June 2014 Patch Tuesday

June 10, 2014

This June we are greeted with 7 different Microsoft Security bulletins for Patch Tuesday.

MS14-030 covers a vulnerability within Remote Desktop that could allow for tampering with RDP session data. The sky is not falling here though, as in order for an attacker to perform this tampering they need to already be on the same network segment as their target. If you are running Windows 2003, 2008, 2008 R2, Vista or RT you can safely ignore this vulnerability. It should also be noted that Microsoft reminds people to enable Network Level Authentication (NLA), which can help mitigate this attack. This is a great example of a good Microsoft GPO setting that you should already have in place in your organization. You can read more on how to enable this GPO option here.

MS14-031 is a vulnerability in Windows' handling of the TCP protocol which can allow for a Denial of Service at the operating system level. The good news here though is that Microsoft suggests that exploit code is unlikely. This could be because of the number of hoops and nuances that are required to properly craft the correct sequence of packets to bring a system down. Here also it seems Windows Server 2003 dodges a bullet, as it is not affected by this vulnerability.

MS14-032 continues a trend of vulnerabilities related to Microsoft's Lync Server. The vulnerability itself is actually an information disclosure bug whereby a user has to be tricked into joining a Lync meeting by clicking on a specially crafted URL. This could allow scripts to execute in a user's browser to gather extra information, possibly used in combination with future attacks. Overall though this vulnerability is not critical, and especially not for those not even running Lync Server!

MS14-033 fixes new vulnerabilities in Microsoft XML Core Services. MSXML has had a variety of vulnerabilities over the years and the trend continues here. Not to worry though, this is not a critical vulnerability and, while something you want to patch, it is certainly not top priority.

MS14-034 on the other hand is a critical vulnerability for Microsoft Word that you likely will see active exploits for. The good news though is that the latest major release versions of Word, such as the one included with Office 2013, are not affected. This is a great reminder that sometimes when budgeting and thinking about security it is not simply about buying some new protection appliance but making sure your organization has migrated from things like Office 2007 to Office 2013, etc. One important point to note is that this vulnerability allows for code execution with the privileges of the user that opened the document. This is yet another great reminder to implement least privilege to make sure your users are not running as Administrator.

MS14-035 is the bulletin you have been looking for. In short: Internet Explorer was broken every which way today. There are a significant number of Internet Explorer code execution and related vulnerabilities patched by this bulletin. Essentially, if you are running Internet Explorer 6 through 11, you are vulnerable. This bulletin also resolves two previously publicly disclosed vulnerabilities. One of those previously disclosed vulnerabilities would help attackers potentially intercept and decrypt portions of encrypted TLS traffic. There are also other vulnerabilities useful to attackers that allow for elevation of privilege. By default Internet Explorer runs code in low-integrity mode, which means that when it is exploited an attacker can do less with a system. There are 3 different vulnerabilities fixed here though that allow an attacker to go from low integrity to medium integrity, or basically to run code as the user of Internet Explorer. This is another great reminder of the need to implement least privilege, so that even when an attacker breaks out of Internet Explorer's low-privilege modes they still do not obtain Administrator without a fight. More than just fixing bugs though, Microsoft has also included updates to Internet Explorer's XSS Filter to help prevent more cross-site scripting style attacks. This is certainly the most critical vulnerability to patch immediately.

MS14-036 brings back even more fun with GDI+. GDI+ is a graphics device interface for Windows and a recurring pain point from a vulnerability perspective. Part of the challenge is that GDI+ vulnerabilities tend to affect multiple Microsoft products, including in this case base operating systems and Microsoft Office. Good news again here for those running Office 2013; it is not affected. But the bad news is, as mentioned, this also affects base OS components, which in this case means every supported OS version from Microsoft. And not to pile on further bad news, but Microsoft also suggests exploit code is likely. Given what we have seen from GDI+ in the past, we suggest also getting this patched immediately. One of the two vulnerabilities fixed in this bulletin is likely to be exploited via the WebDAV protocol, which by default on Windows is supported via the WebClient service. As we have recommended many times in the past, this service should be disabled by default within GPO.
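The three hardening points the post recommends (NLA on RDP for MS14-030, the WebClient service disabled for MS14-036, and users not running as Administrator for MS14-034 and MS14-035) can be audited on an endpoint with the read-only PowerShell script below. This is an added example, not BeyondTrust's code; the registry locations and the well-known Administrators SID are the standard Windows ones, and the function names are my own.

```powershell
# Added example: read-only audit of the post's three GPO/least-privilege points.

function Test-RdpNlaRequired {
    # Live setting lives under the RDP-Tcp WinStation; the GPO "Require user
    # authentication for remote connections by using Network Level Authentication"
    # writes its copy under HKLM\SOFTWARE\Policies. 1 = NLA required.
    $liveKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $live   = (Get-ItemProperty $liveKey   -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $policy = (Get-ItemProperty $policyKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        Check  = 'RDP requires NLA (MS14-030 mitigation)'
        Pass   = ($live -eq 1)
        Detail = "live=$live policy=$policy"   # policy=1 means GPO enforces it
    }
}

function Test-WebClientDisabled {
    # MS14-036: one GDI+ bug is reachable over WebDAV, served by WebClient.
    # Both a Disabled start type and a non-running state are required to pass.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Check  = 'WebClient service disabled (MS14-036)'
        Pass   = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
        Detail = if ($svc) { "StartMode=$($svc.StartMode) State=$($svc.State)" } else { 'not installed' }
    }
}

function Test-NotLocalAdmin {
    # MS14-034/MS14-035 run attacker code as the logged-on user. Check token
    # group SIDs rather than IsInRole(): under UAC an unelevated admin's filtered
    # token still carries the Administrators SID (S-1-5-32-544) as deny-only,
    # so this still reports the user as an admin.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = $id.Groups.Value -contains 'S-1-5-32-544'
    [pscustomobject]@{
        Check  = 'Interactive user is not a local Administrator'
        Pass   = -not $isAdmin
        Detail = $id.Name
    }
}

@(Test-RdpNlaRequired; Test-WebClientDisabled; Test-NotLocalAdmin) |
    Format-Table Check, Pass, Detail -AutoSize
```

Run it in an ordinary (non-elevated) session on a workstation; any row with Pass = False is a setting the post says should already be enforced by GPO.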

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
