June 2014 Patch Tuesday
This June we are greeted with 7 different Microsoft Security bulletins for Patch Tuesday.
MS14-030 covers a vulnerability within Remote Desktop that could allow for tampering with RDP session data. The sky is not falling here though as in order for an attacker to perform this tampering they need to already be on the same network segment as their target. If you are running Windows 2003, 2008, 2008 R2, Vista or RT you can safely ignore this vulnerability. It should also be noted that Microsoft reminds people to enable Network Level Authentication (NLA) which can help mitigate this attack. This is a great example of a good Microsoft GPO setting that you should already have in place in your organization. You can read more on how to enable this GPO option here.
MS14-031 is a vulnerability within Windows handling of the TCP Protocol which can allow for a Denial of Service at the operating system level. The good news here though is that Microsoft suggests that exploit code is unlikely. This could be because a number of hoops and nuances that are required to properly craft the correct sequence of packets to bring a system down. Here also it seems Windows Server 2003 dodges a bullet as it is not affected by this vulnerability.
MS14-032 continues a trend of vulnerabilities related to Microsoft’s Lync Server. The vulnerability itself is actually an information disclosure bug where by a user has to be tricked into joining a Lync meeting by clicking on a specially crafted URL. This could allow scripts to execute in a user’s browser to gather extra information possibly used in combination with future attacks. Overall though this vulnerability is not critical and especially not for those not even running Lync Server!
MS14-033 fixes new vulnerabilities in Microsoft XML Core Service. MSXML has had a variety of vulnerabilities over the years and the trend continues here. Not to worry though this is not a critical vulnerability and while something you want to patch; it is certainly not top priority.
MS14-034 on the other hand is a critical vulnerability for Microsoft Word that you likely will see active exploits for. The good news though is that the latest major release versions of Word, such as included with Office 2013, are not affected. This is a great reminder that sometimes when budgeting and thinking about security it is not simply about buying some new protection appliance but making sure your organization has migrated from things like Office 2007 to Office 2013 etc… One important point to note is this vulnerability allows for code execution as the user privilege that opened the document. This is yet another great reminder of implementing least-privilege to make sure your users are not running as Administrator.
MS14-035 is the bulletin you have been looking for. In short – Internet Explorer was broken every which way today. There are a significant number of Internet Explorer code execution and related vulnerabilities patched by this bulletin. Essentially if you running Internet Explorer 6 through 11 – you are vulnerable. This bulletin also resolves two previously publicly disclosed vulnerabilities. One of those previously disclosed vulnerabilities would help attackers potentially intercept and decrypt portions of encrypted TLS traffic. There are also other useful vulnerabilities to attackers that allow for elevation of privilege. By default Internet Explorer runs code in low-integrity mode which means when it is exploited an attacker can do less with a system. There are 3 different vulnerabilities fixed here though that allow an attacker to go from low-integrity to medium-integrity; or basically to run code as the user of Internet Explorer. This is another great reminder of the need to implement least-privilege so that even when an attacker breaks out of Internet Explores low privilege modes they are still not obtain Administrator without a fight. More than just fixing bugs though Microsoft has also included updates to Internet Explorer’s XSS Filter to help prevent more cross-site scripting style attacks. This is certainly the most critical vulnerability to patch immediately.
MS14-036 brings back even more fun with GDI+. GDI+ is a graphics device interface for Windows and a reoccurring pain point from a vulnerability perspective. Part of the challenge is because GDI+ vulnerabilities tend to affect multiple Microsoft products including in this case base operating systems and Microsoft Office. Good news again here for those running Office 2013; it is not affected. But the bad news is as mentioned this also affects base OS components which in this case is every supported OS version from Microsoft. And not to pile on further bad news but Microsoft also suggest exploit code is likely. Given what we have seen from GDI+ in the past we suggest also getting this patched immediately. One of the two vulnerabilities fixed in this bulletin is likely to be exploited via the WebDAV protocol which by default on Windows is supported via the WebClient service. As we have recommended many times in the past this service should be disabled by default within GPO.