt Windows Journal file, it is highly recommended to treat this file extension as you do executable extensions and block it at your Web and email gateways."
MS14-039, rated "important," addresses another vulnerability found in several versions of Windows; if exploited, it could allow a privilege-escalation attack. The flaw can be triggered by an attacker executing the onscreen keyboard -- a keyboard that is displayed visually on a user's screen -- in the context of a low-integrity process.
MS14-040, rated "important," fixes a flaw found across all supported versions of Windows and Windows Server. The vulnerability surfaces as the result of the Ancillary Function Driver (AFD) improperly processing user input, and could permit an attacker to run arbitrary code in kernel mode, allowing them to install programs, view and alter data, and create full admin accounts -- assuming they can gain access to legitimate logon credentials.
"This is a more classic [case of] privilege escalation than MS14-039 in that the successful exploitation of this vulnerability would allow an attacker to go from any locally logged on user to running code in kernel mode," Maiffret said. "This vulnerability is of course a worry given it can be paired with something like the Internet Explorer vulnerabilities from this month to allow for drive-by Web attacks that result in execution of code in the kernel."
MS14-041, rated "important," resolves a Windows vulnerability found in DirectShow, which is used for streaming media. The vulnerability arises due to DirectShow's improper handling of certain objects within a machine's memory. The severity of the flaw is limited by an attacker needing to first exploit another vulnerability in a low-integrity process, and then being limited by the account rights currently on a targeted machine.
MS14-042, the only patch rated as "moderate" this month, fixes a denial-of-service vulnerability in Microsoft Service Bus for Windows Server. The bug is the result of Service Bus mishandling certain Advanced Message Queuing Protocol messages, and could allow an attacker to stop Service Bus from responding to such messages.
Compared to recent Patch Tuesday releases that have featured fixes for huge numbers of vulnerabilities and several zero days, some administrators may not believe the July patches need to be applied swiftly. According to Russ Ernst, director of product management for Lumension Security Inc. in Scottsdale, Arizona, that's not the right attitude to take.
"When planning time away from the office this week, administrators should know every bulletin impacts nearly every supported Windows Server version," Ernst said. "It's the time of year where many people take vacation away from the office, but this won't be the month to push off patching."
Separately, Adobe Systems Inc. also issued a critical security update today for its Flash Player media software, making 188.8.131.52 the most updated version for Windows and Mac users. The patch included a fix for CVE-2014-4671, a Flash vulnerability that afflicted a number of high-profile Web domains, including various Google properties, Twitter, Instagram and Ebay.
"Unless you are running IE 10, IE 11 or Google Chrome," which update Flash automatically, Kandek said, "you should look this month's Adobe Flash fix as your second-highest priority."
Catch up on last month's Patch Tuesday release, which featured an IE update that fixed 59 total vulnerabilities.