Microsoft was looking to deliver a light Patch Tuesday this month, but added two last-minute bulletins to the mix. February now includes seven bulletins, four critical and three important, that cover a total of 32 CVEs. The patches address vulnerabilities in Windows, Internet Explorer, security software and the .NET framework. Russ Ernst, director of product management at Lumension, takes a closer look at this February’s Patch Tuesday.
MS14-010 & MS14-011
The highest deployment priority for administrators should be MS14-010, a cumulative security update for Internet Explorer, and MS14-011, a vulnerability in the VBScript Scripting Engine that could allow remote code execution. MS14-010 addresses 25 vulnerabilities in Internet Explorer. Of these vulnerabilities, only one was publicly disclosed prior to today and none are known to be under active attack. The companion bulletin MS14-011 shares CVE-2014-0271 with MS14-010. When the Advance Notification was released last Thursday, Ernst was a bit surprised not to see an update for IE, since the browser had not been updated in January either, although it had been updated every month for at least a year prior to that. It’s possible Microsoft wanted to give some last-minute quality attention to the bulletin prior to release.
Next on the list should be MS14-005, a vulnerability in MS XML Core Services that could allow information disclosure. The bulletin is rated as Important, but the vulnerability covered has been publicly disclosed and has known active attacks. This is a browser-initiated attack vector and the bulletin is applicable to all currently supported Windows platforms. The likely goal for an attacker would be to grab an OS version and use that information for a more targeted exploit against a different vulnerability.
Also a top deployment priority is MS14-007, a critical vulnerability in DirectWrite that could allow remote code execution. This update addresses one privately reported vulnerability and is applicable to Windows 7 and higher platforms. This vulnerability carries a critical severity for all impacted systems and is at the top deployment priority because it is given an exploitability index of one, meaning that exploit code is expected within the next 30 days.
At a deployment priority of two is MS14-008, a vulnerability in Microsoft Forefront Protection for Exchange that could allow remote code execution. This bulletin is rated as critical and addresses a privately reported vulnerability. Although the bulletin has a critical severity, the vulnerability is applicable to a software product that Microsoft stopped updating back in September 2012. This is an example of Microsoft honoring their commitment to fixing any security gaps in this application, but this should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or considering a third-party email security application. Administrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.
The next bulletin is MS14-009, which covers three vulnerabilities in the .NET framework that could allow elevation of privilege. The aggregate severity for the bulletin is important and it is applicable to all shipping versions of Windows from XP through 8.1. Of the three vulnerabilities covered, two were publicly disclosed and one has known active attacks. MS14-009 is the second bulletin released by Microsoft, along with MS14-005, that has active attacks and requires another vulnerability to effectively commandeer a system. This leads Ernst to believe attackers are getting more sophisticated in coordinating their attacks.
Rounding out the Microsoft bulletins is MS14-006, a denial of service vulnerability in IPv6. This bulletin is at the third tier in deployment priority and addresses one CVE. The vulnerability was publicly disclosed, but as of Feb. 11, Microsoft is not aware of any known active attacks and it is only applicable to Windows 8 and Server 2012 systems. Microsoft gives an exploitability index of three to this vulnerability, meaning that exploit code is not likely within the next 30 days.
Aside from the Microsoft security updates, IT should give some extra attention this month to application updates outside of Microsoft. Adobe released an emergency fix last week to patch vulnerabilities in the Flash Player plug-in for IE and other browsers. These vulnerabilities are under active attack and, given the widespread use of Flash, this will create a cascading effect for companies as they apply updates for their Firefox and Google Chrome users.