The Microsoft updates are pretty significant this month. Internet Explorer, which was missing from the updates last month for the first time in a long time, is back with a whopping 24 vulnerabilities. Besides the IE bulletin, there are six more bulletins; across all seven, 4 are rated critical and 3 are rated important. All in all, this Update Tuesday provides fixes for 32 CVEs. The list of bulletins below is ordered by rating rather than number (i.e., the same ordering as used here: https://technet.microsoft.com/en-us/security/bulletin/ms14-feb).
The first bulletin, MS14-010, deals with IE, is rated
critical, and provides fixes for 24 CVEs. As usual, most of them are
use-after-free vulnerabilities. Most of the
vulnerabilities were reported privately to Microsoft, but there is also one fix
for a publicly disclosed vulnerability (CVE-2014-0267), also a use-after-free vulnerability.
The second critical bulletin, MS14-011, provides an update
for a vulnerability in VBScript that is shared with the IE bulletin
(CVE-2014-0271), where a type confusion vulnerability could lead to arbitrary
code execution.
MS14-007 is also rated critical and it fixes a vulnerability
in Direct2D (CVE-2014-0263) that could result in remote code execution. The
vulnerability can be triggered if a user browses to a malicious website and is
presented with a malicious SVG object.
The final critical bulletin this month is MS14-008. This vulnerability occurs in Microsoft’s
Forefront Protection 2010 which provides anti-malware and anti-spam protection
for Exchange Server. The vulnerability occurs when a specially crafted email
is scanned by the server and could result in remote code execution
(CVE-2014-0294). It is unclear if the vulnerability can be triggered and there
are currently no known exploitation scenarios for this vulnerability.
Microsoft’s next bulletin, MS14-009
is rated as important and deals with the .NET framework. It is the only
bulletin besides IE that comprises multiple CVEs: three in total. Two of
these have been publicly disclosed. The first one is a denial of service in
ASP.NET that can be triggered via an incomplete POST request (CVE-2014-0253).
The second publicly disclosed vulnerability is an ASLR bypass (CVE-2014-0295) due
to a lack of ASLR support in VSAVB7RT.DLL.
Finally, the last vulnerability in this bulletin is an escalation of privilege
vulnerability due to type traversal (CVE-2014-0257).
MS14-005 is also rated as important and provides a fix for a
single vulnerability in XML Core Services that could result in a bypass of the
same origin policy (CVE-2014-0266). This could allow information disclosure, where
an attacker could read local files on disk via a malicious webpage. This
information leak was previously used in conjunction with the IE 0-day “Watering
hole” vulnerability (CVE-2013-3918), which was patched in a previous update cycle. The information disclosure vulnerability was used to retrieve the timestamp from the PE headers of msvcrt.dll to allow the attacker to use a ROP
chain specific to that version of the DLL.
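As an added example (not from the original post, Microsoft or the VRT), here is a small audit script that reads the two PE header fields these bulletins turn on: the DYNAMIC_BASE opt-in flag, whose absence is the "lack of ASLR support" behind CVE-2014-0295, and the link TimeDateStamp that identifies an exact DLL build, as the MS14-005 leak did. The `build_sample` helper and its header values are constructed for illustration so the script runs offline.

```python
import struct
import sys
from datetime import datetime, timezone
from pathlib import Path

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opts in to DEP


def audit_pe(data: bytes) -> dict:
    """Read the link timestamp and the ASLR/DEP opt-in flags from PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 96 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad or truncated PE header")
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    _, _, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B) or opt_size < 72:  # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (flags,) = struct.unpack_from("<H", data, opt_off + 70)
    return {
        "timestamp": stamp,
        "linked_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
    }


def build_sample(stamp: int, flags: int) -> bytes:
    """Constructed PE32 headers only (not a loadable image), for offline runs."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    images = {p: Path(p).read_bytes() for p in sys.argv[1:]} or {
        "sample-no-aslr": build_sample(1262304000, 0x0000),
        "sample-aslr-dep": build_sample(1262304000, 0x0140),
    }
    for name, blob in images.items():
        print(name, audit_pe(blob))
```

Run it with DLL paths as arguments to flag modules that still load at a fixed base; with no arguments it audits the two constructed samples.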
The last bulletin of the month is MS14-006 and is rated as
important. It provides an update for Microsoft’s IPv6 TCP/IP stack, where maliciously
crafted IPv6 routing discovery packets sent on the same subnet as the
vulnerable machine could result in a denial of service (CVE-2014-0254): the
machine becomes unresponsive while processing these packets and could
possibly crash.
The VRT is releasing rules with the following SIDs to address these issues:
23178, 24926, 29655, 29667-29668, 29671-29722,
29727-29738 and 29741-29744.