This month’s Microsoft Update Tuesday is relatively light compared to the major update of last month. We’re getting a total of six bulletins this month, two marked critical, three as important and finally one moderate. These six bulletins cover a total of 29 CVEs, most of which are, as is usual, in Internet Explorer.
Let’s start off with the Internet Explorer bulletin, MS14-037. It covers a total of 24 CVEs, 23 of which are memory corruption vulnerabilities that could result remote code execution vulnerabilities and most of those memory corruptions are the result use-after-free vulnerabilities. What’s interesting this month is that Microsoft has implemented a number of enhancements to IE that make particular use-after-free vulnerabilities non-exploitable. The one vulnerability (CVE-2014-2783) that didn’t deal with remote code execution is an update that fixes a vulnerability in extended validation (EV) SSL certificates. EV-SSL certificates cannot contain wildcards, however most major browsers did support wildcards when tested. This update corrects that issue for Internet Explorer.
The next critical update (MS14-038) is for Window Journal, a note-taking application that comes installed by default on non-Server editions of Windows. The update covers a single vulnerability, CVE-2014-1824, where an attacker can achieve remote code execution by getting a user to open a maliciously crafted Windows Journal file.
The next three important updates are all fixes for escalation of privilege vulnerabilities and were disclosed during Pwn2Own. With these fix, Microsoft is closing out all the vulnerabilities related to Windows (both kernel and usermode) that were disclosed during the competition. MS14-039 is an update that fixes a vulnerability in the on-screen keyboard (CVE-2014-2781), where an attacker could call the on-screen keyboard from a low integrity application and cause the keyboard to execute a higher privileged program. The next one is MS14-040, it corrects a vulnerability in the Ancillary Function Driver (afd.sys) that when exploited can provide an application with increased privileges. Finally, MS14-041 provides an update for a vulnerability in DirectShow (CVE-2014-2780), that can be used by an attacker to escape the restrictions imposed on a low integrity application.
The final update (MS14-042) for this month is marked as moderate and is a fix for a Denial of Service in the Service Bus (CVE-2014-2814). The vulnerability can be exploited by a remotely authenticated user who sends crafted messages to the Service Bus that result in a system crash.
The VRT is releasing the following rules to address these issues: SID 31380-31387.