Microsoft released five patches last night to cover two critical flaws in Windows and Internet Explorer.
Firstly, MS14-012 addresses 18 vulnerabilities in all versions of IE, from IE6 on Windows XP, to IE11 on Windows 8.1. It also includes the fix for a 0-day vulnerability that was identified by FireEye on February 11, first on the website of the organization of the US Veterans of Foreign Wars.
According to Wolfgang Kandek, CTO of Qualys, said: “The attack used a previously unknown flaw in IE 10 (CVE-2014-0322), plus a known vulnerability in Adobe Flash to bypass ASLR protections and gave the attackers control over the computers visiting the site with that particular configuration. Microsoft has acknowledged the problem and provided a FixIT in KB2934088, but this is the permanent patch for the problem. Apply it as soon as possible.”
Tyler Reguly, manager of security research at Tripwire, said: “This update resolves multiple vulnerabilities including two zero-day issues, one that we were expecting (affecting IE10) and a second one affecting IE8. Once again, we’re seeing evidence that IE11 is the way to go.”
The other critical patch, MS14-013, addresses one critical vulnerability which involves the DirectShow Windows component rather than IE itself. “Microsoft states that exploitation is hard and gives it an exploitation index of 3, but you should give it priority in your patch cycle,” Kandek said.
Craig Young, security researcher at Tripwire, said: “The DirectShow code execution bulletin (MS14-013) and Silverlight ASLR bypass (MS14-014) should also receive high priority. Anyone who has not deployed the ASLR bypass update from December (MS13-106) should strongly consider applying the patch now because hxds.dll continues to be used in exploits.”
The remaining bulletins, MS14-014, MS14-015 and MS14-016, are all rated important. MS14-014 is an ASLR bypass vulnerability that needs to be paired with a code execution vulnerability in order to become useful (see also the recent 0-day that used Adobe Flash exactly for that purpose). MS14-015 is a Windows Kernel driver fix addressing two CVEs, and MS14-016 is a change in the Windows API that allowed an attacker to bypass password shutout rules, which could be used in brute force attack attempts.
Young said: “In a much welcomed spring cleaning, Microsoft is releasing an updated Silverlight which prevents attackers from using it to bypass ASLR. This is another in a series of steps Microsoft has been taking to not only fix vulnerabilities but to also to increase the complexity required for exploit developers to achieve reliable code execution.
The most interesting fix this month is to the security accounts management (SAM) API which MS14-016 describes. This vulnerability could be abused to perform a brute force password attack while flying beneath the radar of the account lockout policy. Although this vulnerability is somewhat unique compared to the typical bulletin
s, it does not have the impact of the other bulletins this month.”