Microsoft released four patches on its final day of support for Windows XP last night.
Addressing issues in Windows, Internet Explorer and Office, the critical-rated MS14-018 addresses six vulnerabilities in Internet Explorer (IE) and affects all versions from IE6 to IE11, while patches were issued for XP service pack 3.
Wolfgang Kandek, CTO of Qualys, said: “Microsoft gives this bulletin an exploitability index rating of “1”, meaning that attacks can be expected with the next 30 days. The attack vector would be a malicious webpage that the user has to browse. Patch together with MS14-017.”
Kandek described MS14-017 as “the top bulletin” as this addresses three vulnerabilities in Microsoft Word, including the zero-day in the RTF (Rich Text Format) parser. “The problem was first disclosed by Microsoft in KB2953095 on March 24th, where Microsoft acknowledges the existence of exploits in the wild,” he said.
“Microsoft credits the Google Security team with the discovery. As a workaround Microsoft recommends disabling the opening of RTF files with Word, which can be automated with the provided FixIt MSI. The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers. The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE). Our recommendation: Patch Microsoft Word as quickly as possible.”
Craig Young, security researcher at Tripwire, said: “The top priority for most administrators will be to apply MS14-017 to fix CVE-2014-1761, the Word vulnerability, because it’s currently being exploited in the wild.
“As always, the Internet Explorer fix, MS14-018 should also be treated with high priority because attackers have become very adept at quickly creating IE exploits by reversing patches.
“Microsoft has blocked off a potential attack vector with MS14-019 which could allow context-dependent attackers to execute attacker-controlled code within poorly implemented programs. Similar to DLL preloading, this attack vector relies on a process loading executable code from an untrusted path.”
Kandek said: “MS14-019 and MS14-020 are bulletins that cover Windows and Microsoft Publisher. Both provide Remote Code Execution to an attacker, but have lower viability than MS14-017 or MS14-018. The Windows vulnerability only works under very special conditions and Publisher in only sparsely installed and does not have any known exploits. Patch within your normal patch cycle.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “The top story in these advisories is actually the Word issue, MS14-017. One of the issues addressed by this fix is under active exploitation in the wild and has already been temporarily addressed in security advisory 2953095. The 2953095 fix is a complete, but heavy handed fix and Microsoft is advising that it can be removed safely before or after installing the MS14-017 patch in order to restore full rich text format functionality. None of the other advisories feature attacks under active exploitation.
“MS14-019 is
definitely the lowest priority, in that a user would have to be enticed into executing a batch file on a malicious network share. Exploitation of this vulnerability is two steps of misdirection removed from reality. Nothing to ignore, but not a top tier, urgent concern.”