Once again it’s time for Microsoft’s Update Tuesday and this time it’s almost all about Internet Explorer. We had a bit of a lull in the past months with respect to IE vulnerabilities, especially due to the out-of-band patch that Microsoft released last month, which delayed some of the regularly scheduled fixes. However, this month more than makes up for it: we have a total of seven advisories this month, fixing 66 vulnerabilities, 59 of which are in IE.
There are two advisories that are marked as critical:
The first critical bulletin is MS14-035 and is the IE bulletin that covers 59 total vulnerabilities. Of these 59 vulnerabilities, two are information disclosure issues: CVE-2014-1777 and CVE-2014-1771. The last vulnerability was publicly known and is a TLS renegotiation vulnerability that could be exploited by a man-in-the-middle attacker. There are also 3 escalation of privilege vulnerabilities, while the remaining 54 vulnerabilities are memory corruption vulnerabilities. Once again many of these memory corruption vulnerabilities are use-after-frees. Of these memory corruption vulnerabilities, one was publicly known: CVE-2014-1770. Microsoft is also adding a defense in depth protection to IE this month to better protect against these use-after-free vulnerabilities.
MS14-036 is the second and final critical bulletin this month and is for GDI+, this bulletin covers two CVEs. The first CVE (CVE-2014-1817) is related to a vulnerability when processing Unicode Script while the other one is related to image parsing (CVE-2014-1818).
The remaining bulletins are all marked as important and each fix a single vulnerability.
Remote desktop is the subject of the first important bulletin (MS14-030, CVE-2014-0296) and fixes a vulnerability that could allow an attacker to disclose and modify a session. One mitigating factor this vulnerability is that an attacker must be able to perform a MITM attack at the beginning of the session to be able to influence it.
The next bulletin, MS14-031, is for a Denial of Service issue in the way that TCP (CVE-2014-1811) is handled. An attacker can send sequence of crafted TCP packets to cause a DoS.
There is an information disclosure in MSXML (CVE-2014-1816) that is fixed by MS14-033, where an attacker can obtain paths (and thus usernames), when a malicious XML file is loaded in the browser.
The final bulletin for this month, MS14-034, covers a vulnerability in Word that can result in a remote code execution due to a vulnerability in the handling of embedded fonts (CVE-2014-2778).
VRT is releasing the following rules to address these issues: SID 31188-31194, 31196-31209, 31215-31217.