Microsoft Update Tuesday: February 2014, huge fix for Internet Explorer

The Microsoft Updates are pretty significant this month. Internet Explorer, which was missing from the updates for the first time in a long time last month is back with a whopping 24 vulnerabilities. Besides the IE bulletin, there’s six more bulletins, 4 of which are rated critical and 3 of which are rated important. All-in-all, this Update Tuesday provides fixes for 32 CVEs. The list of bulletins below is ordered by rating rather than number (i.e., the same ordering as used here: https://technet.microsoft.com/en-us/security/bulletin/ms14-feb).

The first bulletin, MS14-010, deals with IE and is rated critical and provides fixes for 24 CVEs. As is usual, most of the vulnerabilities are the result of use-after-free vulnerabilities. Most of the vulnerabilities were reported privately to Microsoft, but there is also one fix for a publicly disclosed vulnerability (CVE-2014-0267), a use-after-free vulnerability. 

The second critical bulletin, MS14-011, provides an update for a vulnerability in VBScript that is shared with the IE bulletin (CVE-2014-0271), where a type confusion vulnerability could lead to arbitrary code execution.
 

MS14-007 is also rated critical and it fixes a vulnerability in Direct2D (CVE-2014-0263) that could result in remote code execution. The vulnerability can be triggered if a user browses to a malicious website and is presented with a malicious SVG object.

The final critical bulletin this month is MS14-008.  This vulnerability occurs in Microsoft’s Forefront Protection 2010 which provides anti-malware and anti-spam protection for Exchange Server. The vulnerability occurs when a specifically crafted email is scanned by the server and could result in remote code execution (CVE-2014-0294). It is unclear if the vulnerability can be triggered and there are currently no known exploitation scenarios for this vulnerability. 

Microsoft’s next bulletin, MS14-009 is rated as important and deals with the .NET framework. It is the only bulletin besides IE that compromises multiple CVEs: three in total. Two of these have been publicly disclosed. The first one is a denial of service in ASP.NET that can be triggered via an incomplete POST request (CVE-2014-0253). The second publicly disclosed vulnerability is an ASLR bypass (CVE-2014-0295) due to a lack of ASLR support in VSAVB7RT.DLL. Finally, the last vulnerability in this bulletin is an escalation of privilege vulnerability due to type traversal (CVE-2014-0257).

MS14-005 is also rated as important and provides a fix for a single vulnerability in XML Core Services that could result in a bypass of the same origin policy (CVE-2014-0266). This could allow information disclosure, where an attacker could read local files on disk via a malicious webpage. This information leak was previously used in conjunction with the IE 0-day “Watering hole” vulnerability (CVE-2013-3918), which was patched in a previous update cycle. The information disclosure vulnerability was used to retrieve thetimestamp from the PE headers of msvcrt.dll to allow the attacker to use a ROP chain specific to that version of the DLL.

The last bulletin of the month is MS14-006 and is rated as important. It provides an update for Microsoft’s IPV6 TCP/IP stack, where maliciously crafted IPV6 routing discovery packets sent on the same subnet as the vulnerable machine could result in a denial of service (CVE-2014-0254), which causes the machine to become unresponsive while processing these packets and could possibly crash.

The VRT is releasing the following rules SIDs 23178, 24926, 29655, 29667-29668, 29671-29722, 29727-29738 and 29741-29744 to address these issues.