Microsoft fixes a smaller set of software product code this month for “Critical” vulnerabilities, and a handful for “Important” fixes with MS014-030 through MS014-036. But whoa, almost 60 remote code execution flaws exist in the six versions of Internet Explorer and the Microsoft components that render fonts on your system! Not only is that a very long list of memory corruption issues, but one of the IE bug reports, credited to Peter Van Eeckhoutte, is over 180 days old. The fix and testing effort must have been a large one over the past few months.
Microsoft releases two critical Bulletins today for Internet Explorer (on Windows client systems, but important on servers) and GDI+, and five important Bulletins for Microsoft Word, the network stack (TCP), their IM system Lync, and the MSXML component used by Internet Explorer.
The IE 0day reported 180 days ago is yet another “use-after-free” vulnerability enable by IE code’s handling of javascript CMarkup objects. While the bug’s finder thought that the vulnerability affected Internet Explorer 8, Microsoft’s CVE-2014-1770 fixes in MS014-035 are rated Critical for RCE across IE 6,7,8,9,10 and 11 on Windows clients, and rated moderate on Windows servers. It has been publicly reported, and raises risk of exploitation Itw. So far, we have not identified related 0day being used, but we will continue to review our data.
MS014-035 also follows the flood of discussion on the heartbleed vulnerability with another TLS Bulletin. A team of researchers, including one from Microsoft Research, published a substantial paper titled “Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS”. It details a variety of encrypted network session MiTM attacks enabled by TLS implementations from Microsoft, Google, Apple, and Mozilla. This Bulletin is Microsoft’s fix for their own code – the others use implementations of GnuTLS, OpenSSL, and GNU SASL.
Also interesting in this month’s critical rated vuln is the variety of software affected by the two TrueType font handling bugs patched with MS014-036 – USP10 (the same dll implementing “Uniscribe”), GDI+, gdi32, DirectWrite, the Microsoft Office 2007 and 2010 software (but not Office for Mac 2011), the Live Meeting 2007 Console, and Lync 2010 and 2013 software. That is a broad distribution of user-mode code. I suppose these are a couple more reasons to keep reading all of your email in plaintext.
Lastly, it is very important for enterprise admins to pay attention to Microsoft’s ongoing work fighting decade old Pass-the-Hash techniques, as demonstrated by last night’s discussion of the APT Shanghai group report, also known as MsUpdater or Putter Panda and the three week old charges against the APT Beijing group that includes Ugly Gorilla and Comment Crew members.
Separate from the regular update cycle, KB2871997 was released a couple of weeks ago. It applies to most versions of their Windows platform in enterprise environments – Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, but unfortunately not all. The new features provide a “Protected Users” group by replacing past authentication schemes with Kerberos for selected users, restricted admin RDP mode, and LSA credential cleanup. They provide guidance on checking for WDigest use in DC/server logs, and while attackers’ toolsets contain capabilities to alter or delete events from these logs, it is very important to monitor for indications of anomalous WDigest activity.
Microsoft Updates June 2014 – Almost 60 IE and GDI+/TrueType RCE