Microsoft released five updates for a total of 23 CVEs for the March Patch Tuesday. Two patches are rated critical and the remaining bulletins are rated Important. Russ Ernst, director, product management at Lumension, provides more information on this month’s updates.
Not surprisingly, the first on the list, MS14-012, is another cumulative update for all versions of Internet Explorer. It fixes 18 CVEs, including the IE zero-day we saw last month, which Microsoft addressed with the release of security advisory 2934088 on February 19. These days it is cause for pause when we don't see an IE update in Microsoft's Patch Tuesday; it's a popular browser and a favorite among attackers. Internet Explorer accounted for 27 percent of all Microsoft vulnerabilities last year, making it the most targeted Microsoft application. While updating IE, make sure you also include the Flash Player update Adobe released on February 20.
MS14-013 is the second critical bulletin this month. Addressing CVE-2014-0301, this vulnerability could allow remote code execution in DirectShow on all supported versions of Windows. The attack method requires a user to open a specially crafted JPEG file in IE, although there are no known active attacks.
MS14-014 is an Important-rated bulletin for a security feature bypass in Silverlight on both Windows and Mac; there are no known active attacks at this time. Since this vulnerability affects both platforms, make sure your desktop team has their Macs in the update queue. Silverlight is no longer under development by Microsoft, but the company has said it will support it through October 2021.
CVE-2014-0323 and CVE-2014-0300 are both addressed by MS14-015. They are vulnerabilities in the Windows Kernel Mode Driver that could allow remote code execution.
The final bulletin for this Patch Tuesday is MS14-016. It covers one CVE for a vulnerability in the Security Account Manager Remote Protocol that could allow a security feature bypass. In this instance, an attacker who knows an account name could use the protocol's return status codes and brute-force password attempts to lock out that user account.
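Until MS14-016 is deployed, the practical risk described above is a burst of failed authentication attempts against a known account name. The following script is an added example, not part of the original article or any Lumension tooling: it runs a simple sliding-window detector over a constructed, simplified authentication log (one "timestamp account result" record per line, not a real Windows event log format) and flags accounts that see a suspicious number of failures in a short period, which is the kind of signal a SOC would want to alert on whether the outcome is a lockout or a guessed password. The threshold, window and log format are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication records (not real logs). Format assumed
# for this example: "<ISO-8601 timestamp> <account> <OK|FAIL>".
SAMPLE_LOG = """\
2014-03-11T09:00:01 jdoe FAIL
2014-03-11T09:00:02 jdoe FAIL
2014-03-11T09:00:03 jdoe FAIL
2014-03-11T09:00:04 jdoe FAIL
2014-03-11T09:00:05 jdoe FAIL
2014-03-11T09:00:06 jdoe FAIL
2014-03-11T09:00:40 asmith OK
2014-03-11T09:15:00 jdoe FAIL
2014-03-11T09:20:00 bwong FAIL
2014-03-11T09:21:00 bwong OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result = line.split()
        records.append((datetime.fromisoformat(ts), account, result))
    return records


def find_burst_failures(records, threshold=5, window=timedelta(minutes=1)):
    """Return {account: max_failures_in_window} for accounts whose failed
    attempts reach `threshold` inside any sliding window of length `window`.

    A single isolated failure (a mistyped password) never trips this; a rapid
    run of failures against one account, as in a brute-force or deliberate
    lockout attempt, does.
    """
    failures_by_account = defaultdict(list)
    for ts, account, result in records:
        if result == "FAIL":
            failures_by_account[account].append(ts)

    flagged = {}
    for account, times in failures_by_account.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def detect(text=SAMPLE_LOG):
    """Convenience wrapper: parse the log and return the flagged accounts."""
    return find_burst_failures(parse_log(text))


if __name__ == "__main__":
    for account, count in detect().items():
        print(f"ALERT: {count} failed logons for '{account}' within one minute")
```

In the constructed sample only `jdoe` is flagged (six failures in six seconds); `bwong`'s single failure followed by a success is ignored. In production the same logic would run over the directory's actual failed-logon and lockout events, and the window and threshold would be tuned to sit below the domain's lockout policy so the alert fires before the account is locked.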