Microsoft Update Tuesday September 2014: another generally light month but with a significant IE bulletin

This month’s Microsoft Update Tuesday is pretty light save for the Internet Explorer bulletin. While there’s only a total of 4 bulletins, they cover a total of 42 CVEs. The IE bulletin, as is usual, has the most updates for bugs and is rated critical. It covers a total of 37 CVEs. The other three bulletins are rated as important and provide updates for the remaining five vulnerabilities.

MS14-052 is the IE bulletin and is rated critical. It covers a total of 37 CVEs. Of these 37 CVEs, 36 are remote code execution vulnerabilities, the other one is an information disclosure vulnerability (CVE-2013-7331). This last vulnerability is publicly known and under active exploitation. This vulnerability allows attackers to use Microsoft’s XMLDOM ActiveX object to gain information on local drive and network settings. The attack can be used to detect if files or folders are present on the machine due to different error messages being returned depending on if the files or folder exist or not. An attacker can similarly figure out internal IP addresses using this vulnerability. The remaining 36 vulnerabilities are mostly the result of use-after-free vulnerabilities.

The three remaining bulletins are all rated as important:

Bulletin MS14-053 deals with a single CVE (CVE-2014-4072) in .NET. The vulnerability results in a Denial of Service. This is due to a hash collision that can be exploited by an attacker, which will result in resource exhaustion.

CVE-2014-4074 is fixed by bulletin MS14-054, it deals with a vulnerability in the Windows Task Scheduler that could allow a logged on user to schedule a task that would run code at the system level.

The final bulletin is MS14-055 and fixes three vulnerabilities in Lync. Two of the vulnerabilities, CVE-2014-4068 and CVE-2014-4071, could result in Denial of Services. An attacker could create a legitimate meeting and then modify the SIP information, which would result in a DoS on the Lync server. The third vulnerability that is covered by this bulletin is CVE-2014-4070 and can result in information disclosure due to a Cross Site Scripting (XSS) vulnerability on the server.

To address these issues, Talos has the following SIDs:  29821-29822, 30110-30113, 31782-31797, 31799-31802, 31811-31812