In a relatively light September 2014 Patch Tuesday release, Microsoft addressed a total of 42 vulnerabilities across four bulletins, primarily addressing issues in its long-beleaguered Web browser. The majority (37) of this month's fixes repair issues in Internet Explorer (IE), marking the eighth month in a row the Web browser has required patching. Over the past three months, Microsoft has issued updates for more than 100 vulnerabilities in IE.
Of the four bulletins, only the IE update (MS14-052) is deemed critical. It patches one publicly disclosed vulnerability, CVE-2013-7331, which could result in information disclosure, and 26 privately disclosed memory-corruption vulnerabilities in all versions of the browser (IE6 through IE11). The worst of these could result in remote code execution through a malicious webpage.
If left unpatched, attackers may be able to determine local pathnames and intranet hostnames and IP addresses by examining error codes, as well as detect the presence of files on local drives. Microsoft noted that it is aware of a limited number of active attacks that have exploited CVE-2013-7331.
Amol Sarwate, director of vulnerability labs at Redwood City, Calif.-based vulnerability management vendor Qualys Inc., noted that these vulnerabilities "can be used by malware to check if antimalware products or EMET is installed on the target system so that it can change its attack strategy." Wolfgang Kandek, CTO for Qualys, said implementing these fixes quickly, specifically those for IE -- which is critical to most companies -- is the most important recommendation. Kandek added that remediating these issues within the week is critical, especially as one-day exploits have become an increasing concern in the wake of Patch Tuesday releases.
Microsoft addresses denial-of-service vulnerabilities
This month's other three bulletins were ranked as important.
Bulletin two, MS14-053, is rated important, yet Sarwate believes it should be treated as critical if an organization uses the ASP.NET framework. "If left unpatched," Sarwate said, "remote unauthenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion which will ultimately lead to a denial-of-service condition on the ASP.NET webserver."
MS14-054 fixes a privately reported elevation-of-privilege vulnerability in newer versions of Windows, including Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2. Attackers who already hold valid login credentials could potentially use it to take control of the local system and install programs; view, change or delete data; or create accounts.
A second bulletin addressing denial-of-service (DoS) flaws, MS14-055, resolves three vulnerabilities in the two newest versions of Microsoft's Lync collaboration server, Lync Server 2010 and Lync Server 2013. The most serious of these could allow attackers to send malicious SIP requests to the Lync server and cause a DoS condition.
"If you are running ASP.NET or send Lync meeting requests to third parties, then these updates are particularly important for your organization," said Tyler Reguly, manager of security research for Portland, Ore.-based Tripwire Inc. "In some cases, they may even be considered critical; denial of service is not something to be taken lightly."
Kandek stated that while the DoS vulnerabilities were not to be ignored and should be added to an organization's regular patching schedule, their criticality is rated lower as these vulnerabilities are "less interesting for attackers nowadays" due to the noise they create on a network.
Adobe issues Flash Player patch
Separately, Adobe Systems Inc. issued a critical bulletin today, APSB14-21, for Flash Player on all platforms. The patch addresses 12 vulnerabilities in Flash Player 14.0.0.179 and earlier that could potentially enable a system takeover. This update brings Flash Player to version 15.0.0.152 for Windows and Macintosh, and version 11.2.202.406 for Linux.
Kandek noted that a Flash security update is no surprise as Adobe has released a patch for it each month this year.
The bulletin also includes updates for Adobe AIR on all platforms.
Separately, Adobe announced it was delaying the expected release of its APSB14-20 software security update for vulnerabilities in Adobe Reader and Adobe Acrobat until the week of Sep. 15 in order to address problems that surfaced during routine testing. When released, these updates are expected to fix issues in Adobe Reader X and XI, and Acrobat X and XI on both Windows and Macintosh.
Catch up on last month's Patch Tuesday release, which featured 37 vulnerabilities, 26 of which addressed IE issues.