This October Microsoft has released eight security bulletins covering a variety of Windows technologies, from client-application vulnerabilities that would be useful in drive-by web attacks to privilege escalation vulnerabilities useful as second-stage payloads for elevating from a standard user to Administrator. We recommend patching MS14-056 (Internet Explorer) first, then prioritizing between Office and .NET based on your environment's usage, rounding things out with the privilege escalation fixes and lastly MS14-062 (MSMQ), depending on whether it is installed.

MS14-056 – It seems massive Internet Explorer patches are the new norm on Patch Tuesday, and this one is no different, with 14 different vulnerabilities covering every supported version of Internet Explorer. This is another Patch Tuesday that easily fuels drive-by web attacks for the months ahead. Beyond code execution there is also an ASLR (Address Space Layout Randomization) bypass. ASLR is an OS-level exploit mitigation, and a bypass can be chained with a memory corruption vulnerability to make exploitation reliable where it might not have been possible before. Microsoft's EMET will help mitigate some of these attacks and, more importantly, these client-application vulnerabilities are a reminder of the need for Least Privilege: make sure users are not running as Administrator.

MS14-057 – What would Patch Tuesday be these days without more .NET vulnerabilities? This time around there are both code execution and ASLR bypass vulnerabilities, as we have seen in previous months. It is interesting to note that the code execution vulnerability is in the iriParsing (International Resource Identifier parsing) functionality, which is disabled by default in .NET 4.0 and enabled by default (and cannot be disabled) in .NET 4.5, so on 4.5 the patch is the only fix. More interesting is a privilege escalation vulnerability in Microsoft's ClickOnce technology, which makes deploying applications through a web browser easier while restricting the code to run in Protected Mode. This vulnerability lets an attacker break out of Protected Mode and thereby elevate privileges. Here too it is worth looking at EMET, as it appears to mitigate some of these attacks.

MS14-058 – TrueType font handling is the Patch Tuesday gift that keeps on giving. This bulletin fixes two privately reported vulnerabilities in the kernel-mode driver: one usable for client-side code execution and a second usable locally for privilege escalation. These types of vulnerabilities are always useful as secondary payloads to gain elevated privileges after an initial client-application exploit.

MS14-059 – Multiple versions of ASP.NET MVC (2.0 through 5.1) are vulnerable to a cross-site scripting vulnerability. This is a standard XSS attack in which an attacker injects script into a victim's web browser; Microsoft classifies it as a security feature bypass rather than code execution. Given the popularity of ASP.NET MVC, this makes this particular XSS more interesting than normal.

MS14-060 – We can't help but remember the old days of Windows 3.1 any time we see Windows OLE mentioned, but in this case Microsoft is fixing a modern vulnerability in Windows OLE that can be leveraged for code execution. Specifically, an attacker can embed a specially crafted OLE object in a document that, when opened in various Microsoft Office applications, leads to code execution. One good mitigation is disabling the WebClient service, which removes the WebDAV client path a crafted object uses to reach a remote share. We have mentioned this in numerous previous posts, and it is a great piece of attack surface to reduce in your environment via GPO. This vulnerability is another example of client-application exploitation in the context of the currently logged-on user, so if you are not already implementing Least Privilege to make sure employees are not Admin by default, you should get on it.

MS14-061 – This vulnerability can be used for code execution against Microsoft Office, in particular Microsoft Word, as well as Microsoft Office Web Apps Server and the related SharePoint components. We have seen many previous Patch Tuesdays cover similar vulnerabilities, and there seems to be no shortage of them. This is another vulnerability that executes code with the same rights as the logged-on user, so again: remove those administrator rights!

MS14-062 – Microsoft's Message Queuing Service (MSMQ) is back in the bulletins after a few recent appearances. This time it is a local privilege escalation vulnerability that lets a standard user gain elevated rights through a malicious IOCTL request. This is a great vulnerability to pair with a client-application vulnerability to go from standard user to elevated access. The good news is that the service is not enabled by default, but given that it is frequently used in distributed web applications and cloud services, you will want to review your environment for exposure.

MS14-063 – This is probably one of our favorite vulnerabilities this Patch Tuesday. It is in Windows' handling of FAT32 disk partitions. While it can only be exploited with physical access to a machine, doing so is as simple as plugging a USB drive into the system, whether or not the console is locked. This is in the same vein as what we saw previously with attacks such as Stuxnet that look to cross air-gapped and related networks. In this case, however, only Windows Server 2003, Windows Server 2008 and Windows Vista are affected.
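The advice above (remove admin rights, disable WebClient, find out whether MSMQ is installed, know which hosts MS14-063 touches) can be triaged on a single host before the scanner audits run. The script below is an added example and not code from the original post or from the scanner it describes. It assumes the standard Windows service names WebClient and MSMQ, the USBSTOR and NDP registry keys with the usual .NET 4.5 Release threshold, that EMET's uninstall DisplayName begins with "EMET", and that the KB numbers listed in this post for MS14-056, MS14-058 and MS14-060 are the package KBs Get-HotFix reports. It is read-only and changes nothing.

```powershell
# Added example: read-only, single-host triage of the exposures discussed above.
# Not code from the original post or from the scanner it describes. Run from an
# elevated PowerShell 2.0+ session on Windows 7 / Server 2008 R2 or later.
#
# Assumptions:
#  - Service names WebClient and MSMQ, the USBSTOR and NDP registry keys and the
#    .NET 4.5 Release threshold (378389) are standard Windows values.
#  - EMET is identified by an uninstall DisplayName beginning with "EMET".
#  - The KB numbers are the ones listed for these bulletins in this post and are
#    assumed to also be the package KBs that Get-HotFix reports.

function New-Finding([string]$Check, [bool]$Exposed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Exposed = $Exposed; Detail = $Detail }
}

function Get-OctoberPatchExposure {
    $findings = @()

    # Least Privilege: MS14-056, -060 and -061 all run code as the logged-on user,
    # so an admin session turns a client-side bug straight into admin-level compromise.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    $findings += New-Finding 'Session runs with Administrator rights' $isAdmin $id.Name

    # MS14-060 mitigation from the post: the WebClient (WebDAV redirector) service should be disabled.
    $wc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    $wcMode = if ($wc) { $wc.StartMode } else { 'not installed' }
    $findings += New-Finding 'WebClient service not disabled' ($wc -ne $null -and $wc.StartMode -ne 'Disabled') "StartMode=$wcMode"

    # MS14-062 only applies where Message Queuing is installed (service name MSMQ).
    $mq = Get-WmiObject Win32_Service -Filter "Name='MSMQ'"
    $mqState = if ($mq) { $mq.State } else { 'not installed' }
    $findings += New-Finding 'Message Queuing (MSMQ) installed' ($mq -ne $null) "State=$mqState"

    # MS14-063 affects Server 2003 (5.2) and Vista / Server 2008 (6.0) only and needs a
    # physical USB device; USBSTOR Start=4 disables the USB mass-storage driver.
    $os = Get-WmiObject Win32_OperatingSystem
    $fatAffected = $os.Version -match '^(5\.2|6\.0)\.'
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $usbBlocked = ($usb -ne $null -and $usb.Start -eq 4)
    $findings += New-Finding 'MS14-063: affected OS with USB storage enabled' ($fatAffected -and -not $usbBlocked) "Version=$($os.Version) USBSTOR.Start=$($usb.Start)"

    # MS14-057: on .NET 4.5+ iriParsing cannot be turned off, so the patch is the only fix.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $has45 = ($ndp -ne $null -and $ndp.Release -ge 378389)
    $findings += New-Finding '.NET 4.5+ present (iriParsing cannot be disabled)' $has45 "Release=$($ndp.Release)"

    # EMET, recommended above as a mitigation for MS14-056 and MS14-057.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $emet = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like 'EMET*' }
    $emetName = if ($emet) { ($emet | ForEach-Object { $_.DisplayName }) -join ', ' } else { 'none' }
    $findings += New-Finding 'EMET not installed' ($emet -eq $null) $emetName

    # Patch presence for the bulletins that apply to every supported Windows build.
    $kbs = @{ 'MS14-056 (IE)' = 'KB2987107'; 'MS14-058 (kernel-mode driver)' = 'KB3000061'; 'MS14-060 (OLE)' = 'KB3000869' }
    foreach ($entry in $kbs.GetEnumerator()) {
        $hf = Get-HotFix -Id $entry.Value -ErrorAction SilentlyContinue
        $findings += New-Finding "$($entry.Key) update missing" ($hf -eq $null) $entry.Value
    }

    $findings
}

Get-OctoberPatchExposure | Select-Object Check, Exposed, Detail | Format-Table -AutoSize
```

Any row with Exposed set to True is a host to prioritize. The MS14-063 row stays False on anything newer than Vista or Server 2008 even with USB storage enabled, because those builds are not affected; the WebClient and MSMQ rows are what to feed back into your GPO baseline.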
The following audits are available as of release 2825 to assist with identifying these threats:

[MS14-056] - Cumulative Security Update for Internet Explorer (2987107)
35409 - Microsoft Cumulative Security Update for Internet Explorer (2987107)
35413 - Microsoft Cumulative Security Update for Internet Explorer (2987107) - IE8/2003
35420 - Microsoft Cumulative Security Update for Internet Explorer (2987107) - IE8 Other

[MS14-057] - Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)
35405 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972106
35406 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979575
35407 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972107
35408 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979578
35411 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2968292
35414 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972098
35416 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979568
35417 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2968294
35418 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972100
35419 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979570
35421 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2968295
35422 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972101
35423 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2978042
35424 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979571
35425 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979577
35427 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2968296
35428 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972103
35438 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2978041
35440 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979573
35441 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979576
35444 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2972105
35448 - Microsoft .NET Multiple Vulnerabilities (3000414) - KB2979574

[MS14-058] - Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
35415 - Microsoft Kernel-Mode Driver Remote Code Execution (3000061)

[MS14-059] - Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
35434 - Microsoft ASP.NET MVC Security Feature Bypass (2990942) - MVC 2.0
35435 - Microsoft ASP.NET MVC Security Feature Bypass (2990942) - MVC 3.0
35436 - Microsoft ASP.NET MVC Security Feature Bypass (2990942) - MVC 4.0
35437 - Microsoft ASP.NET MVC Security Feature Bypass (2990942) - MVC 5.0
35439 - Microsoft ASP.NET MVC Security Feature Bypass (2990942) - MVC 5.1

[MS14-060] - Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)
35429 - Microsoft Windows OLE Remote Code Execution (3000869)

[MS14-061] - Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
35426 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB2883013
35430 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB2883031
35431 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB2883032
35432 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB3004865
35433 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB2883008
35442 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB2883098
35443 - Microsoft Word and Office Web Apps Remote Code (3000434) - KB2889827

[MS14-062] - Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)
35410 - Microsoft Message Queuing Service Elevation of Privilege (2993254)

[MS14-063] - Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)
35412 - Microsoft FAT32 Disk Partition Driver Elevation of Privilege (2998579)