This month’s Microsoft Update Tuesday is relatively light
compared to the major update of last month. We’re getting a total of six
bulletins this month, two marked critical, three as important and finally one
moderate. These six bulletins cover a total of 29 CVEs, most of which are, as is
usual, in Internet Explorer.
Let’s start off with the Internet Explorer bulletin, MS14-037. It covers a
total of 24 CVEs, 23 of which are memory corruption vulnerabilities that could
result in remote code execution, and most of those memory corruptions are the
result of use-after-free vulnerabilities. What’s interesting this month is that
Microsoft has implemented a number of enhancements to IE that make particular
use-after-free vulnerabilities non-exploitable. The one vulnerability
(CVE-2014-2783) that doesn’t involve remote code execution concerns the
handling of extended validation (EV) SSL certificates. EV-SSL certificates
cannot contain wildcards; however, most major browsers did support wildcards
when tested. This update corrects that issue for Internet Explorer.
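
The EV wildcard rule described above, as an added illustration (not code from Microsoft or the VRT), written as a name check over already-parsed certificate fields. The dict layout, function names and sample certificates are constructed for this example; `2.23.140.1.1` is the CA/Browser Forum EV policy OID, and reporting a distinct violation verdict is this sketch's choice, not a description of how IE behaves.

```python
EV_POLICY_OID = "2.23.140.1.1"    # CA/Browser Forum EV policy identifier
DV_POLICY_OID = "2.23.140.1.2.1"  # CA/Browser Forum domain-validated policy

def _labels(name):
    return name.lower().rstrip(".").split(".")

def wildcard_match(pattern, host):
    """Match only when '*' is the whole left-most label and covers one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or len(p) < 3:   # refuse '*.com'-style patterns
        return False
    return p[0] == "*" and "*" not in "".join(p[1:]) and p[1:] == h[1:]

def classify(cert, host):
    """Return 'ev-wildcard-violation', 'match-ev', 'match' or 'no-match'."""
    names = cert["dns_names"]
    is_ev = EV_POLICY_OID in cert["policy_oids"]
    wildcards = [n for n in names if "*" in n]
    # The rule from the text: an EV certificate cannot contain wildcards,
    # so any wildcard name on an EV certificate is flagged before matching.
    if is_ev and wildcards:
        return "ev-wildcard-violation"
    exact = any(_labels(n) == _labels(host) for n in names)
    wild = any(wildcard_match(n, host) for n in wildcards)
    if exact or wild:
        return "match-ev" if is_ev else "match"
    return "no-match"

# Constructed sample certificates (fields as a parser would extract them).
EV_OK = {"dns_names": ["www.example.com"], "policy_oids": [EV_POLICY_OID]}
EV_WILD = {"dns_names": ["*.example.com"], "policy_oids": [EV_POLICY_OID]}
DV_WILD = {"dns_names": ["*.example.com"], "policy_oids": [DV_POLICY_OID]}

if __name__ == "__main__":
    for cert, host in [(EV_OK, "www.example.com"),
                       (EV_WILD, "shop.example.com"),
                       (DV_WILD, "shop.example.com"),
                       (DV_WILD, "a.b.example.com")]:
        print(host, cert["dns_names"], "->", classify(cert, host))
```
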
The next critical update (MS14-038) is for Windows Journal, a
note-taking application that comes installed by default on non-Server editions
of Windows. The update covers a single vulnerability, CVE-2014-1824, where an
attacker can achieve remote code execution by getting a user to open a
maliciously crafted Windows Journal file.
The next three important updates are all fixes for escalation
of privilege vulnerabilities and were disclosed during Pwn2Own. With these fixes,
Microsoft is closing out all the vulnerabilities related to Windows (both kernel
and usermode) that were disclosed during the competition. MS14-039 is an update
that fixes a vulnerability in the on-screen keyboard (CVE-2014-2781), where an
attacker could call the on-screen keyboard from a low integrity application and
cause the keyboard to execute a higher-privileged program. The next one,
MS14-040, corrects a vulnerability in the Ancillary Function Driver
(afd.sys) that, when exploited, can provide an application with increased
privileges. Finally, MS14-041 provides an update for a vulnerability in DirectShow
(CVE-2014-2780) that can be used by an attacker to escape the restrictions
imposed on a low integrity application.
The final update (MS14-042) for this month is marked as
moderate and is a fix for a Denial of Service in the Service Bus (CVE-2014-2814).
The vulnerability can be exploited by a remotely authenticated user who sends
crafted messages to the Service Bus that result in a system crash.
The VRT is releasing the following rules to address these issues: SID 31380-31387.