Microsoft started the new year with four relatively light bulletins -- none deemed "critical" -- included in its January 2014 Patch Tuesday security update, highlighted by a patch for a Windows XP zero-day flaw that's being actively exploited in the wild.
The XP vulnerability was originally noted by the Redmond, Wash.-based software giant in security advisory 2914486 on Nov. 27, 2013, leaving little time for the company to address the issue in its December 2013 Patch Tuesday release.
Dustin Childs, group manager for Microsoft Trustworthy Computing, wrote last month that a permanent resolution was in the works, and true to his word, a patch arrived today.
The zero day, which also affects Windows Server 2003, lies in NDProxy.sys, the kernel-mode driver that manages the telephony application programming interface (TAPI) in Windows XP. It is a local elevation-of-privilege flaw: an attacker who can already run code on the machine could use it to execute arbitrary code in kernel mode, view, change or delete data, and create new accounts with full administrator rights.
Despite the potential severity of a successful exploit, Microsoft rated the fix, part of bulletin MS14-002, as "important" rather than critical. Microsoft's severity ratings reserve "critical" for flaws exploitable without user interaction, so a local elevation of privilege that needs code already running on the box ordinarily lands at "important." As of now, the only known in-the-wild exploits for the XP zero day have chained it with a completely separate, recently addressed vulnerability in Adobe Reader, which may also have led Microsoft to lower the significance of the bulletin.
Wolfgang Kandek, chief technology officer of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., had advised enterprises last month to simply update Adobe Reader if they wanted to avoid being victimized by the XP zero day, but he also advised companies to apply this patch as soon as possible.
"It's still a useful vulnerability for an attacker. It's certainly not bound to the PDF attack," Kandek said. "Once you get on the machine, which could be through other vulnerabilities … it can be used in any way then to escalate and become administrator on the machine."
Kandek also emphasized that Windows XP will reach the end of its support lifecycle in April, leaving enterprises little time to complete a transition away from the venerable OS if they haven't yet started that process. Microsoft will not only cease releasing security patches for XP in three months, but it will also end updates to its antimalware package, Security Essentials, for XP machines. For organizations that haven't completely shifted off XP, Kandek advised isolating any remaining XP machines from both the Internet and any corporate or office network, since malware on a compromised machine elsewhere on the network will scan for other hosts vulnerable to the exploits it carries.
As for the other issues in this month's Patch Tuesday batch, bulletin MS14-001 addresses privately disclosed vulnerabilities in Microsoft Word across several versions of Office, as well as in SharePoint Server and Office Web Apps. They could be exploited remotely if a user opens a specially crafted Word file in the affected software, giving the attacker the same rights as that user. Kandek described this as the most important bulletin to patch this month.
MS14-003 fixes a privately reported vulnerability in a Windows kernel-mode driver on Windows 7 and Windows Server 2008 R2. To exploit it, an attacker must already be able to log on to the machine, either with valid credentials or through local access, and run a specially crafted application; a successful exploit results in elevation of privilege.
MS14-004 resolves a privately reported vulnerability in Microsoft Dynamics AX, the company's enterprise resource planning software. An authenticated attacker could use it to mount a denial-of-service attack against a Dynamics AX Application Object Server (AOS) instance.
Foreshadowing next month's patch release, Childs wrote on the Microsoft Security Response Center blog that the company will release an update restricting the use of the MD5 hash algorithm in digital certificates on the operating systems it supports. The change is meant to close off a weakness that could allow an attacker to spoof content, execute phishing attacks, or conduct man-in-the-middle attacks using a certificate whose MD5 signature can be forged.
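Before an update like that lands, an administrator would want to know which certificates in the local stores, or anywhere in a chain the machine trusts, still carry an MD5 signature. The following PowerShell script is an added example written for this page, not code from Microsoft or from the bulletin. It assumes Windows PowerShell with the `Cert:` provider (Windows 7 / Server 2008 R2 or later) and elevated rights to read the `LocalMachine` stores; the function names and the choice of OIDs are this example's own, and the assumption that the update keys off the certificate's signature algorithm is labelled as such in the comments.

```powershell
# Added example (not from the article or from Microsoft): find certificates whose
# signature uses MD5, the class of certificate an MD5-deprecation update is assumed
# to stop honouring. Run from an elevated Windows PowerShell prompt.

# md5WithRSAEncryption (PKCS #1). FriendlyName is matched as a fallback because
# the name CryptoAPI reports ("md5RSA") is more stable than the OID list we carry.
$Md5SignatureOids = @('1.2.840.113549.1.1.4')

function Test-Md5Signature {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $alg = $Certificate.SignatureAlgorithm
    return ($Md5SignatureOids -contains $alg.Value) -or ($alg.FriendlyName -match 'md5')
}

function Get-Md5SignedCertificate {
    # Walk every store under the given roots and emit one record per MD5-signed cert.
    param([string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'))
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { Test-Md5Signature -Certificate $_ } |
            ForEach-Object {
                [pscustomobject]@{
                    Store        = ($_.PSParentPath -replace '^.*::', '')
                    Subject      = $_.Subject
                    Issuer       = $_.Issuer
                    Thumbprint   = $_.Thumbprint
                    NotAfter     = $_.NotAfter
                    SignatureAlg = $_.SignatureAlgorithm.FriendlyName
                    # A self-signed root is trusted by its presence in the store, not by
                    # verifying its own signature, so it is reported but flagged apart.
                    SelfSigned   = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

function Get-Md5ChainElement {
    # A SHA-256 leaf is still at risk if an intermediate above it is MD5-signed:
    # build the chain and check every element except the root.
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)   # offline: revocation is deliberately skipped
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    for ($i = 0; $i -lt $elements.Count - 1; $i++) {
        if (Test-Md5Signature -Certificate $elements[$i]) { $elements[$i] }
    }
}

# Usage: list MD5-signed certificates in the local stores ...
Get-Md5SignedCertificate | Sort-Object Store, Subject | Format-Table -AutoSize

# ... and check the full chain of every end-entity cert in the machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $bad = @(Get-Md5ChainElement -Certificate $_)
    if ($bad.Count -gt 0) {
        "{0}: chain contains MD5-signed element(s): {1}" -f $_.Subject, ($bad.Subject -join '; ')
    }
}
```

Two points worth keeping in mind when reading the output. First, the chain walk matters more than the store scan: an MD5-signed intermediate quietly invalidates every certificate issued beneath it, even when those leaves use SHA-256. Second, a self-signed root flagged by the store scan is not itself a problem for chain validation, since Windows trusts it by store membership rather than by checking its signature; it is listed so that an administrator can decide whether it should still be there at all.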
Separately, Adobe Systems Inc. also released two January 2014 security updates today, both rated "critical." APSB14-01 addresses vulnerabilities in Adobe Reader and Acrobat that an attacker could exploit remotely with a malicious PDF to take control of a system. APSB14-02 patches a remotely exploitable vulnerability in Flash Player that could be triggered by malicious Web content, likewise giving an attacker control of the system. Kandek recommended both updates be applied immediately.