It’s the last Microsoft Update Tuesday before the end-of-life of both Windows XP and Office 2003, and Microsoft is patching two vulnerabilities that also impact XP and two that also impact Office 2003 this month. All in all, it’s a relatively light month this time around, with only four bulletins covering eleven CVEs.
The first bulletin this month, MS14-017, deals with Word and covers three CVEs. One fix is for a 0-day vulnerability, CVE-2014-1761, that Microsoft previously addressed in advisory 2953095 and a “Fix it” that disables support for RTF completely in Word. The vulnerability results from an incorrect “listoverridecount” value in an “overridetable” structure in the RTF file. This value is not properly checked by Word, and setting it to an invalid value causes a type confusion bug, which can be exploited by an attacker to gain remote code execution. The vulnerabilities addressed in this bulletin also cover Word 2003.
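The Word bug comes down to a count field in the RTF list override table that the parser trusted without checking. The following scanner is an added example (not code from this post, from Sourcefire, or from Microsoft) showing the kind of consistency check a mail gateway or triage script could apply before a document reaches Word: it walks each `\listoverride` group in the file, reads the declared `\listoverridecount`, and compares it with the number of `\lfolevel` groups actually present. The assumptions are that, per the RTF specification, a list override carries at most nine levels (one per list level), so a declared count outside 0..9 or one that disagrees with the levels present is malformed; the sample RTF strings are constructed for illustration and are not real samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RTF lists define at most nine levels, so a list override cannot
# legitimately declare more level overrides than that (assumption from the spec).
MAX_LIST_LEVELS = 9

# \listoverride must not match \listoverridetable or \listoverridecount,
# hence the negative lookahead on the next character.
_LISTOVERRIDE_RE = re.compile(r"\\listoverride(?![a-z])")
_COUNT_RE = re.compile(r"\\listoverridecount(-?\d+)")
_LFOLEVEL_RE = re.compile(r"\\lfolevel(?![a-z])")


@dataclass
class OverrideCheck:
    declared_count: Optional[int]   # value of \listoverridecount, None if absent
    actual_levels: int              # number of \lfolevel groups found in the override
    reason: Optional[str]           # None when the override is internally consistent


def _group_body(rtf: str, start: int) -> str:
    """Return the text from `start` to the brace that closes the enclosing RTF group.

    Escaped braces (\\{ and \\}) are skipped so they do not disturb the depth count.
    """
    depth = 0
    i = start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":
            i += 2          # skip the escaped character or the first letter of a control word
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                return rtf[start:i]
            depth -= 1
        i += 1
    return rtf[start:]      # unterminated group: return what we have


def check_list_overrides(rtf: str) -> List[OverrideCheck]:
    """Validate every \\listoverride group in an RTF document."""
    results = []
    for m in _LISTOVERRIDE_RE.finditer(rtf):
        body = _group_body(rtf, m.end())
        count_match = _COUNT_RE.search(body)
        declared = int(count_match.group(1)) if count_match else None
        levels = len(_LFOLEVEL_RE.findall(body))

        if declared is None:
            reason = "missing \\listoverridecount"
        elif declared < 0 or declared > MAX_LIST_LEVELS:
            reason = f"\\listoverridecount {declared} outside 0..{MAX_LIST_LEVELS}"
        elif declared != levels:
            reason = f"\\listoverridecount {declared} but {levels} \\lfolevel group(s) present"
        else:
            reason = None
        results.append(OverrideCheck(declared, levels, reason))
    return results


def is_suspicious(rtf: str) -> bool:
    """True if any list override in the document fails the consistency check."""
    return any(r.reason is not None for r in check_list_overrides(rtf))


# Constructed sample documents (not real malware), used to exercise the checker.
BENIGN_RTF = (
    r"{\rtf1\ansi{\*\listoverridetable"
    r"{\listoverride\listid1\listoverridecount1{\lfolevel\levelstartat1}\ls1}}"
    r"\pard Hello\par}"
)
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\*\listoverridetable"
    r"{\listoverride\listid1\listoverridecount25\ls1}}"
    r"\pard Hello\par}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        for check in check_list_overrides(doc):
            print(name, check)
```

The check deliberately keys on internal inconsistency rather than on any one magic value, so it does not depend on knowing which count a particular exploit used; a document whose override table does not describe itself truthfully is simply not something Word needs to open.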
The requisite Internet Explorer bulletin, MS14-018, only covers six CVEs this month. As usual, most of the issues are the result of use-after-free vulnerabilities. This time, none of the vulnerabilities that are being patched were publicly known. Given that IE runs on XP as well, this is one of the two bulletins that cover XP.
MS14-019 fixes a vulnerability (CVE-2014-0315) in the way that Windows handles files that can result in remote code execution. This is the second bulletin that also covers XP.
The final bulletin this month is MS14-020 and deals with Publisher, where a maliciously crafted file can result in remote code execution due to an arbitrary pointer dereference (CVE-2014-1759). As with the Word bulletin, this one also covers 2003.
Rules SID 24974-24975, 30497-30502, 30508-30509 address these vulnerabilities.