May's Patch Tuesday contains eight bulletins addressing 13 issues, fixing Internet Explorer, SharePoint Server, Office, Group Policy Preferences, Windows, the .NET Framework, and iSCSI.
MS14-022 fixes three vulnerabilities in Microsoft SharePoint Server, the worst of which could be used to execute arbitrary code on a targeted SharePoint server. The attacker would need to be authenticated and have the ability to send maliciously crafted page content to the server. These vulnerabilities have not been publicly disclosed, nor have they been used in the wild. No non-patch mitigations exist, so it is strongly advised to deploy this patch as soon as possible.
MS14-023 addresses two vulnerabilities in Microsoft Office. One of the vulnerabilities, CVE-2014-1756, is a classic DLL preloading vulnerability, which means that an attacker can plant a malicious DLL into the same directory as a legitimate document. When the user opens the document, the malicious DLL will be executed, causing arbitrary code to be executed in the context of Office. This can be mitigated by blocking ports 139 and 445 at the perimeter firewall, preventing the WebClient service from running, and preventing DLLs from being loaded from WebDAV and remote shares. The other vulnerability addressed in this bulletin can allow an attacker to impersonate a user authenticated against a Microsoft online service. Deploy this patch immediately to protect against attacks targeting these vulnerabilities; the DLL preloading vulnerability is very easy to exploit with publicly available, reliable, easy-to-use tools.
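The two host-side mitigations listed above (stopping the WebClient service and refusing DLL loads from WebDAV and remote shares) can be audited and applied from PowerShell. The script below is an added example, not code from this post or from Microsoft; it assumes an elevated session on a host that has the KB 2264107 update, which introduced the CWDIllegalInDllSearch registry value, and the -Apply switch is this script's own parameter (without it the script only reports). The perimeter block on TCP 139 and 445 is a network-firewall change and is not covered here.

```powershell
# Added example (not from the original post): audit and optionally apply the
# host-side mitigations for CVE-2014-1756 (DLL preloading via WebDAV/remote shares).
# Assumes an elevated PowerShell session and the KB 2264107 update.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName  = 'CWDIllegalInDllSearch'
# 2          = block DLL loads from the current working directory when that
#              directory is a WebDAV folder or a remote share (the mitigation
#              the bulletin describes).
# 0xFFFFFFFF = block every load from the current working directory; the
#              registry provider reads this DWORD back as -1, so it is also accepted.
$wanted   = 2
$findings = @()

function Get-CwdDllSearchValue {
    $prop = Get-ItemProperty -Path $sessionKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$valueName
}

# --- 1. DLL search path hardening ------------------------------------------
$current = Get-CwdDllSearchValue
if ($current -eq $wanted -or $current -eq -1) {
    Write-Host "[OK]   $valueName = $current"
} else {
    $state = if ($null -eq $current) { 'not set' } else { "$current" }
    $findings += "$valueName is $state (expected $wanted)"
    if ($Apply) {
        # -Force overwrites an existing value of any type
        New-ItemProperty -Path $sessionKey -Name $valueName -Value $wanted `
            -PropertyType DWord -Force | Out-Null
        Write-Host "[FIX]  $valueName set to $wanted"
    }
}

# --- 2. WebClient (WebDAV redirector) service ------------------------------
# Win32_Service is used instead of Get-Service because it exposes StartMode on
# every Windows version of the period.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if ($null -eq $svc) {
    Write-Host "[OK]   WebClient service is not installed"
} elseif ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled') {
    Write-Host "[OK]   WebClient is stopped and disabled"
} else {
    $findings += "WebClient is $($svc.State) with start mode $($svc.StartMode)"
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Host "[FIX]  WebClient stopped and disabled"
    }
}

# --- Summary ---------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'Host-side DLL preloading mitigations are in place.'
} else {
    Write-Warning "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it once without -Apply to see what a host reports, then with -Apply on a test machine first: disabling WebClient breaks WebDAV-mapped drives, and CWDIllegalInDllSearch=2 can break legitimately installed applications that load plug-in DLLs from a share.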
MS14-024 fixes an ASLR (address space layout randomization) bypass in MSCOMCTL, a shared common controls library used by Microsoft Office. While the vulnerability has not been publicly disclosed, it has been observed in targeted attacks in the wild. The vulnerability itself is not enough to gain remote code execution on a system, but when coupled with another remote code execution vulnerability, this ASLR bypass makes it far easier to achieve reliable code execution on affected systems. Administrators are advised to patch this vulnerability immediately to protect against active attacks.
MS14-025 fixes a publicly disclosed vulnerability in Group Policy Preferences. This vulnerability has been exploited in the wild. The vulnerability itself exists in the way that Active Directory distributes passwords that were configured using Group Policy Preferences. Using this vulnerability, an attacker would be able to decrypt the passwords that are distributed and use them to authenticate against systems on the network, thereby elevating their privileges on the domain. Deploy this patch immediately to protect against active attacks.
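The passwords in question are stored as a cpassword attribute inside Group Policy Preference XML files in SYSVOL, which every domain user can read. One caveat a practitioner should know: the MS14-025 update stops new passwords from being configured through the Group Policy Management Console, but it does not remove entries that are already in SYSVOL; those have to be found, removed from the preference item, and the affected accounts' passwords changed. The script below is an added example, not code from this post, that enumerates such entries without decrypting anything. It assumes it is run as a domain user that can read SYSVOL; -PoliciesPath is this script's own parameter and defaults to the current domain.

```powershell
# Added example (not from the original post): list Group Policy Preference
# items in SYSVOL that still carry a stored password (cpassword attribute).
# Nothing here decrypts; it only reports where the entries are.
[CmdletBinding()]
param(
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Preference item types that can carry a stored password.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'
# Attribute names the different item types use for the account name.
$accountAttrs = 'userName', 'username', 'accountName', 'runAs'

function Find-GppStoredPassword {
    param([string]$Root)
    $files = Get-ChildItem -Path $Root -Recurse -Include $gppFiles -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $doc = New-Object System.Xml.XmlDocument
        try   { $doc.Load($file.FullName) }
        catch { Write-Warning "Could not parse $($file.FullName)"; continue }

        # Any element with a non-empty cpassword attribute, whatever the schema.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            if ([string]::IsNullOrEmpty($node.GetAttribute('cpassword'))) { continue }
            $account = ($accountAttrs | ForEach-Object { $node.GetAttribute($_) } |
                        Where-Object { $_ }) -join ','
            # The GPO GUID is the {…} directory name under Policies.
            $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '?' }
            New-Object PSObject -Property @{
                GpoGuid  = $gpo
                Item     = $node.ParentNode.LocalName   # e.g. User, NTService, Task
                Account  = $account
                File     = $file.FullName
                Modified = $file.LastWriteTime
            }
        }
    }
}

$hits = @(Find-GppStoredPassword -Root $PoliciesPath)
if ($hits.Count -eq 0) {
    Write-Host "No cpassword attributes found under $PoliciesPath"
} else {
    Write-Warning "$($hits.Count) preference item(s) still store a password:"
    $hits | Sort-Object GpoGuid, File |
        Format-Table GpoGuid, Item, Account, File -AutoSize
}
```

Each hit identifies the GPO, the item type and the account, which is what is needed to remove the preference item and rotate that account's password. Because the same files are world-readable, treating every listed password as already compromised is the safe assumption.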
MS14-026 addresses a vulnerability in the .NET Framework, which occurs when handling TypeFilterLevel checks on specially crafted objects. Attackers could exploit this in order to elevate their privileges and escape from any existing .NET trust restrictions. While no direct mitigation exists for this vulnerability, administrators can lessen the ease of exploitation by restricting access to the affected application to only authenticated users, by enabling security when registering a channel. Administrators are advised, however, to deploy this patch when possible.
MS14-027 fixes a privilege elevation vulnerability in Windows, which could allow attackers to elevate their privileges to the Local System account. The vulnerability lies within the way the ShellExecute Windows API handles file associations. While the vulnerability has not been publicly disclosed, it has been observed in targeted attacks in the wild. No non-patch mitigations exist. Administrators are encouraged to deploy this patch as soon as possible.
MS14-028 addresses two denial-of-service vulnerabilities that occur when handling iSCSI packets and connections. The vulnerabilities only exist when the server has the iSCSI target role enabled. Attackers that successfully exploit either of these vulnerabilities would be able to stop an affected server from responding by sending a large number of specially crafted packets to the affected server. Block TCP port 3260 at the perimeter firewall and whitelist access to servers with the iSCSI role enabled to only specifically permitted clients. Deploy this patch when possible.
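A host-level counterpart to the perimeter whitelist described above is to scope the Windows Firewall rules on the iSCSI Target Server itself so that only permitted initiators can reach TCP 3260. The script below is an added example, not code from this post or from Microsoft. It assumes Windows Server 2012 or later (where the NetSecurity cmdlets exist), an elevated session, and that the firewall's inbound default is Block, so a scoped Allow rule is the only way in; -AllowedInitiators and -Apply are this script's own parameters, and the addresses in the default list are constructed placeholders.

```powershell
# Added example (not from the original post): restrict inbound TCP 3260 on an
# iSCSI Target Server host to an explicit list of initiator addresses.
[CmdletBinding()]
param(
    [string[]]$AllowedInitiators = @('10.0.1.10', '10.0.1.11'),   # placeholders
    [switch]$Apply                                                # report only unless given
)

$port     = 3260
$ruleName = 'iSCSI Target - permitted initiators only'

# If the role is not installed nothing listens on 3260 and no rule is needed.
$role = Get-WindowsFeature -Name FS-iSCSITarget-Server -ErrorAction SilentlyContinue
if ($role -and -not $role.Installed) {
    Write-Host 'iSCSI Target Server role is not installed; nothing to do.'
    return
}

# 1. Enabled inbound Allow rules on TCP 3260 other than ours. The role's
#    built-in rules allow any remote address, which is the exposure.
$broad = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $ruleName }

foreach ($rule in $broad) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Warning "Rule '$($rule.DisplayName)' allows TCP $port from: $($scope -join ', ')"
    if ($Apply) {
        Disable-NetFirewallRule -Name $rule.Name
        Write-Host "[FIX]  disabled '$($rule.DisplayName)'"
    }
}

# 2. Our scoped Allow rule.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "[OK]   '$ruleName' exists"
    if ($Apply) {
        # Keep the rule's address list in sync with the parameter.
        $existing | Set-NetFirewallRule -RemoteAddress $AllowedInitiators
    }
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $AllowedInitiators -Action Allow -Profile Any | Out-Null
    Write-Host "[FIX]  created '$ruleName' for $($AllowedInitiators -join ', ')"
} else {
    Write-Warning "'$ruleName' is missing; rerun with -Apply to create it"
}
```

The order matters: the broad built-in rules are disabled rather than overridden, because in Windows Firewall a Block rule would win over a matching Allow rule, so "block all, then allow some" does not work; with the inbound default already Block, removing the broad Allow and adding a scoped one is the correct shape.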
MS14-029 addresses two vulnerabilities that could be used to remotely execute code on a user's system. These vulnerabilities both affect Internet Explorer 6 through 11. While neither of these vulnerabilities was publicly disclosed, reports of targeted attacks have surfaced regarding CVE-2014-1815. Both of these vulnerabilities can be mitigated by blocking ActiveX controls and blocking or disabling Active Scripting in both the Internet and Local intranet zones. Deploy this patch immediately to protect against active attacks.
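The zone mitigation above corresponds to two per-zone URL action values in the Internet Explorer security settings: 1200 (Run ActiveX controls and plug-ins) and 1400 (Active scripting), each of which takes 0 for Enable, 1 for Prompt and 3 for Disable, under zone 1 (Local intranet) and zone 3 (Internet). The script below is an added example, not code from this post or from Microsoft; it reports or sets those values for the current user, and -Mode is this script's own parameter. It assumes per-user zone settings are in effect; where the Security_HKLM_only policy is enabled, the equivalent HKLM keys apply instead.

```powershell
# Added example (not from the original post): report or apply the MS14-029
# zone mitigation (ActiveX and Active Scripting in the Internet and Local
# intranet zones) for the current user.
[CmdletBinding()]
param(
    [ValidateSet('Report', 'Disable', 'Prompt')]
    [string]$Mode = 'Report'   # Report changes nothing
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# URL action identifiers: 1200 = Run ActiveX controls and plug-ins,
#                         1400 = Active scripting
$actions  = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active scripting' }
# Policy values: 0 = Enable, 1 = Prompt, 3 = Disable
$targetValue = @{ Disable = 3; Prompt = 1 }

function Get-ZoneAction {
    param([int]$Zone, [string]$Action)
    $p = Get-ItemProperty -Path "$zoneRoot\$Zone" -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }   # not set: IE applies the zone's default
    return [int]$p.$Action
}

foreach ($zone in $zones.Keys) {
    foreach ($action in $actions.Keys) {
        $current = Get-ZoneAction -Zone $zone -Action $action
        $label   = '{0,-15} {1,-22}' -f $zones[$zone], $actions[$action]
        $shown   = if ($null -eq $current) { 'not set (zone default)' } else { "$current" }

        if ($Mode -eq 'Report') {
            Write-Host "$label current = $shown"
            continue
        }

        $wanted = $targetValue[$Mode]
        if ($current -eq $wanted) {
            Write-Host "$label [OK]  already $wanted ($Mode)"
            continue
        }
        Set-ItemProperty -Path "$zoneRoot\$zone" -Name $action -Value $wanted -Type DWord
        Write-Host "$label [SET] $shown -> $wanted ($Mode)"
    }
}
```

Run with -Mode Report first and keep the output, since it is the record needed to restore the previous values once the patch is deployed; setting 1400 to 3 in the Internet zone disables scripting on most sites, so Prompt is the usual compromise where Disable is unworkable.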
Be sure to patch Office (MS14-023), MSCOMCTL (MS14-024), Group Policy Preferences (MS14-025), and Internet Explorer (MS14-029), followed by SharePoint Server (MS14-022) and Windows (MS14-027), followed lastly by the .NET Framework (MS14-026) and iSCSI (MS14-028). Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, May 14 at 1pm PT, where we cover these patches, as well as other security news.
>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!
Internet Explorer has been getting attacked a lot in recent weeks, being the entry point in targeted attacks. It caused Microsoft to issue an out-of-band patch for IE, even for XP, which they said would receive no more patches. Has this caused your organization to reconsider moving to another default browser for security reasons?
Most insightful and/or awesome answer wins!
>> VEF News Articles
After Heartbleed, Tech Giants Fund Open Source Security
Canada Revenue Agency Hit by Heartbleed
Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA
Coupling Functions Enable Secure Communications
How We Got Read Access on Google's Production Servers
Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.