Tuesday, January 14, 2014

Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability


The first Microsoft Update Tuesday of 2014 is here and it’s a very light month this time around. We’ve got 4 bulletins covering 6 CVEs. What’s remarkable is that there’s no Internet Explorer bulletin this month. There are also no bulletins that are marked critical, all 4 bulletins are marked as important.

The first bulletin, MS14-001, is for Word and Office Web Apps, this bulletin covers 3 CVEs (CVE-2014-0258, CVE-2014-0259 and CVE-2014-0260.  They are memory corruption vulnerabilities in Word, which could result in remote code execution.

MS14-002 is a fix for the Windows XP/2003 0-day kernel escalation of privilege vulnerability (CVE-2013-5065) that was being exploited in the wild in tandem with the Adobe Reader vulnerability (CVE-2013-3346). Here an attacker would convince the user to open a maliciously crafted PDF that would exploit the use after free in Adobe Reader to gain code execution. Once that was done, the malicious code would exploit a vulnerability in the NDProxy driver, where an out of bounds access to a table of function pointers would attempt to execute code in userland, which allows an attacker to gain system privileges.

The next bulletin MS14-003 provides another fix for a kernel mode driver vulnerability that could allow an attacker to gain elevated privileges by exploiting a vulnerability in win32k.sys (CVE-2014-0262).

The final bulletin (MS14-004) fixes a denial of service vulnerability (CVE-2014-0261) in Microsoft Dynamics AX. 

We’re releasing rules SID 28867-28872 to address these issues.



No comments:

Post a Comment