February 2014 Patch Tuesday

BeyondTrust Research Team, February 11th, 2014

February’s Patch Tuesday comes to us with patches for XML Core Services, IPv6, Direct2D, Forefront, .NET, Internet Explorer, and VBScript. There are a total of seven bulletins (4 critical, 3 important) addressing 31 unique vulnerabilities.

Most notable this month is the patch for Internet Explorer, MS14-010, which fixes 24 vulnerabilities: over two thirds of this month’s patched vulnerabilities. Every supported version of Internet Explorer is affected (versions 6 through 11). Multiple types of bugs are fixed in this patch, including memory corruption vulnerabilities (one of which was publicly disclosed), an elevation of privilege vulnerability that permits escalation from low integrity to user privileges, and a cross-domain information disclosure vulnerability. Also noteworthy is CVE-2014-0271, a VBScript memory corruption vulnerability, which is only fixed in Internet Explorer 9 with this bulletin. For all other affected versions of Internet Explorer, CVE-2014-0271 can be addressed by installing MS14-011. It is important to roll both MS14-010 and MS14-011 out as soon as possible.

Going back to the beginning of the bulletin list, we have MS14-005, a patch for Microsoft XML Core Services. This vulnerability, CVE-2014-0266, has been publicly disclosed and used in targeted attacks, seen in November 2013 during the IE zero-day watering hole attacks, as reported by FireEye. The vulnerability lies only within XML Core Services version 3.0, leaving versions 4.0, 5.0, and 6.0 unaffected. This bulletin affects every supported version of Windows because XML Core Services 3.0 is shipped with every version of Windows. Since this vulnerability has been exploited in targeted attacks, it is important to roll the patch out as soon as possible.

The next critical bulletin is MS14-007, which fixes a vulnerability in Direct2D, a graphics component in Windows. This patch applies to Windows 7, 8, 8.1, RT, RT 8.1, Server 2008 R2, Server 2012, and Server 2012 R2. Exploitation can be achieved by delivering malicious 2D geometric figures through Internet Explorer, so attackers will be very interested in this one: it affects the latest versions of Windows and can be exploited via drive-by mechanisms. Deploy this patch as soon as possible.

MS14-008 addresses a critical vulnerability in Microsoft Forefront Protection for Exchange. This vulnerability could allow an attacker to execute arbitrary code on the Exchange server when a malicious email is scanned by Forefront. Code would be executed in the context of the configured service account. This does not affect all Forefront solutions: it only affects Forefront Protection 2010 for Exchange Server. Nonetheless, it is important to get this patch deployed as soon as possible, because attackers will be interested in any way to potentially compromise an Exchange server.

The IPv6 component in Windows 8, RT, and Server 2012 is receiving a fix with MS14-006. This publicly disclosed vulnerability can be used by attackers to cause targeted systems to stop responding. The attacker would need to send a large number of malicious packets to the affected system in order to achieve the denial of service condition. While this sounds like an ominous vulnerability, the attacker must be on the same subnet as the victim, which greatly raises the barrier to exploiting it.

The .NET Framework is receiving a patch this month, MS14-009, which addresses multiple vulnerabilities: a denial of service vulnerability, a type traversal vulnerability, and an ASLR bypass vulnerability. The denial of service vulnerability and the ASLR bypass were both publicly disclosed, and the ASLR bypass has been used in targeted attacks. The denial of service vulnerability would be used to target ASP.NET servers, whereas the other two vulnerabilities could be targeted in any .NET application.

Be sure to patch Internet Explorer (MS14-010), VBScript (MS14-011), XML Core Services (MS14-005), Direct2D (MS14-007), and Forefront Protection for Exchange (MS14-008) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, February 12 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!

We frequently mention Chrome as an alternative to Internet Explorer. Has your organization made strides towards adopting a safer browser like Chrome? If not, what is stopping you? Legacy systems? Learning curve? Policies?

Most insightful and/or awesome answer wins!

>> VEF News Articles

NSA’s ‘Dishfire’ program said to capture nearly 200M texts a day

Spam From Your Fridge

Don’t Believe Everything You Read (Webroot/Novell/Target)

Target Hackers Broke in Via HVAC Company

China Operating System

Microsoft Announces Brussels Transparency Center at Munich Security Conference

>> VEF Questions & Comments

During the VEF, Shelly asked, “Does MS14-007 bypass Java?” If our understanding of the question is correct (and correct us if we’re wrong!), an attacker exploiting MS14-007 would not need Java in order to gain remote code execution. As we explained during the VEF, Java 6 is often used to bypass DEP and ASLR in Internet Explorer, which is why Java 6 is so dangerous: in addition to all the remote code execution vulnerabilities in Java 6 itself, instantiating Java 6 in a browser also gives attackers the opportunity to use Java 6 libraries to generate ROP gadgets and leverage other exploitation techniques.

Jay wanted to know, “How are some of these newest exploits related to leveraging off the recent amplification attacks for UDP?” Although some of this Patch Tuesday’s bulletins were networking related (IPv6), none of them were associated with the recent amplification DDoS attacks we have been seeing in the wild. The DDoS traffic we have been seeing stems from a known weakness in NTP (Network Time Protocol), which allows attackers to generate a massive amount of traffic directed toward targeted hosts. Cloudflare was mitigating the attack and has technical details of the attack on their blog.
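The defining trait of a reflection attack like the NTP one mentioned above is asymmetry: a small request arrives at the server from a spoofed source, and a much larger reply leaves toward the real victim. Operators of NTP servers can spot abuse of their own service by comparing the bytes each remote address sends to UDP/123 with the bytes they receive back. The following is an added example, not from the post or from Cloudflare’s write-up, that computes that per-client amplification ratio over a constructed set of flow records; the addresses, byte counts and the ratio threshold are all assumptions for the illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (src, sport, dst, dport, bytes); not from the post.
# 198.51.100.5 is the monitored NTP server.
SAMPLE_FLOWS = [
    # Legitimate exchange: a small query and a similarly sized reply.
    ("192.0.2.10", 51234, "198.51.100.5", NTP_PORT, 76),
    ("198.51.100.5", NTP_PORT, "192.0.2.10", 51234, 76),
    # Reflected traffic: tiny requests provoke very large replies toward
    # 203.0.113.7, which never actually asked for them (source was spoofed).
    ("203.0.113.7", 40000, "198.51.100.5", NTP_PORT, 64),
    ("198.51.100.5", NTP_PORT, "203.0.113.7", 40000, 25000),
    ("203.0.113.7", 40000, "198.51.100.5", NTP_PORT, 64),
    ("198.51.100.5", NTP_PORT, "203.0.113.7", 40000, 25000),
    # Unrelated traffic on another port is ignored.
    ("192.0.2.10", 44444, "198.51.100.5", 22, 9000),
]


def amplification_by_client(flows, server):
    """Sum bytes each remote address sends to `server`'s UDP/123 and receives
    back from it, then return {client: outbound_bytes / inbound_bytes}.
    A client that received replies without sending anything gets inf."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst == server and dport == NTP_PORT:
            inbound[src] += nbytes
        elif src == server and sport == NTP_PORT:
            outbound[dst] += nbytes
    ratios = {}
    for client in set(inbound) | set(outbound):
        if inbound[client] == 0:
            ratios[client] = float("inf")
        else:
            ratios[client] = outbound[client] / inbound[client]
    return ratios


def suspected_reflection(flows, server, max_ratio=10.0):
    """Addresses receiving far more from the server than they sent it are the
    likely spoofed victims of an amplification attack using this server."""
    ratios = amplification_by_client(flows, server)
    return sorted(c for c, r in ratios.items() if r > max_ratio)


if __name__ == "__main__":
    for client, ratio in amplification_by_client(SAMPLE_FLOWS, "198.51.100.5").items():
        print(f"{client}: amplification x{ratio:.1f}")
    print("suspected victims:", suspected_reflection(SAMPLE_FLOWS, "198.51.100.5"))
```

Normal clients sit near a ratio of 1.0, since NTP request and response packets are the same size; the constructed victim comes out at roughly 390x. In practice the same calculation would run over exported flow data with the server's own address filled in, and any client over the threshold is a prompt to check the server's configuration for whatever query type is producing the oversized replies.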

Thank you to all who attended this month’s VEF! We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.