Once again it’s time for Microsoft’s Update Tuesday and this
time it’s almost all about Internet Explorer. We had a bit of a lull in the
past months with respect to IE vulnerabilities, especially due to the
out-of-band patch that Microsoft released last month, which delayed some of the
regularly scheduled fixes. However, this month more than makes up for it: we
have a total of seven advisories this month, fixing 66 vulnerabilities, 59 of which
are in IE.
There are two advisories that are marked as critical:
The first critical bulletin is MS14-035 and is the IE
bulletin that covers 59 total vulnerabilities. Of these 59 vulnerabilities, two
are information disclosure issues: CVE-2014-1777 and CVE-2014-1771. The last
vulnerability was publicly known and is a TLS renegotiation vulnerability that
could be exploited by a man-in-the-middle attacker. There are also 3 escalation
of privilege vulnerabilities, while the remaining 54 vulnerabilities are memory
corruption vulnerabilities. Once again many of these memory corruption
vulnerabilities are use-after-frees. Of these memory corruption vulnerabilities,
one was publicly known: CVE-2014-1770. Microsoft is also adding a defense in
depth protection to IE this month to better protect against these
use-after-free vulnerabilities.
MS14-036 is the second and final critical bulletin this
month and is for GDI+, this bulletin covers two CVEs. The first CVE (CVE-2014-1817) is related
to a vulnerability when processing Unicode Script while the other one is
related to image parsing (CVE-2014-1818).
The remaining bulletins are all marked as important and each
fix a single vulnerability.
Remote desktop is the subject of the first important bulletin
(MS14-030, CVE-2014-0296) and fixes a vulnerability that could allow an attacker to
disclose and modify a session. One mitigating factor this vulnerability is that
an attacker must be able to perform a MITM attack at the beginning of the session
to be able to influence it.
The next bulletin, MS14-031, is for a Denial of Service
issue in the way that TCP (CVE-2014-1811) is handled. An attacker can send
sequence of crafted TCP packets to cause a DoS.
MS14-032 covers Lync Server and fixes CVE-2014-1823
which is a reflected XSS vulnerability, where an attacker modifies a parameter
to an existing meeting which allows Javascript to be injected in the target’s
browser.
There is an information disclosure in MSXML (CVE-2014-1816) that
is fixed by MS14-033, where an attacker can obtain paths (and thus usernames),
when a malicious XML file is loaded in the browser.
The final bulletin for this month, MS14-034, covers a vulnerability
in Word that can result in a remote code execution due to a vulnerability in
the handling of embedded fonts (CVE-2014-2778).
VRT is releasing the following rules to address these issues: SID 31188-31194, 31196-31209, 31215-31217.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.