Microsoft addressed a total of 23 vulnerabilities as part of its March 2014 Patch Tuesday release, with the most pressing update being a fix for an Internet Explorer (IE) zero-day vulnerability that has been actively exploited in the wild.
The IE zero day was originally discovered by researchers at Milpitas, Calif.-based FireEye Inc. nearly a month ago, with Microsoft confirming soon after that it affected IE versions 9 and 10. Attackers exploited the vulnerability CVE-2014-032 as part of a watering-hole attack targeting visitors to the U.S. Veterans of Foreign Wars (VFW) website.
Microsoft had already included a temporary workaround to mitigate the vulnerability as part of Security Advisory 2934088, but security bulletin MS14-012, which fixed a total of 18 vulnerabilities in IE, permanently resolved the issue. Wolfgang Kandek, chief technology officer for Redwood City, Calif.-based vulnerability management vendor Qualys Inc., advised enterprises to apply the critical IE patch as soon as possible.
Kandek said that the IE exploit was the first time he had seen an attack that attempted to detect the presence of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free security tool that applies Windows-based protections such as Address Space Layout Randomization (ASLR) to third-party applications. In the case of the VFW website attack, the exploit would not be triggered in instances where EMET was detected.
Microsoft has often touted EMET as a tool that can be used to mitigate zero-day exploits until the vendor provides a security patch, though researchers at Cupertino, Calif.-based security vendor Bromium raised questions about the effectiveness of the tool when they revealed how all of its protections could be bypassed.
Kandek was undeterred by Bromium's research, though, noting that EMET is both free and carries a sterling track record.
"I believe it was effective in preventing all 13 of the zero days we had last year, so that's probably the reason why the most recent one tested for it," Kandek said. "Given that this malware tests for this tool, I think that is the best recommendation [it could receive]. You should really have this tool if you want to escape attacks."
Apart from the cumulative IE update, security bulletin MS14-013 was the only other patch in the March batch that the Redmond, Wash.-based software giant deemed critical. The update addresses a privately reported vulnerability found in the application programming interface (API) for its DirectShow media-streaming architecture. The vulnerability can be exploited remotely if DirectShow parses malicious image files, and it affects every version of Windows from XP onward, as well as several versions of Windows Server.
Security bulletin MS14-014, rated important, addresses a privately reported vulnerability in Microsoft Silverlight, which can be exploited if a user visits a website hosting malicious Silverlight content. Microsoft notes that users must be lured to such websites, possibly via phishing emails or banner advertisements on the Web.
Security bulletin MS14-015 patches two vulnerabilities, one publicly and one privately disclosed, in a range of Windows and Windows Server versions. To exploit either vulnerability, an attacker would need local access to a system in order to run a malicious application; the most severe outcome is an elevation of privilege.
Security bulletin MS14-016 patches one privately disclosed vulnerability in the security accounts management API in Windows XP and Vista, as well as several versions of Windows Server.
"This vulnerability could be abused to perform a brute-force password attack while flying beneath the radar of the account lockout policy," said Chris Young, security researcher at Portland, Ore.-based Tripwire Inc. "Although this vulnerability is somewhat unique compared to the typical bulletins, it does not have the impact of the other bulletins this month."
Kandek described this Patch Tuesday batch as largely uneventful apart from the cumulative IE update. Kandek said the most important trend to take away from this month's release is the fact that all five security bulletins issued by Microsoft included vulnerabilities found in the aging Windows XP operating system.
Though Microsoft recently extended support for its Security Essentials antimalware package to XP users, April 8, 2014 will mark the last Patch Tuesday to include updates for XP. Kandek warned users and organizations that have yet to switch to a newer OS that attackers will be able to exploit systems still running XP with ease after next month.
"In March, all of the fixes have an XP equivalent. Why should that all of a sudden stop in May? There's no reason to expect the vulnerabilities found in May will not be present in XP," Kandek said. "The attackers are going to look at these vulnerabilities and check what Microsoft fixed, so they'll compare Windows 7 before and after [Patch Tuesday]. They will look into Windows XP for the same vulnerability, and most likely, it will be there."