It’s time for another Microsoft Update Tuesday, the first one which will not feature any XP updates (except of course for the out-of-band patch (MS14-021) which was released to deal with the IE 0-day which is officially part of this release, but which we won't be discussing here, more on that can be found here and here). It’s a pretty straightforward month this time around, with eight bulletins covering 13 CVEs.
The numbering is a little off this month, usually the critical bulletins came first, but it seems that Microsoft hasn't done that this time around. We’ll list the critical bulletins first, followed by the important ones.
There’s two critical bulletins and six important bulletins this month:
The first critical bulletin is MS14-022 and covers three CVEs in Sharepoint. Two of them can result in remote code execution, but they require the user to be authenticated. That user may then be able to provide a specially crafted page that can result in RCE due to improper sanitization. The other vulnerability in Sharepoint (CVE-2014-1754) can result in escalation of privilege due to a reflected XSS vulnerability using the ThemeOverride parameter.
MS14-029 is the requisite IE bulletin and is also marked as critical. It covers two CVEs. One of the CVEs, CVE-2014-1815, is under limited active attack according to Microsoft. However, the vulnerability information was publicly known before the patch was released. Both issues are once again the result of use-after-free vulnerabilities.
The next bulletin, MS14-023, is marked as important and covers two CVEs that occur in Office 2007, 2010 and 2013. The first one (CVE-2014-1756) can result in remote code execution by allowing the attacker to load an arbitrary DLL that is in the same directory as a malicious docx file, while the second one (CVE-2014-1808) is a vulnerability that could allow an attacker to reuse a user's token.
Bulletin MS14-024 provides a fix for an ASLR bypass in MSCOMCTL that has been used by attackers.
MS14-025 is an update to group policy preferences behavior. The update is meant to prevent attackers from reading stored passwords in group policy preference XML files. The passwords are encrypted with a 32-byte (256-bit) key, but Microsoft has made this key publicly available. These files might contain passwords for local or domain administrator accounts (dependingon the policy being applied). The change will not occur for group policies that have already been deployed, so administrators will have to update those manually.
The next important bulletin is for .NET and is numbered MS14-026. The single CVE (CVE-2014-1806) covered by this bulletin, could allow an attacker to gain privileges in the .NET context if .NET remoting is used.
MS14-027 also deals with a single CVE (CVE-2014-1807) and fixes a vulnerability in file association in the Windows Shell. This update fixes a technique used by malware to gain increased privileges on a system.
The final bulletin for this month is MS14-028 and handles two issues in Windows Storage Server that have iSCSI Target enabled. An attacker could cause a Denial Of Service attack on the service. One important thing to note about this update is that it will not be made available for Windows 2008. While Windows 2008 is affected by the problem, Microsoft has determined that it would require too much rearchitecting of the platform to provide an effective fix. However, Windows 2008 R2 will receive the fix.
As is usual, the VRT is making the following rules available to address these issues: SID 30951, 30956-30957, 30961-30964. We also have prior coverage for MS14-021 in rules SID 30794 & 30803.