This post was authored by Yves Younan
Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins. Three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft and four which are either publicly known or under active attack, making them 0-day vulnerabilities. Of those four, two are being actively attacked, while two have been publicly disclosed but do not seem to be under attack for supported software. Of the 24 CVEs, 15 are categorized as allowing remote code execution, four as elevation of privilege and three as security feature bypasses.
The first bulletin is MS14-056 and is the IE bulletin. There’s a total of 14 CVEs and it is rated critical. One is an ASLR bypass (CVE-2014-4140), while the others can result in remote code execution. As is usual, most of the bugs are use-after-free vulnerabilities. One of the vulnerabilities is under limited attack.
MS14-057 is also rated critical and fixes 3 CVEs in .NET that could result in remote code execution. The most vulnerability addressed by this update (CVE-2014-4121) can occur due to errors in parsing Internationalized Resource Identifiers which can result in heap corruption, which can lead to remote code execution.
The final critical bulletin is MS14-058 which addresses 2 issues in Windows Kernel Mode Drivers that could result in remote code execution. The first bug (CVE-2014-4113) results in an escalation of privileges for the attacker. However, the second vulnerability (CVE-2014-4148), is related to the parsing of TrueType fonts and could result in remote code execution, if the fonts are displayed on a webpage. This bug is currently under active attack.
The remaining five bulletins are rated as important and all address a single vulnerability each:
Bulletin MS14-059 fixes a vulnerability in ASP.NET MVC (CVE-2014-4075) that could allow a security feature bypass which could result in a Cross Site Scripting (XSS) attack due to improper output encoding. While the vulnerability was publicly disclosed, it is not under active attack.
CVE-2014-4114 is fixed by bulletin MS14-060, it deals with a vulnerability in Windows OLE. The vulnerability is under active attack and can be triggered by an attacker if an Office document is opened in edit mode. It does not work if the document is opened in protected mode, which is the default for Office files from untrusted locations.
In MS14-061 a fix is provided for a use-after-free vulnerability in Microsoft Word (CVE-2014-4117) that could result in remote code execution when a malicious XML file is included in a document.
The next bulletin, MS14-062, provides a fix for CVE-2014-4971 for Windows 2003. The bug was publicly disclosed as an elevation of privilege vulnerability for Windows XP, which is no longer supported by Microsoft, but it also impacts Windows 2003. The vulnerability is due to a lack of validation in the Windows Message Queueing service, allowing a user to specify an arbitrary memory address for the driver to overwrite with an attacker controlled value. An exploits for Windows XP is available here.
The final bulletin for this month (MS14-063) fixes a vulnerability (CVE-2014-4115) in the FAT32 driver. It was discovered by our own Marcin Noga, who is part of the vulnerability research effort at Talos. The vulnerability occurs by setting a specific value in a FAT32 boot sector which can result in pool corruption. This can allow an attacker to gain escalated privileges.
Talos is releasing the following SIDs to address these issues: 32137-32169.