Tuesday, March 11, 2014

Micorosft Update Tuesday: March 2014, all about IE (including two 0-day fixes)



It's Microsoft Update Tuesday. While this month is relatively minor, a total of 5 bulletins, it is pretty large for the requisite Internet Explorer bulletin. There’s a total of 23 CVEs covered by the bulletins, 18 of which are found in IE. 

There’s 2 critical and 3 important bulletins this month:

MS14-012 is the first critical bulletin and is the IE bulletin. Most of the vulnerabilities are, as usual, the result of "use-after-free" vulnerabilities. One of the vulnerabilities, CVE-2014-0322, was known publicly before the update and saw targeted attacks since February 14th. The temporary workaround in security advisory 2934088 that has been available from Microsoft since February 19th is now being replaced by a more formal fix. The vulnerability was being exploited in a watering hole attack at vfw.org. Microsoft is also providing a fix for another 0-day use-after-free vulnerability, CVE-2014-0324, which has seen very limited targeted attacks. The exploit targeted IE8 specifically and the update that Microsoft issued in their December Update (MS13-106) that fixes an ASLR bypass in HXDS.dll makes this vulnerability harder to exploit.

Next up is a critical vulnerability in DirectShow (MS14-013), where a specially crafted JPEG results in a double free vulnerability (CVE-2014-0301) that may result in remote code execution. While DirectShow is the underlying application that is vulnerable, IE would be used as an attack vector to get the victim to load the malicious JPEG.

The next bulletin (MS14-014) is marked as important and fixes an ASL/DEP bypass in Silverlight (CVE-2014-0319).

MS14-015 is also marked important and fixes 2 CVEs in Windows Kernel Mode Drivers. The first update is for CVE-2014-0323 and fixes a publicly known information disclosure vulnerability that could allow an attacker to read arbitrary addresses that would allow it to be used to bypass ASLR. The other update fixes a vulnerability that could result in an escalation of privileges (CVE-2014-300).

The final bulletin (MS14-016) for this month is also considered important and is a vulnerability (CVE-2014-0317) in the Security Account Manager Remote (SAMR) that could allow an attacker that is brute-forcing passwords to bypass the account lockout feature. This could allow an attacker to continue a brute-force attack by resetting the lockout.

The VRT is releasing rules SID 29717-29718, 29819-29822, 30106-30132, 30139-30145

No comments:

Post a Comment